IBM interns find 19 vulnerabilities in corporate check-in systems

Two university students who work for IBM’s red-teaming unit have found 19 previously undisclosed flaws in the automated systems that companies use to check visitors into their facilities.
IBM X-Force Red interns
IBM X-Force Red interns — including Hannah Robbins and Scott Brink — at work in a lab in Austin. (IBM)

A pair of precocious interns at IBM’s red-teaming unit has found 19 previously undisclosed vulnerabilities in the automated systems that companies use to check visitors into their facilities.

A hacker exploiting the security flaws could access visitor logs, contact information, and other company data, and use that access to go after corporate networks, the IBM X-Force Red researchers said.

The study of five popular visitor-management systems is a warning of the risk of automating common societal tasks without security precautions. These systems are supplanting security guards as an efficient way of enabling access to a building, and apparent negligence in their architecture leaves them vulnerable.

The interns, Hanna Robbins and Scott Brink, are students at the University of Tulsa and the Rochester Institute of Technology, respectively, according to their LinkedIn profiles. Robbins and Brink found default administrative login credentials that would give attackers complete control of a visitor-management application. They also uncovered software flaws that could let a hacker use Windows shortcut keys and dialogue boxes to wrest control of the application.


The data held by the visitor systems could be of interest to corporate competitors or foreign intelligence agencies intent on economic espionage.

“Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect,” IBM’s Daniel Crowley wrote in a blog post Monday.

Several of the affected vendors have already patched their software or are planning to, IBM said. If no patch is coming for certain software, companies should determine how exploitable a vulnerability is and work to isolate affected systems from others, Crowley advised.

The research points to the need to shore up security in visitor management systems as they continue to proliferate. The global market for these check-in kiosks is expected to grow from $824 million in 2018 to $1.3 billion in 2025, according to

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts