An analysis of a hybrid biometric access system from Chinese manufacturer ZKTeco has uncovered two dozen security flaws that could be used by attackers to defeat authentication, steal biometric data, and even deploy malicious backdoors.
“By adding random user data to the database or using a fake QR code, a nefarious actor can easily bypass the verification process and gain unauthorized access,” Kaspersky said. “Attackers can also steal and leak biometric data, remotely manipulate devices, and deploy backdoors.”
The 24 flaws span six SQL injections, seven stack-based buffer overflows, five command injections, four arbitrary file writes, and two arbitrary file reads. A brief description of each vulnerability type is below –
“The impact of the discovered vulnerabilities is alarmingly diverse,” security researcher Georgy Kiguradze said. “To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks.”
In addition, successful exploitation of the shortcomings could permit nefarious actors to gain access to otherwise restricted zones and even implant backdoors to infiltrate critical networks for cyber espionage or disruptive attacks.
The Russian cybersecurity firm, which identified the flaws following reverse engineering of the firmware (version ZAM170-NF-1.8.25-7354-Ver1.0.0) and the proprietary protocol used to communicate with the device, said it does not have any visibility into whether these issues have been patched.
To mitigate the risk of attacks, it’s recommended to move biometric reader usage into a separate network segment, use robust administrator passwords, improve device security settings, minimize the use of QR codes, and keep systems up-to-date.
“Biometric devices designed to improve physical security can both offer convenient, useful features and introduce new risks for your IT system,” Kaspersky said.
“When advanced technology like biometrics is enclosed in a poorly secured device, this all but cancels out the benefits of biometric authentication. Thus, an insufficiently configured terminal becomes vulnerable to simple attacks, making it easy for an intruder to violate the physical security of the organization’s critical areas.”