In a recent security assessment conducted by Kaspersky experts, significant vulnerabilities were identified in the biometric readers produced by ZKTeco.
These devices, widely used in high-security sectors such as nuclear plants, hospitals, and offices, support advanced authentication methods including facial recognition and QR-code scanning.
According to Kaspersky, these vulnerabilities pose a serious risk, potentially allowing unauthorized access and compromising sensitive data.
Physical Bypass via Malicious QR Codes
One of the critical vulnerabilities, CVE-2023-3938, allows cybercriminals to perform an SQL injection attack by injecting malicious code into QR codes used for accessing restricted areas.
Kaspersky explained that this could enable attackers to “gain unauthorized access to the terminal and physically access the restricted areas.”
When the terminal processes such a malicious QR code, it incorrectly identifies it as coming from an authorized user. If the QR code contains too much malicious data, the device may even restart, adding another layer of disruption.
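The failure described above is the classic pattern of an untrusted identifier (here, the decoded QR payload) being spliced into a SQL statement. The following is an added illustration, not ZKTeco's code and not Kaspersky's proof of concept: it uses a constructed in-memory SQLite table with an assumed `users` schema and an assumed `EMP-NNNN` badge-ID format, and places a lookup that concatenates the payload into the query beside one that caps the payload length, allowlists its format, and binds it as a parameter so it is never parsed as SQL.

```python
import re
import sqlite3


def make_db():
    """Constructed access-control table; not the real device schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT, authorized INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("EMP-1001", "Alice", 1), ("EMP-1002", "Bob", 0)],
    )
    return conn


def lookup_vulnerable(conn, qr_payload):
    """Vulnerable pattern: the decoded QR text becomes part of the SQL string.

    Any payload that closes the quote can rewrite the WHERE clause, so the
    terminal may 'authorize' an identifier that matches no authorized user.
    """
    sql = (
        "SELECT user_id FROM users "
        f"WHERE user_id = '{qr_payload}' AND authorized = 1"
    )
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        # A malformed payload surfaces here as a parser error rather than a
        # clean rejection; on a constrained device that path can be unstable.
        return []


# Assumed badge-ID format for the demonstration: three letters, dash, four digits.
QR_ID_PATTERN = re.compile(r"[A-Z]{3}-\d{4}")
# Hard cap on decoded payload size, since oversized payloads destabilised the
# terminal in the report above.
MAX_QR_LEN = 32


def lookup_hardened(conn, qr_payload):
    """Hardened lookup: length cap, format allowlist, then a bound parameter."""
    if len(qr_payload) > MAX_QR_LEN:
        return []
    if not QR_ID_PATTERN.fullmatch(qr_payload):
        return []
    rows = conn.execute(
        "SELECT user_id FROM users WHERE user_id = ? AND authorized = 1",
        (qr_payload,),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Constructed payloads: a valid badge, an unauthorized badge, and a
    # payload that breaks out of the quoted literal.
    for payload in ("EMP-1001", "EMP-1002", "' OR 1=1 --"):
        print(repr(payload), lookup_vulnerable(db, payload), lookup_hardened(db, payload))
```

The allowlist check does most of the work: a payload that is not shaped like a badge ID never reaches the database at all, and the parameter binding is the backstop for anything the pattern would let through.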
Biometric Data Theft and Database Manipulation
Another severe vulnerability, CVE-2023-3940, allows attackers to read any file on the system, including sensitive biometric data and password hashes. This could lead to the theft of valuable personal information, which can be sold on the dark web or used for advanced social engineering attacks. Kaspersky also highlighted that CVE-2023-3942 enables attackers to retrieve sensitive data from the device’s database through SQL injection, posing further risks to user data security.
Moreover, CVE-2023-3941 allows for unauthorized data uploading and database alteration, potentially enabling attackers to add themselves as legitimate users or create backdoors for further exploitation. “This could enable them to stealthily bypass turnstiles or doors,” said Georgy Kiguradze, Senior Application Security Specialist at Kaspersky. The ability to alter executable files means that an attacker could install malicious software, thereby gaining persistent access to the system.
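Because the uploads described above let an intruder enrol extra users or replace executables on the terminal, a practical control is to keep an approved baseline of the device's user roster and binary hashes and diff periodic exports against it. The following is an added example, not part of Kaspersky's report or any ZKTeco tooling: the snapshots are constructed dictionaries standing in for two exports, the field names are assumed, and the audit reports every user or file that was added, removed, or changed since the baseline.

```python
import hashlib
import json


def content_hash(data: bytes) -> str:
    """SHA-256 hex digest of a file's bytes (used to fingerprint executables)."""
    return hashlib.sha256(data).hexdigest()


def build_snapshot(users, files):
    """Build a snapshot from a user roster and {path: bytes} of executables.

    Users are keyed by ID with a canonical JSON encoding of their attributes,
    so any silent change to a role or name is detected, not just new IDs.
    """
    return {
        "users": {
            uid: json.dumps(attrs, sort_keys=True) for uid, attrs in users.items()
        },
        "files": {path: content_hash(data) for path, data in files.items()},
    }


def audit(baseline, current):
    """Compare a current export against the approved baseline."""
    report = {}
    for section in ("users", "files"):
        base, cur = baseline[section], current[section]
        report[f"added_{section}"] = sorted(set(cur) - set(base))
        report[f"removed_{section}"] = sorted(set(base) - set(cur))
        report[f"changed_{section}"] = sorted(
            k for k in set(base) & set(cur) if base[k] != cur[k]
        )
    report["clean"] = not any(v for k, v in report.items() if k != "clean")
    return report


if __name__ == "__main__":
    # Constructed baseline: one approved user and one approved binary.
    approved = build_snapshot(
        users={"EMP-1001": {"name": "Alice", "role": "staff"}},
        files={"/app/reader.bin": b"approved build v1"},
    )
    # Constructed later export: an extra user and a modified binary.
    observed = build_snapshot(
        users={
            "EMP-1001": {"name": "Alice", "role": "staff"},
            "EMP-9999": {"name": "unknown", "role": "admin"},
        },
        files={"/app/reader.bin": b"tampered build"},
    )
    print(json.dumps(audit(approved, observed), indent=2))
```

The baseline should be stored off the device and signed, since a terminal that can be written to arbitrarily cannot be trusted to keep its own reference copy intact.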
Remote Command Execution and System Control
Two other groups of vulnerabilities, CVE-2023-3939 and CVE-2023-3943, permit the execution of arbitrary commands on the device, granting attackers full control.
Attackers could use this capability to manipulate device operations or launch further attacks on other network nodes, potentially compromising an entire corporate infrastructure.
“The impact of the discovered vulnerabilities is alarmingly diverse,” warned Kiguradze, emphasizing the urgent need for security patches and thorough audits of these devices.
The Urgency of Patch Implementation
Despite the severity of these vulnerabilities, Kaspersky has noted that there is currently no accessible data on whether ZKTeco has issued the necessary patches.
This highlights the critical need for organizations using these devices to promptly assess and update their security protocols to mitigate potential risks.
“All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device’s security settings for those using the devices in corporate areas,” Kiguradze stressed.