GeoVision, a Taiwanese manufacturer of fingerprint scanners, access control systems, and surveillance technology, fixed critical vulnerabilities in its devices that could be abused by hackers and nation-state threat actors.
During a network security audit last year, Acronis discovered numerous vulnerabilities in GeoVision devices that could allow users to gain full and unauthorized access to the cameras.
The findings are important because vulnerabilities in mission-critical devices such as biometric fingerprint scanners, surveillance cameras, and other security IoT devices could be exploited by nation-state actors to intercept traffic and conduct espionage.
The vulnerabilities
In a new report by Acronis, researchers disclose numerous vulnerabilities in GeoVision surveillance equipment and fingerprint scanners.
"Acronis’ security team found four critical vulnerabilities in GeoVision's devices, including a backdoor password with admin privileges, the reuse of cryptographic keys, and the disclosure of private keys to everyone. All of these vulnerabilities could allow state-sponsored attackers to intercept potential traffic," Acronis' report states.
The CVEs made public by Acronis include CVE-2020-3928, CVE-2020-3930, and CVE-2020-3929, and were found in fingerprint scanners, access card scanners, and access management appliances being used around the world.