Cybersecurity solutions provider Kaspersky has revealed a series of vulnerabilities in the hybrid biometric terminals produced by ZKTeco, an international security device manufacturer.
The flaws, found during an assessment by Kaspersky’s security researchers, pose a significant risk to any facility that relies on these devices for access control. Chained together they allow unauthorized physical access, theft of stored biometric data, and remote manipulation of the terminal itself, affecting deployments across many sectors worldwide.
The affected readers, which support both face recognition and QR-code authentication, are deployed in high-security environments such as nuclear plants, corporate offices, and hospitals. Kaspersky reported its findings to ZKTeco before public disclosure, and the vulnerabilities have been assigned CVE (Common Vulnerabilities and Exposures) identifiers.
Key Vulnerabilities:
- CVE-2023-3938: Allows an attacker to perform SQL injection by encoding SQL fragments in the data carried by a QR code; the terminal passes the decoded string into a database query, so crafted data can be accepted as a legitimate credential and unlock the door. Presenting a QR code with more data than the device expects causes it to restart instead of granting access.
- CVE-2023-3940: Flaws that permit reading arbitrary files from the device. An attacker can use them to extract stored biometric templates and password hashes, which further compromises the system.
- CVE-2023-3941: Inadequate input validation allows an attacker to write unauthorized records, such as face photos, into the user database, undermining the recognition check that is supposed to keep strangers out.
- CVE-2023-3942: Similar to CVE-2023-3938, this SQL injection allows an attacker to retrieve sensitive information from the device’s database.
- CVE-2023-3939 and CVE-2023-3943: These allow execution of arbitrary commands or code on the device, giving an attacker full control, the ability to alter the device’s behaviour, and a foothold from which to attack other systems on the same network.
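To make the QR-code injection class concrete, the following added example (written for this article; it is not ZKTeco's firmware or Kaspersky's proof of concept, and the table layout, token format and length limit are assumptions) models a terminal looking up a decoded QR payload in its credential table. The vulnerable lookup concatenates the payload into the query, so a crafted code either matches every user or pulls schema information out of the database; the hardened lookup uses a bound parameter and rejects oversized payloads before they reach the database engine.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a terminal's credential store.

    The schema and sample rows are invented for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "qr_token TEXT, access_level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, qr_token, access_level) VALUES (?, ?, ?)",
        [("alice", "QR-7f3a9c", 2), ("bob", "QR-19e4b0", 1)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, qr_payload):
    """Bug class behind CVE-2023-3938 / CVE-2023-3942: the decoded QR string
    is spliced straight into SQL, so the payload controls the query."""
    query = f"SELECT name, access_level FROM users WHERE qr_token = '{qr_payload}'"
    return conn.execute(query).fetchall()


MAX_QR_LEN = 64  # assumed upper bound for a legitimate token


def lookup_hardened(conn, qr_payload):
    """Bound parameter plus a length check: the payload is only ever data,
    and oversized codes are rejected before any database work happens."""
    if len(qr_payload) > MAX_QR_LEN:
        raise ValueError("QR payload exceeds expected length")
    return conn.execute(
        "SELECT name, access_level FROM users WHERE qr_token = ?",
        (qr_payload,),
    ).fetchall()


# Constructed payloads an attacker could encode into a QR image.
BYPASS_PAYLOAD = "' OR '1'='1"                        # matches every row
EXFIL_PAYLOAD = "' UNION SELECT sql, 1 FROM sqlite_master --"  # leaks schema


def demo():
    """Runs both lookups against both payloads and returns the outcomes."""
    conn = build_db()
    return {
        "vuln_bypass": lookup_vulnerable(conn, BYPASS_PAYLOAD),
        "vuln_exfil": lookup_vulnerable(conn, EXFIL_PAYLOAD),
        "hardened_bypass": lookup_hardened(conn, BYPASS_PAYLOAD),
        "hardened_valid": lookup_hardened(conn, "QR-7f3a9c"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable path returns both users for the bypass payload and a `CREATE TABLE` statement for the exfiltration payload, whereas the parameterised path returns nothing for either attack string and only the intended row for a genuine token.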
“Attackers can sell stolen biometric data on the dark web, risking deepfake and social engineering attacks,” said Georgy Kiguradze, a senior application security specialist at Kaspersky. “They can also manipulate databases to grant unauthorized access to secure areas or install backdoors for cyberespionage.”
At the time of reporting, it is unclear whether ZKTeco has released patches for these issues. Until fixes are confirmed, Kaspersky recommends placing the biometric readers on a separate network segment, setting strong administrator passwords, keeping firmware up to date, and minimising the use of QR-code authentication where possible.
Kaspersky urges users of ZKTeco devices to audit and strengthen their security settings to protect against potential threats.