The most severe 0-day would give an attacker free rein over buildings, allowing them to access the entire badge system database

Tenable’s research team announced have discovered several zero-day vulnerabilities in the PremiSys access control system developed by IDenticard (CVE-2019-3906, CVE-2019-3907, CVE-2019-3908, CVE-2019-3909 affect version 3.1.190), which offers key card access to offices and buildings.

The most severe 0-day would give an attacker free rein over buildings, allowing them to access the entire badge system database. With this access, an attacker could:

* Covertly enter buildings by creating fraudulent badges and disabling building locks
* Use administrator privileges to do things like download the full contents of the system database, modify its contents or delete users
* IDenticard has tens of thousands of global customers, including Fortune 500 companies, K-12 schools, universities, medical centres and government agencies.

As the physical and digital worlds collide, thanks to the mass adoption of IoT and smart devices, an organisation’s security purview is no longer walled off by a physical perimeter or firewall. The PremiSys 0-days serve as a somber reality check of the potential dangers created by digital transformation and the expanding attack surface.  

Tenable Research disclosed the vulnerabilities to IDenticard following standard procedures outlined in its vulnerability disclosure policy and made multiple attempts to contact them.