Vulnerability in IDEMIA Biometric Identification Devices

Positive Technologies researchers Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin have discovered a critical vulnerability (VU-2021-004) in IDEMIA biometric identification devices used in the world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities.
By exploiting the flaw, which received a score of 9.1 on the CVSS v3 scale, attackers can unlock doors and turnstiles. Researchers say the forced use of TLS as a management protocol will help eliminate the risk of biometric identification bypass.

“The vulnerability has been identified in several lines of biometric readers for the IDEMIA ACS equipped with fingerprint scanners and combined devices that analyze fingerprints and vein patterns,” explains Vladimir Nazarov, Head of ICS Security, Positive Technologies. “An attacker can potentially exploit the flaw to enter a protected area or disable access control systems.”

Below is a list of devices affected by this vulnerability:

- MorphoWave Compact MD
- MorphoWave Compact MDPI
- MorphoWave Compact MDPI-M
- VisionPass MD
- VisionPass MDPI
- VisionPass MDPI-M
- SIGMA Lite
- SIGMA Lite+
- SIGMA Wide
- SIGMA Extreme
- MA VP MD

To eliminate the vulnerability, enable and correctly configure the TLS protocol according to Section 7 of the IDEMIA Secure Installation Guidelines. In future firmware versions, IDEMIA will make TLS activation mandatory by default. In July 2021, IDEMIA fixed three vulnerabilities discovered by Positive Technologies experts.
