An analysis of a hybrid biometric access system from Chinese manufacturer ZKTeco has uncovered two dozen security flaws that could be used by attackers to defeat authentication, steal biometric data, and even deploy malicious backdoors.
"By adding random user data to the database or using a fake QR code, a nefarious actor can easily bypass the verification process and gain unauthorized access," Kaspersky said. "Attackers can also steal and leak biometric data, remotely manipulate devices, and deploy backdoors."
The 24 flaws span six SQL injections, seven stack-based buffer overflows, five command injections, four arbitrary file writes, and two arbitrary file reads. A brief description of each vulnerability type is below -
- CVE-2023-3938 (CVSS score: 4.6) - An SQL injection flaw when displaying a QR code into the device's camera by passing a specially crafted request containing a quotation mark, thereby allowing an attacker to authenticate as any user in the database
- CVE-2023-3939 (CVSS score: 10.0) - A set of command injection flaws that allows for execution of arbitrary OS commands with root privileges
- CVE-2023-3940 (CVSS score: 7.5) - A set of arbitrary file read flaws that allows an attacker to bypass security checks and access any file on the system, including sensitive user data and system settings
- CVE-2023-3941 (CVSS score: 10.0) - A set of arbitrary file write flaws that allows an attacker to write any file on the system with root privileges, including altering the user database to add rogue users
- CVE-2023-3942 (CVSS score: 7.5) - A set of SQL injection flaws that allows an attacker to inject malicious SQL code and perform unauthorized database operations and siphon sensitive data
- CVE-2023-3943 (CVSS score: 10.0) - A set of stack-based buffer overflow flaws that allows an attacker to execute arbitrary code
"The impact of the discovered vulnerabilities is alarmingly diverse," security researcher Georgy Kiguradze said. "To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks."
In addition, successful exploitation of the shortcomings could permit nefarious actors to gain access to otherwise restricted zones and even implant backdoors to infiltrate critical networks for cyber espionage or disruptive attacks.
The Russian cybersecurity firm, which identified the flaws following reverse engineering of the firmware (version ZAM170-NF-1.8.25-7354-Ver1.0.0) and the proprietary protocol used to communicate with the device, said it does not have any visibility into whether these issues have been patched.
To mitigate the risk of attacks, it's recommended to move biometric reader usage into a separate network segment, use robust administrator passwords, improve device security settings, minimize the use of QR codes, and keep systems up-to-date.
"Biometric devices designed to improve physical security can both offer convenient, useful features and introduce new risks for your IT system," Kaspersky said.
"When advanced technology like biometrics is enclosed in a poorly secured device, this all but cancels out the benefits of biometric authentication. Thus, an insufficiently configured terminal becomes vulnerable to simple attacks, making it easy for an intruder to violate the physical security of the organization's critical areas."