Security News > 2021 > December > Garrett Walk-Through Metal Detectors Can Be Hacked Remotely

A number of security flaws have been uncovered in a networking component in Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, tamper with metal detector configurations, and even execute arbitrary code on the devices.

"An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through," Cisco Talos noted in a disclosure publicized last week.

"They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors."

The flaws reside in Garrett iC Module, which enables users to communicate to walk-through metal detectors like Garrett PD 6500i or Garrett MZ 6100 using a computer through the network, either wired or wirelessly.

CVE-2021-21901, CVE-2021-21903, CVE-2021-21905, and CVE-2021-21906 - Stack-based buffer overflow vulnerabilities that can be triggered by sending a malicious packet to the device.

Successful exploitation of the aforementioned flaws in iC Module CMA version 5.0 could allow an attacker to hijack an authenticated user's session, read, write, or delete arbitrary files on the device, and worse, lead to remote code execution.

News URL

https://thehackernews.com/2021/12/garrett-walk-through-metal-detectors.html