Security Concerns Over Chinese Made Biometric System Vulnerabilities

One critical flaw, CVE-2023-3938, allows cybercriminals to inject malicious code into the system’s database via a QR code, leading to unauthorised access to restricted areas

Security researchers have identified serious vulnerabilities in a biometric access system produced by Chinese manufacturer ZKTeco, casting doubt on its promised security benefits. Kaspersky researchers uncovered 24 security flaws in the system, which employs facial scans, passwords, QR codes, and electronic cards for authentication.

One critical flaw, CVE-2023-3938, allows cybercriminals to inject malicious code into the system’s database via a QR code, leading to unauthorised access to restricted areas. The system mistakenly accepts the malicious QR code as legitimate, causing the device to restart due to the data overload.

“In addition to replacing the QR code, there is another intriguing physical attack vector,” said Georgy Kiguradze, senior application security specialist at Kaspersky. “If someone with malicious intent gains access to the device’s database, they can exploit other vulnerabilities to download a legitimate user’s photo, print it, and use it to deceive the device’s camera to gain access to a secured area.”

Kiguradze noted that this method has limitations. It requires a printed photo, and the device’s warmth detection must be turned off. However, it still poses a significant threat.

Many vulnerabilities originate from errors in the database wrapper library. Researchers grouped these issues as “multiple vulnerabilities” based on their type and cause, resulting in fewer CVE designations.

The identified vulnerabilities include:
– 6 SQL injection vulnerabilities
– 7 stack buffer overflow vulnerabilities
– 5 command injection vulnerabilities
– 4 arbitrary file write vulnerabilities
– 2 arbitrary file read vulnerabilities

Another serious flaw, CVE-2023-3941, allows attackers to remotely alter the biometric reader’s database. Poor user input verification across system components enables attackers to upload unauthorised data, such as photos, adding individuals to the database. This flaw also allows the replacement of executable files, creating a potential backdoor.

CVE-2023-3940 involves software component flaws that permit arbitrary file reading, giving attackers access to sensitive biometric data and password hashes. CVE-2023-3942 enables attackers to retrieve sensitive information from the device’s databases via SQL injection.
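
As an added illustration (not Kaspersky's or ZKTeco's code), the input checks whose absence is described above could look like this for a QR credential: a size cap, a strict format check, and a parameterized database lookup. The table layout, token format, 64-byte limit and function names are assumptions, and the sample inputs are constructed.

```python
import re
import sqlite3

MAX_QR_BYTES = 64                              # assumed cap, not a ZKTeco value
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")  # assumed token alphabet

def open_demo_db():
    """In-memory stand-in for the reader's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, qr_token TEXT UNIQUE)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "A1b2C3d4E5f6"), ("bob", "Z9y8X7w6V5u4")])
    return db

def find_by_token(db, token):
    """Parameterized lookup: the token is bound as data, never spliced into SQL."""
    row = db.execute("SELECT name FROM users WHERE qr_token = ?",
                     (token,)).fetchone()
    return row[0] if row else None

def check_qr(db, raw: bytes):
    """Return (decision, detail); size and format are checked before any DB access."""
    if len(raw) > MAX_QR_BYTES:
        return ("rejected", "oversize")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("rejected", "non-ascii")
    if not TOKEN_RE.fullmatch(text):
        return ("rejected", "bad-format")
    name = find_by_token(db, text)
    return ("granted", name) if name else ("denied", "unknown-token")

if __name__ == "__main__":
    db = open_demo_db()
    # Constructed QR payloads: valid, SQL metacharacters, oversize, unknown token
    samples = [b"A1b2C3d4E5f6", b"x' OR '1'='1", b"A" * 4096, b"Q0q0Q0q0Q0q0"]
    for raw in samples:
        print(raw[:24], check_qr(db, raw))
```

Logging the "rejected" decisions separately from ordinary "denied" ones gives operators a signal that malformed or oversized QR codes are being presented to a reader.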

These findings raise concerns about the security of biometric systems and highlight the need for improved safeguards to protect against such vulnerabilities.