Hacker discovers 24 vulnerabilities in ZKTeco biometric terminal

Kaspersky Lab specialists have described the discovery of numerous vulnerabilities in a biometric terminal made by ZKTeco. The flaws could be used to bypass access control systems and physically enter protected areas, as well as to steal biometric data, modify databases and install backdoors.

The biometric readers studied by the researchers are widely used in a variety of industries around the world, from nuclear power plants and manufacturing to offices and healthcare organizations.

The devices support four methods of user authentication: biometric (using a face), password, electronic badge or QR code, and can store the biometric data of thousands of people.

One of the most serious problems was a group of SQL injection vulnerabilities (CVE-2023-3938) that allowed attackers to gain physical access to restricted areas.

Attackers can embed data in a QR code to gain access to places that cannot be entered without authorization. If the terminal processes a request containing such a malicious QR code, the database mistakenly identifies it as coming from the last authorized legitimate user. Ultimately, the attack gives the hacker the opportunity to physically enter restricted areas.
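To make the failure mode concrete, here is an added example (constructed for this article, not ZKTeco's code or schema) of a QR-token lookup written two ways: one that splices the scanned payload into the SQL text, and a hardened one that validates the token format and binds it as a parameter. The table, the `QR-NNNNNN` token format and the sample users are assumptions.

```python
import re
import sqlite3

# Constructed toy user table standing in for a terminal's database.
USERS = [(1, "QR-000101", "alice"), (2, "QR-000102", "bob")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, qr_token TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

def lookup_vulnerable(conn, qr_payload):
    # String concatenation: whatever was scanned becomes part of the SQL statement,
    # so a payload containing quotes and operators rewrites the WHERE clause and the
    # query matches a legitimate user instead of nobody.
    sql = "SELECT name FROM users WHERE qr_token = '" + qr_payload + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

# Assumed token format: reject anything else before it reaches the database.
QR_TOKEN_RE = re.compile(r"QR-\d{6}")

def lookup_hardened(conn, qr_payload):
    # 1) strict allow-list on the scanned payload
    if not QR_TOKEN_RE.fullmatch(qr_payload):
        return None
    # 2) parameterised query: the payload is bound as data, never parsed as SQL
    row = conn.execute(
        "SELECT name FROM users WHERE qr_token = ?", (qr_payload,)
    ).fetchone()
    return row[0] if row else None

def demo():
    conn = make_db()
    legit = "QR-000102"
    crafted = "x' OR '1'='1"  # constructed: makes the concatenated WHERE clause true
    return {
        "vuln_legit": lookup_vulnerable(conn, legit),      # "bob"
        "vuln_crafted": lookup_vulnerable(conn, crafted),  # "alice": access granted to a stranger
        "hard_legit": lookup_hardened(conn, legit),        # "bob"
        "hard_crafted": lookup_hardened(conn, crafted),    # None: rejected by the format check
    }

if __name__ == "__main__":
    print(demo())
```

Both the format check and the bound parameter are needed: the check stops malformed scans early and gives a clean signal to log, while the parameter binding protects the query even if the format rule is later relaxed.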

“In addition to replacing the QR code, there is another potential opportunity to “deceive” the system and gain access to closed protected areas. If an attacker gains access to a device's database, they can exploit other vulnerabilities to download a photo of a legitimate user, print it, and use it to trick the device's camera into gaining access to a secured area. This method, of course, has certain limitations. The photo must be printed or displayed on the phone screen, and the thermal sensors on the biometric terminal must be disabled. However, this method still poses a serious threat,” says Georgy Kiguradze, a cybersecurity expert at Kaspersky Lab.

Another group of vulnerabilities (CVE-2023-3940) is associated with the theft of biometric data and the installation of backdoors: a potential attacker can gain access to any file on the system and extract it. This means that attackers would have access to sensitive user biometrics and password hashes and could later compromise corporate credentials, although interpreting stolen biometrics remains extremely challenging.

Another group of vulnerabilities (CVE-2023-3941) allows changes to be made to the biometric reader's database. As a result, attackers can upload their own data (for example, photographs) into the database, add themselves to the list of authorized users, and then pass through turnstiles or doors. This group of vulnerabilities also allows executable files to be replaced, potentially making it possible to create a backdoor.

Other groups of vulnerabilities (CVE-2023-3939, CVE-2023-3943) allow the execution of arbitrary commands or code on the device, giving attackers full control with the highest level of privileges. The device can then be used to carry out attacks on other network nodes, putting the entire corporate infrastructure at risk.

In total, researchers discovered 24 vulnerabilities in ZKTeco biometric terminals:

  • 6 SQL injections;
  • 7 stack buffer overflows;
  • 5 command injections;
  • 4 arbitrary file writes;
  • 2 arbitrary file reads.

The experts grouped all the vulnerabilities they found (many of them were similar to each other because they arose from an error in one place inside the library that serves as a “wrapper” for the database) and registered them, having first reported the problems to the manufacturer.