In a report shared exclusively with The Hacker News, enterprise security firm Acronis said it discovered the vulnerabilities last year following a routine security audit of a Singapore-based major retailer.
"Malicious attackers can establish persistence on the network and spy on internal users, steal data — without ever getting detected," Acronis said. "They can reuse your fingerprint data to enter your home and/or personal devices, and photos can be easily reused by malicious actors to perpetrate identity theft based on biometric data."
In all, the flaws affect at least 6 device families, with over 2,500 vulnerable devices discovered online across Brazil, US, Germany, Taiwan, and Japan, aside from thousands of other devices capable of being remotely compromised.
The first issue concerns a previously undocumented root password that permits an attacker backdoor access to a device by simply using the default password ("admin") and remotely log in to the vulnerable device (e.g., https://ip.of.the.device/isshd.htm).
A second flaw involves the use of hardcoded shared cryptographic private keys when authenticating via SSH, while a third vulnerability makes it possible to access system logs on the device (e.g., at https://ip.of.the.device/messages.txt and at https://ip.of.the.device/messages.old.txt) without any authentication.
Lastly, there exists a buffer overflow vulnerability in the firmware impacting GeoVision's fingerprint readers that allows attackers to run unauthorized code on the devices. It requires no prior authentication. Even more troublingly, it has a CVSS rating of 10, making it a critical flaw.
Acronis said it initially approached GeoVision last August, subsequently twice in September and December, in addition to contacting SingCERT with their findings. But it wasn't until early this month that GeoVision issued fixes for three of the flaws (version 1.22) while leaving the buffer overflow vulnerability unpatched.
The flaws were also acknowledged by Taiwan's Computer Emergency Response Team (TWCERT), which published advisories for the three bugs — CVE-2020-3928, CVE-2020-3929, and CVE-2020-3930 — confirming the firmware fixes and the availability of the new version.
Besides this, without disclosing technical information on the fourth critical remote code execution flaw that the company left unpatched, we can mention that it could let attackers leverage a vulnerable parameter to overwrite memory structures responsible for memory management.
The flaw eventually overwrites the pointers in particular structures, allowing attackers to redirect the program's execution flow to their own malicious code and perform different commands.
We have reached out to GeoVision to ask for their comment on the disclosures, but we did not receive a response before this article's publication.
"Once the attacker gets full control over the device, he/she is free to install their own malicious firmware — after which it will be almost impossible to evict them from the network," Acronis CISO CISO Kevin Reed and Security Researcher Alex Koshelev said.
"It's quite surreal seeing some vendors not rushing to fix critical vulnerabilities — in addition to the low quality of the initial source code, the presence of back doors is concerning. It shows that IoT security is flawed, and each company must understand that using such devices can leave them exposed to prolonged unmitigated risks."