GeoVision, a Taiwanese manufacturer of video surveillance systems and IP cameras, recently patched three of the four critical flaws impacting its card and fingerprint scanners that could’ve potentially allowed attackers to intercept network traffic and stage man-in-the-middle attacks.
In a report shared exclusively with The Hacker News, enterprise security firm Acronis said it discovered the vulnerabilities last year following a routine security audit of a major Singapore-based retailer.
“Malicious attackers can establish persistence on the network and spy on internal users, steal data — without ever getting detected,” Acronis said. “They can reuse your fingerprint data to enter your home and/or personal devices, and photos can be easily reused by malicious actors to perpetrate identity theft based on biometric data.”
In all, the flaws affect at least 6 device families, with over 2,500 vulnerable devices discovered online across Brazil, the US, Germany, Taiwan, and Japan, aside from thousands of other devices capable of being remotely compromised.
The first issue concerns a previously undocumented root password that gives an attacker backdoor access: by simply using the default password (“admin”), an attacker can remotely log in to the vulnerable device (e.g., https://ip.of.the.device/isshd.htm).
A second flaw involves the use of hardcoded shared cryptographic private keys when authenticating via SSH, while a third vulnerability makes it possible to access system logs on the device (e.g., at https://ip.of.the.device/messages.txt and at https://ip.of.the.device/messages.old.txt) without any authentication.