Kaspersky finds 24 vulnerabilities in biometric access systems

June 2024 Information Security

Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by international manufacturer ZKTeco. A nefarious actor can bypass the verification process and gain unauthorised access by adding random user data to the database or using a fake QR code. Attackers can also steal and leak biometric data, remotely manipulate devices, and deploy backdoors. High-security facilities worldwide are at risk if they use this vulnerable device.

The flaws were discovered during Kaspersky Security Assessment experts’ research into the software and hardware of ZKTeco’s white-label devices. All findings were proactively shared with the manufacturer before public disclosure.

The biometric readers in question are widely used in diverse sectors – from nuclear or chemical plants to offices and hospitals. These devices support face recognition and QR-code authentication and can store thousands of facial templates. However, the newly discovered vulnerabilities expose them to various attacks. Kaspersky grouped the flaws based on the required patches and registered them under specific CVEs (Common Vulnerabilities and Exposures).

Physical bypass via a fake QR code

The CVE-2023-3938 vulnerability allows cybercriminals to perform a cyberattack known as SQL injection, which involves inserting malicious code into strings sent to a terminal’s database. Attackers can inject specific data into the QR code used to access restricted areas. Consequently, they can gain unauthorised access to the terminal and physically access the restricted areas.

When the terminal processes a request containing this type of malicious QR code, the database mistakenly identifies it as originating from the most recently authorised legitimate user. If the fake QR code contains an excessive amount of malicious data, rather than granting access, the device restarts.

“In addition to replacing the QR code, there is another intriguing physical attack vector. If someone with malicious intent gains access to the device’s database, they can exploit other vulnerabilities to download a legitimate user’s photo, print it, and use it to deceive the device’s camera to gain access to a secured area. This method, of course, has certain limitations. It requires a printed photo, and warmth detection must be turned off. However, it still poses a significant potential threat,” says Georgy Kiguradze, Senior Application Security Specialist at Kaspersky.

Biometric data theft, backdoor deployment, and other risks

CVE-2023-3940 are flaws in a software component that permit arbitrary file reading. Exploiting these vulnerabilities grants a potential attacker access to any file on the system and enables them to extract it. This includes sensitive biometric user data and password hashes to further compromise the corporate credentials. Similarly, CVE-2023-3942 provides another way to retrieve sensitive user and system information from the biometry devices’ databases – through SQL injection attacks.

Threat actors can not only access and steal, but also remotely alter the database of a biometric reader by exploiting CVE-2023-3941. This group of vulnerabilities originates from improper verification of user input across multiple system components. Exploiting it allows attackers to upload their own data, such as photos, thereby adding unauthorised individuals to the database. This could enable them to stealthily bypass turnstiles or doors. Another critical feature of this vulnerability enables perpetrators to replace executable files, potentially creating a backdoor.

Successful exploitation of two other groups of new flaws – CVE-2023-3939 and CVE-2023-3943 – enables the execution of arbitrary commands or code on the device, granting the attacker full control with the highest level of privileges. This allows the threat actor to manipulate the device’s operation, leveraging it to launch attacks on other network nodes and expand the offence across a broader corporate infrastructure.

“The impact of the discovered vulnerabilities is alarmingly diverse. To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponises the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors. Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device's security settings for those using the devices in corporate areas,” elaborates Kiguradze.

To thwart related cyberattacks, besides installing the patch, Kaspersky advises taking the following steps:

• Isolate biometric reader usage into a separate network segment.

• Employ robust administrator passwords, changing default ones.

• Audit and bolster devices' security settings, fortifying weak defaults. Consider enabling or adding temperature detection to avoid authorisation using a random photo.

• Minimise the use of QR-code functionality, if feasible.

• Update firmware regularly.

Learn more on Securelist.com.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

SMART and secure estates in Cape Town
Technews Publishing Axis Communications SA Gallagher DeepAlert Nemtek Electric Fencing Products Editor's Choice
In February 2024, SMART Security Solutions emigrated to the Western Cape to host its first SMART Estate Security Conference in the region in many years. For the day, we took over the prestigious D’Aria Wine Estate.

Integrated, mobile access control
SA Technologies Entry Pro Technews Publishing Access Control & Identity Management
SMART Security Solutions spoke to SA Technologies to learn more about what is happening in the estate access world and what the company offers the residential estate market.

New ransomware using BitLocker to encrypt data
Technews Publishing Information Security Residential Estate (Industry)
Kaspersky has identified ransomware attacks using Microsoft’s BitLocker to attempt encryption of corporate files. It can detect specific Windows versions and enable BitLocker according to those versions.

SMART Estate Security returns to KZN
Nemtek Electric Fencing Products Technews Publishing Axis Communications SA OneSpace Editor's Choice News & Events Integrated Solutions IoT & Automation
The second SMART Estate Security Conference of 2024 was held in May in KwaZulu-Natal at the Mount Edgecombe Estate Conference Centre, which is located on the Estate’s pristine golf course.

Creating employment through entrepreneurship
Technews Publishing Marathon Consulting Editor's Choice Integrated Solutions Residential Estate (Industry)
Eduardo Takacs’s journey is a testament to bona fide entrepreneurial resilience, making him stand out in a country desperate for resilient businesses in the small and medium enterprise space that can create employment opportunities.

From the editor's desk: Just gooi a cable
Technews Publishing News & Events
      Welcome to the 2024 edition of the SMART Estate Security Handbook. We focus on a host of topics, and this year’s issue also has a larger-than-normal Product Showcase section. Perhaps the vendors are ...

Create order from chaos
Information Security
The task of managing and interpreting vast amounts of data is akin to finding a needle in a haystack. Cyberthreats are growing in complexity and frequency, demanding sophisticated solutions that not only detect, but also prevent, malicious activities effectively.

Trend Micro launches first security solutions for consumer AI PCs
Information Security News & Events
Trend Micro unveiled its first consumer security solutions tailored to safeguard against emerging threats in the era of AI PCs. Trend will bring these advanced capabilities to consumers in late 2024.

Responsible AI boosts software security
Information Security
While the prevalence of high-severity security flaws in applications has dropped slightly in recent years, the risks posed by software vulnerabilities remain high, and remediating these vulnerabilities could hinder new application development.

AI and ransomware: cutting through the hype
AI & Data Analytics Information Security
It might be the great paradox of 2024: artificial intelligence (AI). Everyone is bored of hearing it, but we cannot stop talking about it. It is not going away, so we had better get used to it.