Researchers at cybersecurity firm Tenable have discovered a number of previously unknown vulnerabilities in the access control systems of an ID card manufacturer and service provider used by federal agencies, including the Executive Office of the President.
Tenable researchers announced Monday they had found several weaknesses in PremiSys, the control system used by IDenticard, that, if exploited, could allow an unauthorized person to gain access to secure buildings and disable locks, as well as exfiltrate user data or otherwise modify accounts using administrator privileges.
According to a blog post published Monday, the PremiSys system uses hardcoded usernames and passwords for administrator credentials that customers cannot change. The system also uses default usernames and passwords for database access, which users can change only by sending their preferred passwords to IDenticard, an additional step that some might not take, opting instead to leave the default credentials in place.
Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/01/researchers-flaws-vendor-security-software-could-leave-some-federal-buildings-vulnerable/154231/