Security researchers at Cisco Talos recently discovered multiple software flaws in commonly used walk-through metal detectors. If exploited, hackers could manipulate the device’s configuration, mess with its functionality, and even execute arbitrary code.
Walk-Through Metal Detectors Increase Security
Walk-through metal detectors use magnetic fields to detect metal when someone or something passes through them. They are commonly used at sporting events and concerts, and in government buildings, schools, and airports. The latest models not only sound an alarm, but can also pinpoint in which “zone” the metal object is located.
The manufacturer of the devices in question, Garrett, is the industry leader in metal detectors. They first began selling and marketing handheld devices in 1964. In the early eighties, organizers of the Olympic Games in LA asked Garrett to develop walk-through metal detectors to increase security at the Olympics, following the tragedy of the 1972 Munich Games.
Current models are much more accurate and offer enhanced access control. Users can also connect them to a group or network. Garrett designed the newest PD 6500i and Garrett MZ 6100 with maximum security in mind. The PD 6500i, for example, meets the world’s highest test certifications, addressing security concerns of the largest international airports.
Nine Software Flaws Found
Nevertheless, security researchers at Cisco Talos recently discovered a total of nine software vulnerabilities in both popular models. The vulnerabilities specifically exist in the Garrett iC module, which provides network connectivity. It also allows control, real-time monitoring, and diagnostics from a remote location.
By exploiting the vulnerabilities, cybercriminals could severely disrupt the devices’ functionality and even execute arbitrary code. In this way, they could run any command or malicious code on a target system and gain high-level privileges.
“An attacker could manipulate this [iC] module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through,” explained Matt Wiseman of Cisco Talos. “They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors.”
Vulnerabilities Can Be Mitigated
A set of CVEs officially tracks the vulnerabilities. The most severe vulnerabilities (CVE-2021-21901 and CVE-2021-21903) in the module allow an unauthenticated attacker to cause a buffer overflow by sending a specially crafted packet to the device, which in turn allows attackers to execute code remotely. The impact score of these two vulnerabilities amounts to a 9.8 on a scale of 1 to 10.
The remaining seven vulnerabilities (CVE-2021-21905, CVE-2021-21906, CVE-2021-21904, CVE-2021-21907, CVE-2021-21908, CVE-2021-21909, and CVE-2021-21902) allow remote code execution, session hijacking, and path traversal. However, they have a lower impact score.
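The two critical bugs above are of the classic "trust the length field in the packet" variety: a network service copies as many bytes as the packet claims to carry into a fixed-size buffer. The following is an added illustration of that bug class and its fix, written for this article; it is not Garrett's code, and the two-byte header format (type byte, length byte, payload) is a constructed, hypothetical wire format chosen only to keep the example short. It shows the unchecked copy beside a parser that validates the claimed length against both the bytes actually received and the destination buffer before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (constructed for this example, not Garrett's protocol):
 *   byte 0     : message type
 *   byte 1     : payload length N as declared by the sender
 *   bytes 2..  : N bytes of payload (an ASCII label such as a zone name)
 */
#define MAX_NAME 16

struct msg {
    uint8_t type;
    char name[MAX_NAME];  /* fixed-size destination: the overflow target */
};

/* Unsafe pattern: the declared length is used without any check.
 * A packet whose length byte exceeds MAX_NAME - 1, or exceeds the bytes
 * actually received, makes memcpy write past the end of out->name or read
 * past the end of pkt. Kept here only to show the missing checks; it is
 * never called with untrusted input in this file. */
int parse_unchecked(const uint8_t *pkt, size_t pkt_len, struct msg *out) {
    if (pkt_len < 2) return -1;
    uint8_t n = pkt[1];
    out->type = pkt[0];
    memcpy(out->name, pkt + 2, n);  /* no bounds check against MAX_NAME or pkt_len */
    out->name[n] = '\0';
    return n;
}

/* Hardened parser: every length that comes from the wire is validated
 * against what was received and against the destination buffer. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, struct msg *out) {
    if (pkt == NULL || out == NULL) return -1;
    if (pkt_len < 2) return -1;          /* header incomplete */
    size_t n = pkt[1];
    if (n > pkt_len - 2) return -2;      /* sender claims more bytes than it sent */
    if (n >= MAX_NAME) return -3;        /* would not fit together with the terminator */
    out->type = pkt[0];
    memcpy(out->name, pkt + 2, n);
    out->name[n] = '\0';
    return (int)n;
}

/* Self-checks on constructed packets (sample data, not captured traffic). */

/* Well-formed packet: type 1, length 5, payload "zone3". */
int check_well_formed(void) {
    const uint8_t p[] = {0x01, 5, 'z', 'o', 'n', 'e', '3'};
    struct msg m;
    int rc = parse_checked(p, sizeof p, &m);
    return rc == 5 && m.type == 1 && strcmp(m.name, "zone3") == 0;
}

/* Truncated packet: length byte says 20 but only 2 payload bytes follow. */
int check_truncated(void) {
    const uint8_t p[] = {0x01, 20, 'a', 'b'};
    struct msg m;
    return parse_checked(p, sizeof p, &m);  /* expected -2 */
}

/* Oversized payload: 40 bytes really are present, but name[] holds 15 + NUL. */
int check_too_long(void) {
    uint8_t p[2 + 40];
    struct msg m;
    p[0] = 0x01;
    p[1] = 40;
    memset(p + 2, 'A', 40);
    return parse_checked(p, sizeof p, &m);  /* expected -3 */
}

int main(void) {
    printf("well-formed: %s\n", check_well_formed() ? "ok" : "FAIL");
    printf("truncated packet rejected with %d\n", check_truncated());
    printf("oversized payload rejected with %d\n", check_too_long());
    return 0;
}
```

Both rejections matter: the second check (`n > pkt_len - 2`) stops an over-read of whatever lies beyond the receive buffer, and the third (`n >= MAX_NAME`) stops the stack or heap write that turns a malformed packet into code execution. A firmware parser that performs only one of them is still exploitable through the other path.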
Cisco notified the manufacturer about the vulnerabilities on August 17, 2021. Consequently, Garrett made security updates available on December 13, 2021. Yesterday, Cisco made the details of the software flaws public. Users can mitigate the security flaws by updating the firmware of their iC modules to the latest version.