Cybersecurity researchers at Kaspersky Lab have uncovered 24 vulnerabilities within biometric access systems manufactured by ZKTeco, a major Chinese provider. These access systems, used for facial recognition and entry control, are susceptible to a wide range of malicious attacks, putting sensitive data and physical security at risk.
Kaspersky Security Assessment experts identified multiple vulnerabilities in ZKTeco‘s white-label biometric readers, which support face recognition and QR-code authentication. These include six SQL injection vulnerabilities, seven buffer stack overflow vulnerabilities, five command injection vulnerabilities, four arbitrary file write vulnerabilities, and two arbitrary file read vulnerabilities.
Details of the most dangerous vulnerabilities
- CVE-2023-3938: One of the flaws, CVE-2023-3938, allows cybercriminals to inject malicious code into a terminal’s database via QR code, allowing unauthorized access to restricted areas.
- CVE-2023-3940: CVE-2023-3940 allows arbitrary file reading, letting attackers access sensitive biometric user data and password hashes, compromising corporate credentials.
- CVE-2023-3942: CVE-2023-3942 allows for SQL injection attacks to retrieve sensitive user and system information from biometry devices’ databases.
- CVE-2023-3941: CVE-2023-3941 allows attackers to access, steal, and remotely alter a biometric reader’s database due to improper user input verification across multiple system components. Attackers can upload personal data, add unauthorized individuals, bypass turnstiles or doors, and replace executable files, potentially creating a backdoor.
- CVE-2023-3939 – CVE-2023-3943: Two other flaws, CVE-2023-3939 and CVE-2023-3943, can be exploited to execute arbitrary commands or code on a device, granting attackers full control and enabling them to manipulate the device’s operation, launch attacks on other network nodes, and expand the offense across a broader corporate infrastructure.
Some of the impacted devices include ZkTeco-based OEM devices, including ZkTeco ProFace X, Smartec ST-FR043, and Smartec ST-FR041ME with the ZAM170-NF-1.8.25-7354-Ver1.0.0. The devices are used in various sectors, including nuclear and chemical plants, offices, and hospitals.
According to the company’s press release, Kaspersky’s senior application security specialist, Georgy Kiguradze, notes that these vulnerabilities raise concerns about the potential for deepfake and social engineering attacks.
Additionally, database alteration can weaponize devices, expose restricted areas, and even allow backdoors to covertly infiltrate other networks, facilitating cyberespionage or sabotage. This highlights the need for patching and thorough security audits for corporate users.
The vulnerabilities were proactively shared with the manufacturer before public disclosure and patches are awaited. Until a patch becomes available, organizations must identify and isolate vulnerable systems, implement multi-factor authentication, conduct regular security audits, update firmware, and temporarily remove vulnerable ZKTeco systems.
RELATED TOPICS
- China Installs Facial Recognition System in Public Toilets
- Software in the FBI’s biometric database contains Russian code
- Chinese facial recognition database tracking Muslims left exposed
- Data Leak Exposes 500 GB of Indian Police, Military Biometric Data
- Chinese Police locate suspect in a crowd of 60K with Facial Recognition