Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by international manufacturer ZKTeco. By adding random user data to the database or using a fake QR code, cybercriminals can easily bypass the verification process and gain unauthorised access.
Attackers can also steal and leak biometric data, remotely manipulate devices, and deploy backdoors. High-security facilities worldwide are at risk if they use this vulnerable device.
The flaws were discovered during the course of Kaspersky Security Assessment experts’ research into the software and hardware of ZKTeco’s white-label devices. All findings were proactively shared with the manufacturer prior to public disclosure.
The biometric readers in question are widely used in areas across diverse sectors – from nuclear or chemical plants to offices and hospitals. These devices support face recognition and QR-code authentication along with the capacity to store thousands of facial templates. However, the newly discovered vulnerabilities expose them to various attacks.
Kaspersky grouped the flaws based on the required patches and registered them under specific CVEs (Common Vulnerabilities and Exposures).
Physical bypass via a fake QR code
The CVE-2023-3938 vulnerability allows cybercriminals to perform a cyberattack known as SQL injection which involves inserting malicious code into strings sent to a terminal’s database. Attackers can inject specific data into the QR code used for accessing restricted areas. Consequently, they can gain unauthorised access to the terminal and physically access the restricted areas.
When the terminal processes a request containing this type of malicious QR code, the database mistakenly identifies it as originating from the most recently authorised legitimate user. If the fake QR code contains an excessive amount of malicious data, rather than granting access, the device restarts.
“In addition to replacing the QR code, there is another intriguing physical attack vector,” says Georgy Kiguradze, senior application security specialist at Kaspersky. “If someone with malicious intent gains access to the device’s database they can exploit other vulnerabilities to download a legitimate user’s photo, print it, and use it to deceive the device’s camera to gain access to a secured area. This method, of course, has certain limitations. It requires a printed photo – and warmth detection must be turned off. However, it still poses a significant potential threat.”
Biometric data theft, backdoor deployment and other risks
CVE-2023-3940 are flaws in a software component that permit arbitrary file reading. Exploiting these vulnerabilities grants a potential attacker access to any file on the system and enables them to extract it. This includes sensitive biometric user data and password hashes to further compromise the corporate credentials. Similarly, CVE-2023-3942 provides another way to retrieve sensitive user and system information from the biometry devices’ databases – through SQL injection attacks.
Threat actors can not only access and steal, but also remotely alter the database of a biometric reader by exploiting CVE=2023-3941. This group of vulnerabilities originates from improper verification of user input across multiple system components. Exploiting it allows attackers to upload their own data – such as photos – thereby adding unauthorised individuals to the database. This could enable them to stealthily bypass turnstiles or doors. Another critical feature of this vulnerability enables perpetrators to replace executable files, potentially creating a backdoor.
Successful exploitation of two other groups of new flaws – CVE-2023-3939 and CVE-2023-3943 – enables the execution of arbitrary commands or code on the device, granting the attacker full control with the highest level of privileges. This allows the threat actor to manipulate the device’s operation and leveraging it to launch attacks on other network nodes and expand the offense across a broader corporate infrastructure.
“The impact of the discovered vulnerabilities is alarmingly diverse,” says Kiguradze. “To begin with, attackers can sell stolen biometric data on the dark web subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponises the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors.
“Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks facilitating the development of sophisticated attacks including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device’s security settings for those using the devices in corporate areas.”