According to James Sebree with Tenable Research, version 3.1.190 of PremiSys by IDenticard contains a backdoor that can allow an attacker access to administrative functions including adding, editing, and deletion of users in the badging system; assigning of permissions; and control over the readers within the building.

PremiSys is built on the .Net framework, so Sebree was able to reverse engineer the software by using Jetbrain’s "dotPeek" .Net decompiler. When he discovered the vulnerability, he attempted contact with IDenticard to inform it of the problem multiple times. After 45 days with no response, Tenable notified CERT, which also attempted to contact the publisher. After 90 days, the firm had still not responded, so the discovery was publicly disclosed.

Disclosure Timeline

09/18/2018 - Initial Vulnerabilities Discovered. 10/05/2018 - Tenable attempts to contact Identicard via "Contact Us" email form. 10/22/2018 - Additional contact request e-mail sent to Identicard. 10/26/2018 - Tenable makes 3rd contact attempt to vendor (info@identicard.com). 11/06/2018 - Tenable makes 4th contact attempt to vendor (info@identicard.com). 11/19/2018 - Tenable contacts CERT. 11/19/2018 - Auto-response from CERT with VRF#18-11-NGYLM. 11/28/2018 - CERT assigns VU#822605 and inquires about contacting vendor. 11/29/2018 - CERT attempts to contact vendor via info@identicard.com on behalf of Tenable. 12/05/2018 - CERT reports that they have not heard back from the vendor. 12/11/2018 - Tenable attempts final contact with vendor informing them of public disclosure date. 01/04/2019 - Tenable informs CERT of upcoming advisory publication.

01/08/2019 - Tenable publicly discloses vulnerabilities.