Backdoor in Taiwanese Fingerprint and Card scanner, GeoVision allows hackers to steal your fingerprints
Biometrics is one of the most widely used forms of user authentication the world over. At the gate of almost any office or company there is a fingerprint or retina scanner that controls entry to the premises. The Taiwanese company GeoVision is one of the top manufacturers of such fingerprint and card scanners.
GeoVision had a backdoor in its access control system, the component that stores all the logged fingerprints and card data. According to enterprise security firm Acronis, which discovered the issues, four critical flaws could allow hackers to gain access to the GeoVision access control system and steal the stored fingerprints.
Acronis researchers found four critical vulnerabilities in GeoVision’s devices, including a backdoor password with admin privileges. Another critical vulnerability allowed potential hackers to reuse cryptographic keys while the fourth one disclosed private keys to everyone.
The Acronis report is significant because GeoVision devices are used by government companies and even militaries to control access to their installations. If state-backed hackers exploited these GeoVision vulnerabilities, they could use the fingerprints and other data to break into government systems and military installations.
Malicious attackers can establish persistence on the network and spy on internal users, steal data, and never get detected. They can reuse your fingerprint data to enter your home and/or personal devices, and photos can easily be reused by malicious actors to perpetrate identity theft based on biometric data.
Acronis researchers found that at least six GeoVision-made models were vulnerable to these flaws. Acronis has given the flaws the identifiers CVE-2020-3928, CVE-2020-3930, and CVE-2020-3929. The six models include fingerprint scanners, access card scanners, and access management appliances in use around the world.
- GV-AS210 (http://classic.geovision.com.tw/english/Prod_GVAS210.asp) versions 2.20, 2.21
- GV-AS410 (http://classic.geovision.com.tw/english/Prod_GVAS410.asp) versions 2.20, 2.21
- GV-AS810 (http://classic.geovision.com.tw/english/Prod_GVAS810.asp) versions 2.20, 2.21
- GV-GF192x (http://www.geovision.com.tw/product/GV-GF1921%20GV-GF1922) version 1.10
- GV-AS1010 (http://www.geovision.com.tw/product/GV-AS1010) version 1.32
A simple Shodan or Censys.io search reveals 2,500 vulnerable GeoVision-made devices online across Brazil, the US, Germany, Taiwan, and Japan, aside from thousands of other devices that could be remotely compromised.
Acronis reached out to the manufacturer, GeoVision. GeoVision has patched three of the four vulnerabilities and is in the process of fixing the fourth. But the fixes only help once installed, and many users don't update firmware regularly, leaving their GeoVision access control systems exposed to potential attackers.
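Because the remaining risk comes down to unpatched, internet-reachable units, the practical defender task is an inventory audit: which of our readers are on a listed model and firmware, and which of those are exposed? The script below is an added example, not code from Acronis, GeoVision or the original article. It encodes only the model and firmware versions the article lists, treats the `Device` records, hostnames and the firmware value 1.40 as constructed sample data, and assumes a simple inventory export (model string, firmware string, exposure flag). The article gives no patched version numbers, so a listed model running an unlisted firmware is reported as "verify against the vendor advisory" rather than as safe.

```python
import re
from dataclasses import dataclass

# Affected models and firmware versions exactly as the article lists them.
# Patched versions are not given in the article, so this audit only flags
# "known affected"; other firmware on a listed model must be checked manually.
AFFECTED_FIRMWARE = {
    "GV-AS210": {"2.20", "2.21"},
    "GV-AS410": {"2.20", "2.21"},
    "GV-AS810": {"2.20", "2.21"},
    "GV-GF192x": {"1.10"},
    "GV-AS1010": {"1.32"},
}

# The article's "GV-GF192x" family covers the GV-GF1921 and GV-GF1922 part numbers.
_GF192X = re.compile(r"^GV-GF192\d$")


@dataclass(frozen=True)
class Device:
    hostname: str           # asset name (constructed sample values below)
    model: str              # e.g. "GV-AS410"
    firmware: str           # e.g. "2.21"
    internet_exposed: bool  # reachable from the internet (the Shodan/Censys finding)


def normalize_model(model: str) -> str:
    """Map concrete GF192x part numbers onto the article's family name."""
    model = model.strip().upper()
    if model == "GV-GF192X" or _GF192X.match(model):
        return "GV-GF192x"
    return model


def is_affected(device: Device) -> bool:
    """True when the model and firmware pair appears in the affected list."""
    versions = AFFECTED_FIRMWARE.get(normalize_model(device.model))
    return versions is not None and device.firmware.strip() in versions


def priority(device: Device) -> int:
    """0 = affected and internet-exposed, 1 = affected, 2 = listed model on
    unlisted firmware (verify against the vendor advisory), 3 = not a listed model."""
    if is_affected(device):
        return 0 if device.internet_exposed else 1
    if normalize_model(device.model) in AFFECTED_FIRMWARE:
        return 2
    return 3


def triage(devices):
    """Return (priority, device) pairs, most urgent first, then by hostname."""
    return sorted(((priority(d), d) for d in devices),
                  key=lambda pair: (pair[0], pair[1].hostname))


# Constructed sample inventory; hostnames and the firmware value 1.40 are invented.
SAMPLE_INVENTORY = [
    Device("lobby-reader-1", "GV-AS410", "2.21", internet_exposed=True),
    Device("lobby-reader-2", "GV-AS410", "2.21", internet_exposed=False),
    Device("lab-fp-1", "GV-GF1922", "1.10", internet_exposed=False),
    Device("hq-controller", "GV-AS1010", "1.40", internet_exposed=True),
    Device("cafeteria-cam", "OTHER-MODEL", "9.9", internet_exposed=False),
]

if __name__ == "__main__":
    labels = {0: "PATCH NOW (affected, exposed)", 1: "patch (affected)",
              2: "verify against vendor advisory", 3: "not a listed model"}
    for prio, dev in triage(SAMPLE_INVENTORY):
        print(f"{dev.hostname:16} {dev.model:12} {dev.firmware:6} {labels[prio]}")
```

Run it against a real export by replacing `SAMPLE_INVENTORY` with your own device records; the exposure flag is the part worth feeding from an external scan rather than from self-reported configuration, since the article's point is precisely that these units sit on the public internet.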