"Flaw Found in Biometric ID Devices"

Security researchers at Positive Technologies have discovered a critical vulnerability in more than ten devices that use biometric identification to control access to protected areas. The flaw can be exploited to unlock doors and open turnstiles, giving attackers a way to bypass biometric ID checks and physically enter controlled spaces. A remote attacker could exploit the vulnerability to run commands without authentication, unlocking a door or turnstile or triggering a terminal reboot to cause a denial of service.

The critical vulnerability impacts 11 biometric identification devices made by IDEMIA. The researchers stated that the impacted devices are used in the “world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities.” The critical vulnerability (VU-2021-004) has received a score of 9.1 out of 10 on the CVSS v3 scale, with ten being the most severe. The IDEMIA devices affected by the vulnerability are MorphoWave Compact MD, MorphoWave Compact MDPI, MorphoWave Compact MDPI-M, VisionPass MD, VisionPass MDPI, VisionPass MDPI-M, SIGMA Lite (all versions), SIGMA Lite+ (all versions), SIGMA Wide (all versions), SIGMA Extreme and MA VP MD.

The researchers stated that enabling and correctly configuring the TLS protocol according to Section 7 of the IDEMIA Secure Installation Guidelines will eliminate the vulnerability. After learning about the vulnerability, IDEMIA said it will make TLS activation mandatory by default in future firmware versions.

 

Infosecurity reports: "Flaw Found in Biometric ID Devices"

Submitted by Anonymous on