A recent report by Kaspersky has identified critical vulnerabilities in ZKTeco’s biometric access systems [6], posing serious risks to organizations’ security.

Description

The report highlights vulnerabilities in ZKTeco’s biometric access systems [6] that allow attackers to bypass verification [3] [5] [6], steal biometric data [1] [3] [4] [5] [6] [7], manipulate devices remotely [1] [3] [5] [6], and deploy backdoors [3] [5] [6] [7]. Specific CVEs [5], such as CVE-2023-3938 [5], enable SQL injection attacks through malicious QR codes [5]. Other flaws include physical bypass using fake QR codes, theft of biometric data [1] [3] [4] [5] [6] [7], and remote device manipulation [2] [3]. These vulnerabilities could enable deepfake attacks [7], social engineering [1] [2] [3], and cyberespionage [3] [7]. ZKTeco-based OEM devices such as the ZKTeco ProFace X and Smartec ST-FR043 are affected [6]. The impact and severity of these vulnerabilities are currently unknown, and it is unclear whether ZKTeco has released patches for them [2]. To mitigate the risk [1] [3] [5] [7], it is recommended to isolate biometric readers on a separate network [1] [7], use strong administrator passwords [1] [5] [7], update device security settings [1] [7], minimize QR code usage [7], and keep systems regularly updated.
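As an added illustration of the QR-code SQL injection class noted above (example code written for this summary, not taken from Kaspersky's report or from ZKTeco firmware; the credential table layout, the expected QR payload format and the in-memory SQLite database are assumptions), here is the flawed lookup pattern beside its hardened form:

```python
import re
import sqlite3

# Assumed QR payload format for a credential ID: short, uppercase alphanumeric.
QR_ID_PATTERN = re.compile(r"[A-Z0-9]{4,16}")


def build_db():
    """Constructed stand-in for a terminal's credential table (not ZKTeco's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE credentials (qr_id TEXT PRIMARY KEY, holder TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO credentials VALUES (?, ?, ?)",
        [("EMP0001", "alice", 1), ("EMP0002", "bob", 0)],
    )
    return conn


def lookup_vulnerable(conn, qr_payload):
    """Flawed pattern: the scanned payload is spliced into the SQL text, so any
    SQL metacharacters inside the QR code become part of the query."""
    sql = f"SELECT holder FROM credentials WHERE qr_id = '{qr_payload}' AND active = 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, qr_payload, audit_log):
    """Hardened pattern: validate the payload against the expected format before
    it reaches the database, bind it as a parameter rather than as query text,
    and record rejected scans so that tampering attempts are visible in logs."""
    if not QR_ID_PATTERN.fullmatch(qr_payload):
        audit_log.append(f"rejected malformed QR payload: {qr_payload!r}")
        return None
    row = conn.execute(
        "SELECT holder FROM credentials WHERE qr_id = ? AND active = 1",
        (qr_payload,),
    ).fetchone()
    return row[0] if row else None
```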

Conclusion

Failing to secure biometric devices could compromise physical security and leave organizations vulnerable to cyberattacks. A recent analysis of a hybrid biometric access system from ZKTeco has revealed two dozen security flaws that could be exploited by attackers [1]. To mitigate the risk of attacks [1], it is recommended to move biometric readers into a separate network segment [1] [7], use strong administrator passwords [1] [5] [7], improve device security settings [1] [7], minimize the use of QR codes [1], and keep systems up to date [1] [7]. These security flaws pose a serious threat to organizations using ZKTeco biometric terminals [4].

References

[1] https://vulners.com/thn/THN:D82E5C572BF02C9C8BD1E01991BA3A37
[2] https://backendnews.net/kaspersky-reveals-critical-flaws-in-zkteco-biometric-terminals/
[3] https://www.businesstechafrica.co.za/security/2024/06/15/kaspersky-finds-24-vulnerabilities-in-chinese-biometric-access-systems/
[4] https://www.gamingdeputy.com/hacker-discovers-24-vulnerabilities-in-zkteco-biometric-terminal/
[5] https://vsdaily.com/kaspersky-uncovers-critical-security-flaws-in-zkteco-biometric-terminals/
[6] https://www.infosecurity-magazine.com/news/kaspersky-flaws-chinese-biometric/
[7] https://thehackernews.com/2024/06/zkteco-biometric-system-found.html