Kaspersky Uncovers Critical Security Flaws in ZKTeco Biometric Terminals

Kaspersky has identified critical vulnerabilities in ZKTeco biometric terminals, exposing them to unauthorized access and data theft. Users are advised to install patches and strengthen security measures to mitigate these risks.


13 June 2024 – Kaspersky has identified significant security flaws in the hybrid biometric terminals manufactured by ZKTeco, an international security device provider. The vulnerabilities were discovered during a comprehensive security assessment of ZKTeco’s white-label devices. These flaws allow malicious actors to bypass verification processes, steal and leak biometric data, remotely manipulate devices, and deploy backdoors, putting high-security facilities at risk worldwide.

The vulnerabilities, classified under specific CVEs (Common Vulnerabilities and Exposures), reveal that attackers can easily gain unauthorized access by adding random user data to the database or using a fake QR code. One critical flaw, CVE-2023-3938, enables SQL injection attacks through malicious QR codes, allowing unauthorized entry by making the terminal’s database recognize the fake code as a legitimate user. Excessive malicious data in these QR codes can even cause the device to restart.
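The class of flaw described for CVE-2023-3938, shown as an added example that is not Kaspersky's or ZKTeco's code: a lookup that concatenates scanned QR text into SQL, beside a hardened lookup that caps the payload length, enforces a format, and binds the value as a parameter. The table schema, the credential format, the length cap, and all function names are assumptions made for illustration.

```python
import re
import sqlite3

# Assumed limits for a QR credential; the real terminal format is not given on the page.
MAX_QR_LEN = 32
QR_FORMAT = re.compile(r"[A-Za-z0-9]{8,32}")

# Constructed sample input: textbook quote-breaking string, not taken from the advisory.
CRAFTED_PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build a constructed in-memory user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, qr_code TEXT)")
    db.execute("INSERT INTO users (name, qr_code) VALUES ('alice', 'A1B2C3D4E5F6')")
    return db


def lookup_unsafe(db, qr_payload):
    """Pattern to avoid: scanned text becomes part of the SQL statement itself."""
    sql = "SELECT name FROM users WHERE qr_code = '" + qr_payload + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(db, qr_payload):
    """Reject oversized or malformed payloads, then bind the value as data."""
    if len(qr_payload) > MAX_QR_LEN:
        return None  # oversized input is dropped before any parsing or query
    if not QR_FORMAT.fullmatch(qr_payload):
        return None  # quotes, spaces and other SQL metacharacters never reach the DB
    row = db.execute(
        "SELECT name FROM users WHERE qr_code = ?", (qr_payload,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("unsafe, crafted:  ", lookup_unsafe(db, CRAFTED_PAYLOAD))
    print("hardened, crafted:", lookup_hardened(db, CRAFTED_PAYLOAD))
    print("hardened, valid:  ", lookup_hardened(db, "A1B2C3D4E5F6"))
    print("hardened, huge:   ", lookup_hardened(db, "A" * 5000))
```

The parameter binding alone closes the injection; the length and format checks are defence in depth against the oversized-payload behaviour the paragraph mentions.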

Further vulnerabilities include CVE-2023-3940, which permits arbitrary file reading, potentially exposing sensitive biometric data and password hashes. Similarly, CVE-2023-3942 allows SQL injection attacks to retrieve sensitive information from the device’s database. The CVE-2023-3941 vulnerability enables attackers to upload unauthorized data and replace executable files, creating backdoors and adding unauthorized users to the database.

Additionally, CVE-2023-3939 and CVE-2023-3943 allow the execution of arbitrary commands or code, granting attackers full control of the device. This could facilitate broader attacks on other network nodes within a corporate infrastructure.

Kaspersky’s Senior Application Security Specialist, Georgy Kiguradze, emphasized the diverse impacts of these vulnerabilities. Stolen biometric data could be sold on the dark web, increasing risks of deepfake and social engineering attacks. Manipulating the database could allow unauthorized access to restricted areas and the deployment of backdoors for further infiltration. These vulnerabilities could also enable sophisticated cyberespionage or sabotage attacks.

Kaspersky has shared all findings with ZKTeco and advised users to install patches, isolate biometric readers in separate network segments, employ strong administrator passwords, audit security settings, minimize QR-code functionality, and regularly update firmware.

Author: Terry KS
