Critical Vulnerabilities Discovered in ZKTeco Biometric Terminal: Kaspersky Alert
Kaspersky Uncovers Critical Flaws in ZKTeco Biometric Terminal, Posing Global Security Threat
In a recent discovery, cybersecurity experts at Kaspersky have identified multiple vulnerabilities in the hybrid biometric terminal manufactured by ZKTeco, a renowned international company. These flaws allow malicious actors to bypass the verification process, steal biometric data, remotely manipulate devices, and deploy backdoors, posing a significant threat to high-security facilities worldwide.
The vulnerabilities were uncovered during Kaspersky’s Security Assessment experts’ research into the software and hardware of ZKTeco’s white-label devices. The affected biometric readers are extensively used in various sectors, including nuclear plants, chemical facilities, offices, and hospitals, making them a prime target for cybercriminals.
One of the critical vulnerabilities, CVE-2023-3938, enables attackers to execute a SQL injection attack by inserting malicious code into the terminal’s database. This allows them to manipulate the QR code used for access, granting unauthorized entry to restricted areas. Additionally, flaws like CVE-2023-3940 and CVE-2023-3942 expose sensitive user data and system information to potential breaches.
Georgy Kiguradze, Senior Application Security Specialist at Kaspersky, warns of the diverse impact of these vulnerabilities, including the sale of stolen biometric data on the dark web and the potential for sophisticated social engineering attacks. He emphasizes the urgency of patching these vulnerabilities and auditing security settings to prevent further exploitation.
To mitigate the risk of cyberattacks, Kaspersky recommends isolating biometric readers in a separate network segment, strengthening administrator passwords, updating firmware regularly, and minimizing the use of QR code functionality. These proactive measures are crucial in safeguarding against potential threats and ensuring the security of sensitive data in corporate environments.
As the cybersecurity community awaits confirmation of patches from ZKTeco, organizations are urged to implement these security measures to protect their infrastructure from potential breaches and unauthorized access.