Identity & Access Management , Security Operations
Chinese-Made Biometric Access System Has 24 Vulnerabilities
Kaspersky Unveils 24 Flaws in ZKTeco TerminalsA promise of better security through biometrics fell short after security researchers dismantled an access system made by a Chinese manufacturer and discovered that it contained 24 vulnerabilities.
See Also: Cloud Security & Compliance For Dummies
Researchers from Kaspersky examined a biometric access system made by Chinese manufacturer ZKTeco that accepts facial scans as well as passwords, QR codes and an electronic card as authentication methods. The device has different names, depending on its distributor.
One critical flaw, tracked as CVE-2023-3938, enables cybercriminals to perform an SQL attack, injecting malicious code into a terminal's database via QR code in order to obtain unauthorized access to presumably restricted areas. When the terminal processes a malicious QR code, it mistakenly identifies it as coming from a legitimate user. An excess of malicious data causes the device to restart.
"In addition to replacing the QR code, there is another intriguing physical attack vector," said Georgy Kiguradze, senior application security specialist at Kaspersky. "If someone with malicious intent gains access to the device's database, they can exploit other vulnerabilities to download a legitimate user's photo, print it, and use it to deceive the device's camera to gain access to a secured area."
Kiguradze said that this method has limitations. It requires a printed photo, and warmth detection must be turned off. But it still poses a significant potential threat, he said.
Many of the vulnerabilities uncovered originate from an error in the database wrapper library. Researchers grouped these as "multiple vulnerabilities" based on their type and cause, leading to a smaller number of CVEs. The CVEs include:
- 6 SQL injection vulnerabilities
- 7 buffer stack overflow vulnerabilities
- 5 command injection vulnerabilities
- 4 arbitrary file write vulnerabilities
- 2 arbitrary file read vulnerabilities
Another serious vulnerability is CVE-2023-3941 which allows attackers to remotely alter the database of a biometric reader. Improper verification of user input across multiple system components enables attackers to upload their data, such as photos, adding unauthorized individuals to the database. This flaw also permits the replacement of executable files, creating a potential backdoor.
A vulnerability tracked as CVE-2023-3940 involves flaws in a software component that allow arbitrary file reading, granting attackers access to sensitive biometric data and password hashes.
CVE-2023-3942 allows attackers to retrieve sensitive information from the devices' databases via SQL injection.
The ability to execute arbitrary commands or code on the device, facilitated by CVE-2023-3939 and CVE-2023-3943, grants attackers full control with the highest level of privileges. This control enables them to manipulate the device's operation, launch attacks on other network nodes, and expand the offense across a broader corporate infrastructure.
"The impact of the discovered vulnerabilities is alarmingly diverse," Kiguradze said. "To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors."
Kiguradze said that some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage.
To mitigate these risks, Kaspersky advised isolating biometric reader usage into a separate network segment, employing robust administrator passwords, auditing and bolstering device security settings, minimizing QR code functionality, and updating firmware.