Kaspersky Lab has found vulnerabilities in a popular biometric terminal from the Chinese manufacturer ZKTeco, which could allow criminals to physically enter restricted areas or steal biometric data, the company's specialists reported. ZKTeco has a network of large customers - from fast food chains to car manufacturers and logistics providers.
A total of 24 vulnerabilities were discovered. One of them, for example, allows you to gain access to confidential biometric data and encrypted passwords of users. In the future, this could lead to the compromise of corporate credentials. At the same time, Kaspersky Lab notes that interpreting stolen biometric data remains a challenge for criminals.
Other vulnerabilities make it possible to change the biometric reader database. Kaspersky Lab gives an example of uploading your own photos there - this will allow unauthorized addition to the list of authorized users and passing through turnstiles or gates. “This group of vulnerabilities also allows you to replace executable files, which potentially makes it possible to create backdoors (doors for unauthorized access)“, experts warn.
There are other vulnerabilities that are similar to these - they allow you to gain physical access to restricted areas by embedding data in a QR code. Attackers can insert their information into it and the database mistakenly identifies the malicious QR code as coming from the last authorized legitimate user. Kaspersky Lab notes that these are not all vulnerabilities.
The company specified that it provided ZKTeco with all information about the discovered vulnerabilities. The manufacturer has not yet commented on this.