Kaspersky Lab found 24 vulnerabilities in a popular biometric terminal

Tomcat

Kaspersky Lab has identified numerous vulnerabilities in the biometric terminal of the international manufacturer ZKTeco. They can be used to bypass the access control system and physically enter protected areas, as well as to steal biometric data, make changes to databases, and install backdoors.

The biometric readers in question are used in a wide variety of industries around the world, from nuclear power plants and manufacturing facilities to offices and healthcare organizations. They support four methods of user authentication: biometric (using a face), password, electronic pass, or QR code. They can store the biometric data of thousands of people. Kaspersky Lab experts grouped all the vulnerabilities found and registered them, first informing the manufacturer about them.

Vulnerability that allows attackers to gain physical access to restricted areas (CVE-2023-3938). One group of vulnerabilities can be used for SQL injection attacks. Attackers can embed data in a QR code to access places that cannot be accessed without authorization. If the terminal starts processing a request containing such a malicious QR code, the database mistakenly identifies it as coming from the last authorized legitimate user. An attack using this type of vulnerability therefore makes it possible to gain unauthorized access to the terminal and physically enter closed zones.

"In addition to replacing the QR code, there is another potential opportunity to 'trick' the system and gain access to closed protected areas. If an attacker gains access to the device's database, they can use other vulnerabilities to download a legitimate user's photo, print it out, and use it to trick the device's camera to gain access to the protected area. This method, of course, has certain limitations. The photo must be printed out or displayed on the phone screen, and the thermal sensors on the biometric terminal must be disabled. However, this method still poses a serious threat," said George Kiguradze, a cybersecurity expert at Kaspersky Lab.

Theft of biometric data, installation of backdoors. Another group of vulnerabilities (CVE-2023-3940) provides a potential attacker with access to any file on the system and the ability to extract it. This means that attackers can gain access to sensitive user biometric data and password hashes, and then compromise corporate credentials. However, the interpretation of stolen biometric data remains extremely difficult.

Another group of vulnerabilities (CVE-2023-3941) allows an attacker to make changes to the biometric reader database. Attackers can upload their own data to it, such as photos; that is, they can add themselves to the list of authorized users and then pass through turnstiles or doors. This group of vulnerabilities also allows executable files to be replaced, which potentially makes it possible to create a backdoor.

The other two groups of vulnerabilities (CVE-2023-3939, CVE-2023-3943) allow an attacker to execute arbitrary commands or code on the device, giving the attacker full control with the highest level of privileges. The device can then be used to conduct attacks on other network nodes, which puts the entire corporate infrastructure at risk.

To prevent attacks using the listed vulnerabilities, Kaspersky Lab advises enterprises that use such terminal models to: allocate them to a separate network segment; use strong administrator passwords and be sure to replace the default ones; check and strengthen the device's security settings; enable thermal sensors on the biometric terminal to avoid authorization based on a random photo; reduce the risk of unauthorized access to the network; minimize the use of QR codes; update the firmware regularly.
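
The QR-code SQL injection described above (CVE-2023-3938), shown as a generic illustration of the bug class next to a hardened lookup. This is an added example, not ZKTeco firmware code or Kaspersky Lab's research code; the table layout, the 16-character token format and all function names are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed schema and rows; NOT the terminal's real database layout.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, qr_token TEXT)")
    db.executemany(
        "INSERT INTO users (name, qr_token) VALUES (?, ?)",
        [("alice", "A1B2C3D4E5F60718"), ("bob", "0F1E2D3C4B5A6978")],
    )
    return db

def lookup_unsafe(db, qr_text):
    """Anti-pattern: scanned text is pasted straight into the SQL statement."""
    sql = "SELECT name FROM users WHERE qr_token = '" + qr_text + "' ORDER BY id"
    rows = db.execute(sql).fetchall()
    # Taking the last row means a predicate that matches every row
    # resolves to whichever legitimate user happens to be stored last.
    return rows[-1][0] if rows else None

TOKEN_RE = re.compile(r"[0-9A-F]{16}")  # assumed token format

def lookup_safe(db, qr_text):
    """Hardened: allowlist the format, bind the value, require exactly one match."""
    if not isinstance(qr_text, str) or not TOKEN_RE.fullmatch(qr_text):
        return None  # anything that is not a well-formed token is rejected
    rows = db.execute(
        "SELECT name FROM users WHERE qr_token = ?", (qr_text,)
    ).fetchall()
    return rows[0][0] if len(rows) == 1 else None

# Constructed QR content carrying SQL instead of a token.
HOSTILE_QR = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for text in ("A1B2C3D4E5F60718", HOSTILE_QR, "unknown"):
        print(repr(text), "unsafe:", lookup_unsafe(db, text), "safe:", lookup_safe(db, text))
```

The same input that the concatenated query resolves to a stored user is rejected by the hardened lookup before it reaches the database, which is why input validation on the device matters alongside minimizing QR-code use.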
 