Kaspersky has uncovered multiple critical vulnerabilities in the hybrid biometric terminals produced by ZKTeco, an international manufacturer. These flaws could allow attackers to bypass security measures, gain unauthorized access, and manipulate the devices, posing significant risks to high-security facilities worldwide that utilize these devices.
The security flaws were identified during Kaspersky Security Assessment experts’ comprehensive examination of ZKTeco’s software and hardware. Before making these findings public, Kaspersky proactively shared all the information with ZKTeco.
ZKTeco’s biometric readers are prevalent across diverse sectors, including nuclear and chemical plants, offices, and hospitals. These devices support face recognition and QR-code authentication, capable of storing thousands of facial templates. However, the recently discovered vulnerabilities make them susceptible to various cyberattacks.
Physical Bypass via Fake QR Code
One significant vulnerability, registered as CVE-2023-3938, involves SQL injection, allowing cybercriminals to insert malicious code into the terminal’s database. Attackers can manipulate the QR code used for access, enabling unauthorized entry to restricted areas. When the terminal processes a request containing a malicious QR code, it mistakenly identifies it as a legitimate user. If the fake QR code contains excessive malicious data, the device restarts instead of granting access.
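The unsafe-versus-hardened pattern behind a QR-code credential lookup, as an added illustration that is not ZKTeco's code or Kaspersky's proof of concept: the table layout, token grammar and enrolled users are constructed assumptions, and the hardened lookup fails closed on both malformed and oversized payloads instead of passing them to the database.

```python
"""Added example: a QR-code credential lookup done the unsafe way (scanned
payload concatenated into SQL, the class of bug CVE-2023-3938 describes) and
the hardened way (strict validation, then a bound parameter).  The schema,
token format and sample users below are constructed for illustration."""
import re
import sqlite3

MAX_TOKEN_LEN = 64                                # assumed bound on a real token
TOKEN_RE = re.compile(r"[A-Za-z0-9\-]{8,64}")     # assumed token alphabet


def make_db() -> sqlite3.Connection:
    """Constructed in-memory 'terminal database' with two enrolled users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                "qr_token TEXT UNIQUE)")
    con.executemany("INSERT INTO users (name, qr_token) VALUES (?, ?)",
                    [("alice", "EMP-0001-A7F3K2"), ("bob", "EMP-0002-Q9Z1M4")])
    return con


def lookup_unsafe(con: sqlite3.Connection, qr_payload: str):
    """Vulnerable pattern: the scanned payload becomes part of the SQL text,
    so the payload decides what the query means."""
    sql = f"SELECT name FROM users WHERE qr_token = '{qr_payload}'"
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # an oversized or malformed payload errors out here
    return row[0] if row else None


def lookup_hardened(con: sqlite3.Connection, qr_payload: str):
    """Hardened pattern: reject anything outside the token grammar before it
    reaches the database, then bind the value instead of concatenating it."""
    if len(qr_payload) > MAX_TOKEN_LEN or not TOKEN_RE.fullmatch(qr_payload):
        return None  # fail closed: no query is ever built from bad input
    row = con.execute("SELECT name FROM users WHERE qr_token = ?",
                      (qr_payload,)).fetchone()
    return row[0] if row else None
```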
Biometric Data Theft and Remote Manipulation
Other critical flaws, CVE-2023-3940 and CVE-2023-3942, enable arbitrary file reading and SQL injection attacks, respectively. Exploiting these vulnerabilities allows attackers to access and extract sensitive biometric data and password hashes, compromising corporate credentials. Additionally, CVE-2023-3941 allows attackers to alter the database by uploading unauthorized data, such as photos, to bypass security measures.
Further vulnerabilities, CVE-2023-3939 and CVE-2023-3943, enable the execution of arbitrary commands or code on the device. This grants attackers full control, allowing them to manipulate the device’s operation, launch attacks on other network nodes, and expand their reach across broader corporate infrastructures.
Broader Implications
The discovered vulnerabilities have far-reaching implications. Stolen biometric data could be sold on the dark web, increasing the risk of deepfake and sophisticated social engineering attacks. The ability to alter databases weaponizes access control devices, potentially granting unauthorized access to restricted areas. Furthermore, some vulnerabilities enable the placement of backdoors, facilitating covert infiltration of enterprise networks and the development of sophisticated cyberespionage or sabotage attacks.
Call to Action
Given the diverse impacts of these vulnerabilities, it is urgent for users of ZKTeco devices to patch these flaws and thoroughly audit their security settings. At the time of publication, it is unclear whether ZKTeco has issued patches to address these vulnerabilities.
To thwart related cyberattacks, besides installing the patch, Kaspersky advises taking the following steps:
- Isolate biometric reader usage into a separate network segment.
- Employ robust administrator passwords, changing default ones.
- Audit and bolster the device's security settings, fortifying weak defaults. Consider enabling or adding temperature detection to avoid authorization using a random photo.
- Minimize the use of QR-code functionality, if feasible.
- Update firmware regularly.