FB pixel

Kaspersky finds critical vulnerabilities in ZKTeco biometric access control terminal

Kaspersky finds critical vulnerabilities in ZKTeco biometric access control terminal

Kaspersky says there is a set of cybersecurity vulnerabilities in biometric access control terminals from ZKTeco that could allow malicious actors to bypass verification to gain unauthorized access, steal biometric data, and even deploy backdoors to user networks.

The hybrid biometric terminal is a white-label product sold under different names by different distributors, according to Kaspersky’s announcement. It enables access control via authentication with face biometrics or QR codes. They are used in many environments, Kaspersky says, including high-security facilities like nuclear power plants, and they can store thousands of facial templates.

ZKTeco is among the largest suppliers of biometric access control hardware in the world, with subsidiaries in several countries and ties to Armatura.

Five sets of vulnerabilities, 24 in total, have been registered as Common Vulnerabilities and Exposures (CVEs) by Kaspersky. CVE-2023-3938 through CVE-2023-3943 could allow criminals to defeat or misuse ZKTeco biometric access control systems in several ways.

The first allows SQL injection attacks, which can in turn be used to impersonate the most recent legitimate user, restart the device, or in combination with other vulnerabilities, download enrolled users’ photos and reuse them for presentation attacks. ZKTeco’s terminal includes warmth detection as a defense against presentation attacks, but a Kaspersky analyst says it is still a threat with significant potential.

Another vulnerability allows attackers to read or extract any file in the system, including biometric data and password hashes. A third allows the retrieval of sensitive information on users and the system, also through SQL injections.

The biometric database can be altered by yet another vulnerability, allowing attackers to pose as legitimate users or simply add unauthorized individuals to the database. Two final groups of vulnerabilities enable attackers to execute commands and take control of the device, Kaspersky says. From there, attacks can be launched on other network nodes.

“The ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors,” comments Kaspersky Senior Application Security Specialist Georgy Kiguradze. “Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device’s security settings for those using the devices in corporate areas.”

Kaspersky recommends isolating the biometric devices in their own network segment, change default passwords and put more robust ones in place, auditing security settings like the warmth liveness detection capability, minimize the use of QR codes and update the firmware regularly.

Biometric Update reached out to ZKTeco for comment and will update this story when we hear back.

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News


SITA wraps up acquisition of Materna IPS

SITA reports it has completed all necessary regulatory and legal procedures and finalized its acquisition of Materna IPS, a provider…


Payface lands new retail biometric payments deal in Brazil

Brazilian face biometrics payments startup Payface has clinched a deal with supermarket chain Ítalo. Ítalo Supermercados, based in the southern…


EU to fund digital programs with €108m, including digital identity

The European Union has issued a new call for funding within the Digital Europe Programme (DIGITAL), allocating over 108 million…


Lawmakers try again to kill diversion of TSA screening tech funds

Because of Washington partisan politics, the U.S. Transportation Security Administration (TSA) doesn’t expect to be able to field upgraded and…


Florida tosses mDL program into the Gulf

Florida’s mobile driver’s license has been shut down, making the state a rare case in the world of a place…


FBI biometric fingerprint lab gets a party on its 100th birthday

The Federal Bureau of Investigation (FBI) is celebrating the centennial of its fingerprint lab. A release from the agency says…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events