Flawed visitor check-in systems let anyone steal guest logs and sneak into buildings

Security researchers at IBM have found, reported and disclosed 19 vulnerabilities in five popular visitor management systems, which they say can be used to steal data on visitors — or even sneak into sensitive and off-limit areas of office buildings.

You’ve probably seen one of these visitor check-in systems before: they’re often found in lobbies or reception areas of office buildings to check staff and visitors onto the work floor. Visitors check in with their name and who they’re meeting using the touch-screen display or tablet, and a name badge is either printed or issued.

But the IBM researchers say flaws in these systems provided “a false sense of security.”

The researchers examined five of the most popular systems: Lobby Track Desktop, built by Jolly Technologies, had seven vulnerabilities; eVisitorPass, recently rebranded as Threshold Security, had five vulnerabilities; EasyLobby Solo, built by HID Global, had four vulnerabilities; Envoy’s flagship Passport system had two vulnerabilities; and The Receptionist, an iPad app, had one vulnerability.

According to IBM, the vulnerabilities could only be exploited by someone physically at check-in. The bugs ranged from allowing someone to download visitor logs, such as names, driver license and Social Security data, and phone numbers; or in some cases, the buggy software could be exploited to escape “kiosk” mode, allowing access to the underlying operating system, which the researchers say could be used to pivot to other applications and on the network, if connected.

Worse of all, the use of default admin credentials that would give “allow complete control of the application,” such as the ability to edit the visitor database. Some systems “can even issue and provision RFID badges, giving an attacker a key to open doors,” the researchers wrote.

Daniel Crowley, research director at IBM X-Force Red, the company’s pen-testing and vulnerability hunting team, told TechCrunch that all of the companies responded to the team’s findings.

“Some responded much more quickly than others,” said Crowley. “The Lobby Track vulnerabilities were acknowledged by Jolly Technologies, but they stated that the issues can be addressed through configuration options. X-Force Red tested the Lobby Track software in its default configuration,” he added.

We contacted the companies and received — for the most part — dismal responses.

Kate Miller, a spokesperson for Envoy, confirmed it fixed the bugs but “customer and visitor data was never at risk.”

Andy Alsop, chief executive of The Receptionist, did not respond to a request for comment but instead automatically signed us up to a mailing list without our permission, which we swiftly unsubscribed from. When reached, Michael Ashford, director of marketing, did not comment.

David Jordan, a representative for Jolly, declined to comment. And, neither Threshold Security and HID Global responded to our requests for comment.