Connect with us

Hi, what are you looking for?

HEADLINES

Kaspersky finds 24 vulnerabilities in Chinese biometric access systems

By adding random user data to the database or using a fake QR code, a nefarious actor can easily bypass the verification process and gain unauthorized access. Attackers can also steal and leak biometric data, remotely manipulate devices, and deploy backdoors. High-security facilities worldwide are at risk if they use this vulnerable device.

Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by international manufacturer ZKTeco. By adding random user data to the database or using a fake QR code, a nefarious actor can easily bypass the verification process and gain unauthorized access. Attackers can also steal and leak biometric data, remotely manipulate devices, and deploy backdoors. High-security facilities worldwide are at risk if they use this vulnerable device.

The flaws were discovered in the course of Kaspersky Security Assessment experts’ research into the software and hardware of ZKTeco’s white-label devices.  All findings were proactively shared with the manufacturer prior to public disclosure.

The biometric readers in question are widely used in areas across diverse sectors – from nuclear or chemical plants to offices and hospitals. These devices support face recognition and QR-code authentication, along with the capacity to store thousands of facial templates. However, the newly discovered vulnerabilities expose them to various attacks. Kaspersky grouped the flaws based on the required patches, and registered them under specific CVEs (Common Vulnerabilities and Exposures).

Physical bypass via a fake QR code

Advertisement. Scroll to continue reading.

The CVE-2023-3938 vulnerability allows cybercriminals to perform a cyberattack known as SQL injection, which involves inserting malicious code into strings sent to a terminal’s database.  Attackers can inject specific data into the QR code used for accessing restricted areas. Consequently, they can gain unauthorized access to the terminal and physically access the restricted areas.

When the terminal processes a request containing this type of malicious QR code, the database mistakenly identifies it as originating from the most recently authorized legitimate user. If the fake QR code contains an excessive amount of malicious data, rather than granting access, the device restarts.

In addition to replacing the QR code, there is another intriguing physical attack vector. If someone with malicious intent gains access to the device’s database, they can exploit other vulnerabilities to download a legitimate user’s photo, print it, and use it to deceive the device’s camera to gain access to a secured area. This method, of course, has certain limitations. It requires a printed photo, and warmth detection must be turned off. However, it still poses a significant potential threat,” says Georgy Kiguradze, Senior Application Security Specialist at Kaspersky.

Biometric data theft, backdoor deployment, and other risks

CVE-2023-3940 are flaws in a software component that permit arbitrary file reading.  Exploiting these vulnerabilities grants a potential attacker access to any file on the system and enables them to extract it. This includes sensitive biometric user data and password hashes to further compromise the corporate credentials. Similarly, CVE-2023-3942 provides another way to retrieve sensitive user and system information from the biometry devices’ databases – through SQL injection attacks.

Advertisement. Scroll to continue reading.

Threat actors can not only access and steal but also remotely alter the database of a biometric reader by exploiting CVE-2023-3941. This group of vulnerabilities originates from improper verification of user input across multiple system components. Exploiting it allows attackers to upload their own data, such as photos, thereby adding unauthorized individuals to the database. This could enable them to stealthily bypass turnstiles or doors. Another critical feature of this vulnerability enables perpetrators to replace executable files, potentially creating a backdoor.

Successful exploitation of two other groups of new flaws – CVE-2023-3939 and CVE-2023-3943 – enables the execution of arbitrary commands or code on the device, granting the attacker full control with the highest level of privileges. This allows the threat actor to manipulate the device’s operation, leveraging it to launch attacks on other network nodes and expand the offense across a broader corporate infrastructure.

“The impact of the discovered vulnerabilities is alarmingly diverse. To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors. Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device’s security settings for those using the devices in corporate areas,” elaborates Georgy Kiguradze.

At the time of publishing the vulnerability information, Kaspersky lacks accessible data on whether the patches have been issued.

To thwart related cyberattacks, besides installing the patch, Kaspersky advises taking the following steps:

Advertisement. Scroll to continue reading.

·        Isolate biometric reader usage into a separate network segment.

·        Employ robust administrator passwords, changing default ones.

·        Audit and bolster device’s security settings, fortifying weak defaults. Consider enabling or adding temperature detection to avoid authorization using a random photo.

·        Minimize the use of QR-code functionality, if feasible.

Advertisement. Scroll to continue reading.
Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

Smart also sounds the alarm on criminals using ‘fake cell towers’ to bypass network defenses. The Philippine National Police had earlier called on the...

HEADLINES

According to a report, downtime and lost productivity are the most concerning business problems caused by ineffective IT security, an opinion expressed by 38%...

HEADLINES

Companies plan to increase their IT security budgets by up to 9%. The median cybersecurity budgets for large enterprises were US $5.7M with US...

HEADLINES

Globe has been a consistent advocate for a safer and more responsible digital space

HEADLINES

The attackers used a series of campaigns with novel exploits and customized malware to embed tools to conduct surveillance, sabotage and cyberespionage as well...

HEADLINES

Financial phishing attacks are rapidly increasing in the country as cybercriminals continuously evolve and adapt their tactics, making them sophisticated. The number of attacks...

HEADLINES

A Scale of Harm study by the International Justice Mission revealed that almost half a million Filipino children were trafficked to produce new child...

HEADLINES

Yondu launched an extensive, month-long cybersecurity awareness campaign focused on modern threat detection, incident response, and social engineering defense.

Advertisement