A recent analysis of a hybrid biometric access system from Chinese manufacturer ZKTeco has uncovered significant security vulnerabilities that could potentially compromise authentication and biometric data security.
According to Kaspersky researchers, the system harbors 24 flaws, including SQL injections, buffer overflows, command injections, and arbitrary file read and write vulnerabilities.
One critical vulnerability identified, CVE-2023-3938, involves SQL injection when processing QR codes, enabling attackers to authenticate as any user by inserting specially crafted requests.
This flaw underscores the system's susceptibility to unauthorized access through manipulated data inputs. Similarly, CVE-2023-3939 and CVE-2023-3941 pose severe risks because they allow arbitrary command execution.
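The root cause behind a QR-code SQL injection is the same as in any other injection: data scanned from the code is concatenated into a query string and so is parsed as SQL. The following example is added here for illustration and is not Kaspersky's or ZKTeco's code; the `users` table, the badge format `[A-Z][0-9]{3}` and both lookup functions are hypothetical. It shows the string-built lookup next to a hardened one that validates the scanned payload and binds it as a query parameter.

```python
import re
import sqlite3

# Constructed sample credential table (hypothetical schema, not vendor data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, badge TEXT UNIQUE, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (badge, name) VALUES (?, ?)",
        [("A100", "alice"), ("B200", "bob")],
    )
    return conn

def lookup_vulnerable(conn, qr_payload):
    # The scanned payload is spliced into the SQL text, so any quote
    # characters in it change the query's structure instead of being data.
    sql = f"SELECT name FROM users WHERE badge = '{qr_payload}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

# Hypothetical badge format: one uppercase letter followed by three digits.
BADGE_RE = re.compile(r"[A-Z][0-9]{3}")

def lookup_hardened(conn, qr_payload):
    # 1) Reject anything that is not a well-formed badge identifier.
    if not BADGE_RE.fullmatch(qr_payload):
        return None
    # 2) Bind the value as a parameter; the driver never treats it as SQL.
    row = conn.execute(
        "SELECT name FROM users WHERE badge = ?", (qr_payload,)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"          # classic textbook payload
    print("vulnerable:", lookup_vulnerable(db, tautology))   # matches a user
    print("hardened:  ", lookup_hardened(db, tautology))     # None
    print("hardened:  ", lookup_hardened(db, "A100"))        # alice
```

Parameter binding alone removes the injection; the format check in front of it is defence in depth and also gives a cheap detection point: a terminal that logs rejected payloads makes malformed QR codes visible to the operator rather than silently swallowing them.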
Georgy Kiguradze, a security researcher at Kaspersky, highlighted the diverse impacts of these vulnerabilities. Stolen biometric data, he warns, could be traded on the dark web, exposing individuals to deepfake attacks.
Beyond compromising personal data, successful exploitation could grant attackers access to restricted areas and facilitate infiltration of critical networks for espionage or disruptive cyberattacks.
The vulnerabilities were discovered through reverse engineering of the system's firmware and proprietary communication protocols. Kaspersky notes that there is uncertainty regarding whether these issues have been addressed by the manufacturer.
To mitigate these risks, experts recommend segregating biometric reader networks, employing strong administrator passwords, tightening security configurations, and minimizing QR code usage.
Kaspersky underscores the dual nature of biometric devices: they offer enhanced security benefits while also introducing new vulnerabilities. Poorly secured terminals, despite their advanced technology, can negate the advantages of biometric authentication.