Security Flaws Discovered in ZKTeco Biometric Access System: A Call for Vigilance
A recent analysis conducted by Kaspersky has revealed significant vulnerabilities in a hybrid biometric access system produced by the Chinese manufacturer ZKTeco. The assessment identified two dozen security flaws that could be exploited by cyber adversaries to undermine authentication processes, pilfer biometric information, and potentially introduce malicious backdoors into the system.
The vulnerabilities are particularly concerning as they enable attackers to circumvent security measures with relative ease. A malicious actor could manipulate user data in the database or utilize counterfeit QR codes to gain unauthorized access. Kaspersky highlighted the severity of these vulnerabilities, noting the potential for attackers to not only intercept biometric data but also remotely take control of devices.
The identified flaws span a range of vulnerability classes, including six SQL injection vulnerabilities, seven stack-based buffer overflows, five command injection flaws, and issues allowing arbitrary file writes and reads. For instance, CVE-2023-3938 allows attackers to authenticate as any user in the database using a specially crafted request that exploits an SQL injection when a QR code is displayed to the device’s camera. Similarly, CVE-2023-3939 covers command injection vulnerabilities that could allow attackers to execute arbitrary operating system commands with root privileges, a severe threat to system integrity.
Kaspersky’s analysis also notes the broader implications of these vulnerabilities, warning that compromised biometric data could be offered for sale on the dark web, raising further concerns around targeted social engineering and deepfake attacks. The potential to exploit these weaknesses could also facilitate unauthorized access to secure areas, as well as the installation of backdoors enabling far-reaching cyber-espionage or disruptive actions.
The Russian cybersecurity firm carried out its research by reverse engineering the device’s firmware and examining the proprietary communication protocols. However, it does not currently know whether these vulnerabilities have been remediated.
In light of these findings, security experts recommend that businesses segregate the networks utilized by biometric readers, enforce strong administrative password policies, enhance device security configurations, minimize reliance on QR codes, and keep systems regularly updated to counteract potential threats.
Kaspersky cautioned that despite the benefits biometric systems provide for physical security, poorly secured devices may expose organizations to greater risk. Inadequately configured terminals could undermine the advantages of biometric authentication, creating vulnerabilities that intruders could easily exploit to breach secure areas within a business.
Given these findings and the attack vectors they open, which correspond to tactics such as initial access, privilege escalation, and persistence in the MITRE ATT&CK framework, business leaders must take proactive measures to secure their biometric systems. With cyber threats evolving constantly, staying informed and prepared is crucial to safeguarding sensitive information and ensuring the overall security of organizational assets.
For continued updates on cybersecurity issues and proactive measures, professionals are encouraged to engage with trusted sources and remain vigilant against emerging threats within this dynamic landscape.