Islamabad : Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by International Chinese manufacturer ZKTeco. By adding random user data to the database or using a fake QR code, a nefarious actor can easily bypass the verification process and gain unauthorized access. Attackers can also steal and leak biometric data, remotely manipulate devices, and deploy backdoors. High-security facilities worldwide are at risk if they use this vulnerable device.
The flaws were discovered in the course of Kaspersky Security Assessment experts’ research into the software and hardware of ZKTeco’s white-label devices. All findings were proactively shared with the manufacturer prior to public disclosure.
The biometric readers in question are widely used in areas across diverse sectors – from nuclear or chemical plants to offices and hospitals. These devices support face recognition and QR-code authentication, along with the capacity to store thousands of facial templates. However, the newly discovered vulnerabilities expose them to various attacks.
Attackers can inject specific data into the QR code used for accessing restricted areas. Consequently, they can gain unauthorized access to the terminal and physically access the restricted areas. When the terminal processes a request containing this type of malicious QR code, the database mistakenly identifies it as originating from the most recently authorized legitimate user.
“In addition to replacing the QR code, there is another intriguing physical attack vector. If someone with malicious intent gains access to the device’s database, they can exploit other vulnerabilities to download a legitimate user’s photo, print it, and use it to deceive the device’s camera to gain access to a secured area. This method, of course, has certain limitations. It requires a printed photo, and warmth detection must be turned off. However, it still poses a significant potential threat,” says Georgy Kiguradze, Senior Application Security Specialist at Kaspersky.
Exploiting these vulnerabilities grants a potential attacker access to any file on the system and enables them to extract it. This includes sensitive biometric user data and password hashes to further compromise the corporate credentials. Threat actors can not only access and steal but also remotely alter the database of a biometric reader. “The impact of the discovered vulnerabilities is alarmingly diverse.Attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors, Georgy Kiguradze further elaborated, .
To thwart related cyberattacks, Kaspersky advises Isolating biometric reader usage into a separate network segment and employ robust administrator passwords, changing default ones. Consider enabling or adding temperature detection to avoid authorization using a random photo and minimize the use of QR-code functionality, if feasible and update firmware regularly.
