Unpatched Flaws in Building Access System Allow Hackers to Create Fake Badges

From securityweek.com

Researchers discovered that a popular building access control system made by IDenticard contains vulnerabilities that can be exploited to create fake badges, disable door locks, and obtain or modify user data.

IDenticard is a US-based provider of ID, access and security solutions. On its website, the company says it has tens of thousands of customers around the world, including Fortune 500 companies, educational institutions, medical centers, factories, and government agencies.

PremiSys is an access control and photo ID solution that provides organizations with a wide range of features for a comprehensive access control program, including granting or restricting access to specific doors, locking down facilities, controlling door alarms, viewing integrated surveillance video, and creating detailed reports.

Researchers at Tenable discovered that the product is affected by several potentially serious vulnerabilities. One of them is a hardcoded backdoor account that can give an attacker admin access to the service. This access can be leveraged to enter the badge system database and modify its content.

