Ensuring Robust Security for Critical Access with Alfapass

The Challenge: Fortifying a Complex, Critical Ecosystem

Alfapass plays a pivotal role in ensuring secure and efficient access within vital logistics hubs like ports. Their intricate ecosystem relies on a seamless blend of mobile applications, smartcard technology, kiosk systems, pre-registration portals, and identity management, all designed to manage access for thousands of individuals daily.

With such a critical function, any security vulnerability could have far-reaching consequences, compromising data integrity, operational continuity, and physical security. Alfapass needed an expert cybersecurity partner to rigorously test their entire digital footprint, identify potential weaknesses, and ensure their systems could withstand sophisticated attacks. They sought deep insights into the security posture of:

• Their MyAlfapass mobile application, a key user interface.
• The entire Smartcard personalization flow, SDK, and associated Cloud Service, which underpins their physical access control.
• Their Oribi kiosks, crucial for on-site registration and data handling.
• The Prean pre-registration application, managing user and company data.
• Keycloak, their central identity and access management solution.

The Cyrex Solution: Multi-Layered Penetration Testing

Cyrex deployed a specialized team of penetration testers to conduct a highly detailed and multi-faceted security assessment across Alfapass’s diverse technological stack. Our approach was designed to mimic real-world attack scenarios, providing Alfapass with a true understanding of their resilience against cyber threats.

Our comprehensive penetration testing services covered:

MyAlfapass Mobile Application Security

• Thorough testing of the mobile application for common vulnerabilities, secure data handling, and backend API interactions.

Smartcard Personalization & Cloud Service Security

• In-depth analysis of the smartcard personalization flow, including the SDK and its integration with the backend cloud service, focusing on data integrity, sensitive information handling, and potential manipulation.

Oribi Kiosk Vulnerability Assessment

• Data Leakage Analysis: Investigating the kiosks for any potential exposure of sensitive information.
• Network Segregation: Determining if any connection existed between test and production kiosks, a common risk for unauthorized access.
• General Vulnerability Assessment: Identifying broader security weaknesses within the kiosk software and configuration.

Prean Pre-registration Application Security

• Flow Validation: Rigorous testing of pre-registration workflows for bypasses or logic flaws.
• User & Company Management: Assessing the security of administrative functions related to user and company data.
• Role-Based Access Control (RBAC): Granular validation from the perspective of four different company types and five user roles to ensure correct permissions.
• Data Leakage Validation: Probing for unauthorized access to sensitive user or company data.
• Authentication & Authorization: Comprehensive testing for bypasses, weak points, and privilege escalation vulnerabilities.
• General Web Application Security: A holistic vulnerability assessment covering OWASP Top 10 and other critical web security concerns.

Keycloak Identity & Access Management Security

• Configuration Validation: Reviewing the Keycloak API and admin interface for misconfigurations or exposed functionalities.
• OAuth Implementation Testing: Validating various OAuth implementations used across MyAlfapass, Alfapass Online, and GVS, specifically targeting:
  • Authentication Bypasses: Attempting to circumvent the login process.
  • User Spoofing: Trying to impersonate legitimate users.
  • Misconfigurations: Uncovering any insecure default settings or custom errors that could be exploited.

The Outcome: Uncompromised Security for Critical Operations

Through Cyrex’s diligent and expert penetration testing, Alfapass gained invaluable insights into the security posture of their entire digital infrastructure. We successfully identified and helped remediate potential vulnerabilities across their mobile app, smartcard systems, kiosks, pre-registration, and identity management.

The detailed reports, complete with actionable recommendations, empowered Alfapass to:

• Proactively strengthen their defenses against sophisticated cyberattacks.
• Ensure the integrity and confidentiality of sensitive user and operational data.
• Validate the robust access control mechanisms critical for their secure logistics environment.
• Maintain uninterrupted operations by preemptively addressing potential security weak points.
• Increase confidence in their secure access solutions, underpinning their reputation as a reliable partner in critical infrastructure management.

By partnering with Cyrex, Alfapass reinforced their commitment to security, ensuring their systems remained resilient, trusted, and ready to facilitate secure access for the future.

Ready to fortify your critical digital infrastructure?

Contact Cyrex Today for a Consultation on Your Security Needs!