
24 vulnerabilities found in Chinese-made biometric access system

International. Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by the international manufacturer ZKTeco. By adding random user data to the database or using a fake QR code, an actor can bypass the verification process and gain unauthorized access.

The company said attackers can also steal and exfiltrate biometric data, manipulate devices remotely, and deploy backdoors. High-security facilities around the world are at risk if they use this vulnerable device.

The flaws were discovered during an investigation by Kaspersky Security Assessment experts into the software and hardware of ZKTeco's white-label devices. All findings were proactively shared with the manufacturer prior to public disclosure.

The biometric readers in question are widely used across various sectors, from nuclear or chemical plants to offices and hospitals. These devices support facial recognition and QR code authentication and can store thousands of facial templates. However, the newly discovered vulnerabilities expose them to various attacks. Kaspersky grouped the flaws according to the required patches and registered them under specific CVEs (Common Vulnerabilities and Exposures).

Physical bypass using a fake QR code
The CVE-2023-3938 vulnerability allows cybercriminals to perform a cyberattack known as SQL injection, which involves inserting malicious code into strings sent to a terminal's database. Attackers can inject specific data into the QR code used to access restricted areas. Consequently, they can gain unauthorized access to the terminal and physically access the restricted areas.

When the endpoint processes a request containing this type of malicious QR code, the database mistakenly identifies it as coming from the most recently authorized legitimate user. If the fake QR code contains an excessive amount of malicious data, instead of granting access, the device reboots.
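
The class of flaw described above, shown as an added example that is not code from Kaspersky or ZKTeco: a lookup that concatenates QR text into SQL, next to a version that bounds the input length, allow-lists its format and binds it as a parameter. The table, column names, token format and length cap are hypothetical and the sample data is constructed.

```python
import re
import sqlite3

MAX_QR_LEN = 32                          # assumed cap; derive it from the real credential format
QR_FORMAT = re.compile(r"[A-Za-z0-9]+")  # assumed format: alphanumeric token only

def make_db():
    """Constructed sample data in a hypothetical table (not the device's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE credentials (user_id INTEGER, qr_token TEXT, last_auth INTEGER)")
    db.executemany("INSERT INTO credentials VALUES (?, ?, ?)",
                   [(1, "A1B2C3", 100), (2, "D4E5F6", 200)])
    return db

def lookup_vulnerable(db, qr_text):
    """Before: QR text is concatenated into the SQL string, so it can rewrite the query."""
    sql = ("SELECT user_id FROM credentials WHERE qr_token = '" + qr_text +
           "' ORDER BY last_auth DESC LIMIT 1")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def lookup_hardened(db, qr_text):
    """After: bound the length, allow-list the format, bind the value as a parameter."""
    if len(qr_text) > MAX_QR_LEN or not QR_FORMAT.fullmatch(qr_text):
        return None                      # rejected before it reaches the database
    row = db.execute(
        "SELECT user_id FROM credentials WHERE qr_token = ? "
        "ORDER BY last_auth DESC LIMIT 1", (qr_text,)).fetchone()
    return row[0] if row else None

# Constructed QR contents: a valid token, a textbook tautology, an oversized input.
VALID = "A1B2C3"
TAUTOLOGY = "x' OR '1'='1"
OVERSIZED = "A" * 10_000

if __name__ == "__main__":
    db = make_db()
    for label, qr in (("valid", VALID), ("tautology", TAUTOLOGY), ("oversized", OVERSIZED)):
        try:
            before = lookup_vulnerable(db, qr)
        except sqlite3.Error as exc:
            before = f"error: {exc}"
        print(f"{label:10} vulnerable={before!r} hardened={lookup_hardened(db, qr)!r}")
```

In the concatenating version the tautology matches every row and the query returns the most recently authorized user, which is the symptom the article describes; the hardened version rejects both the tautology and the oversized input before any query runs.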

"In addition to replacing the QR code, there is another intriguing physical attack vector. If someone with malicious intent gains access to the device's database, they can exploit other vulnerabilities to download a legitimate user's photo, print it, and use it to trick the device's camera and gain access to a secure area. This method, of course, has certain limitations. It requires a printed photograph, and warmth detection must be turned off. However, it still poses a significant potential threat," says Georgy Kiguradze, Senior Application Security Specialist at Kaspersky.

Biometric data theft, backdoor implementation, and other risks
CVE-2023-3940 covers flaws in a software component that allow arbitrary file reading. Exploiting these vulnerabilities grants a potential attacker access to any file on the system and allows them to extract it. This includes sensitive user biometric data and password hashes, which can be used to further compromise corporate credentials. Similarly, CVE-2023-3942 provides another way to recover sensitive system and user information from biometric device databases: using SQL injection attacks.

Threat actors can not only access and steal, but also remotely alter a biometric reader's database by exploiting CVE-2023-3941. This group of vulnerabilities originates from improper verification of user input on multiple system components. Exploiting it allows attackers to upload their own data, such as photographs, thus adding unauthorized people to the database. This could allow them to stealthily get around turnstiles or gates. Another critical feature of this vulnerability allows perpetrators to replace executable files, potentially creating a backdoor.

The successful exploitation of two other groups of new flaws (CVE-2023-3939 and CVE-2023-3943) allows the execution of arbitrary commands or code on the device, granting the attacker full control with the highest level of privileges. This allows the threat actor to manipulate the operation of the device, leveraging it to launch attacks on other nodes on the network and expand the offensive across a broader corporate infrastructure.

"The impact of the vulnerabilities discovered is alarmingly diverse. For starters, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to greater risks of sophisticated attacks and social engineering. In addition, the ability to tamper with the database weaponizes the original purpose of access control devices, potentially granting access to restricted areas to nefarious actors. Finally, some vulnerabilities allow the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of fixing these vulnerabilities and thoroughly auditing the device's security settings for those who use them in corporate areas," explains Georgy Kiguradze.

At the time of publishing the information about the vulnerability, Kaspersky lacked accessible data on whether the patches had been issued. To thwart related cyberattacks, in addition to installing the patch, Kaspersky recommends the following steps:

  • Isolate the use of the biometric reader on a separate network segment.
  • Use strong admin passwords and change the default ones.
  • Audit and strengthen device security settings, including weak defaults. Consider enabling or adding temperature detection to prevent authorization using a random photo.
  • Minimize the use of QR code functionality, if possible.
  • Update the firmware periodically.
