A popular ZKTeco biometric terminal has critical vulnerabilities, including an SQL injection flaw via QR codes. This discovery raises serious concerns about the security of widely used biometric access control systems.
All About Biometric Terminal
Biometric terminals use unique human traits like fingerprints, facial features, voice, or iris patterns for identification and access control, according to a SecureList report.
These terminals are used in sensitive areas like server rooms, executive offices, and hazardous facilities such as nuclear power plants and chemical plants. They track employees’ work hours to boost productivity and reduce fraud.
Benefits and Downsides
Advantages of Biometric Terminals:
- Highly Accurate Identification: Unique biometric data makes for reliable verification.
- Security: Difficult to forge or copy, enhancing system security.
- User-Friendly: No need for passwords or access cards.
- Efficiency: Quickly processes large amounts of data, reducing wait times.
Downsides of Biometric Terminals:
- Cost: More expensive than traditional systems.
- Risk of Error: Misidentification can occur with damaged fingertips or anomalies.
- Privacy Concerns: Concerns about data being stored and used without consent.
- Technological Limitations: Methods like facial recognition can be less effective in low light or with masks.
The ZKTeco hybrid biometric terminal supports facial recognition, passwords, electronic passes, and QR codes for authentication.
The device includes RJ45, RS232, and RS485 interfaces, allowing connection to other scanners and authentication methods.
All about vulnerability
The security analysis revealed several vulnerabilities:
QR Code SQL Injection: The device is vulnerable to SQL injection attacks through QR codes, allowing attackers to gain unauthorized access with a malicious QR code.
Buffer Overflow: The device exhibited several buffer overflow vulnerabilities caused by inadequate handling of user input.
Unencrypted Firmware: The firmware lacks encryption, simplifying extraction and analysis for potential attackers.
Weak Authentication: The device’s authentication mechanism was insufficient, as the default password was set to 0, allowing for easy brute-force attacks.
Exploitation and Impact:
The vulnerabilities enable attackers to:
- Bypass Authentication: Gain unauthorized physical access to secure areas.
- Leak Biometric Data: Extract sensitive biometric data from the device.
- Network Access: Gain access to the device’s network and use it for further attacks.
The discovery of these vulnerabilities in a widely-used biometric terminal emphasizes the need for robust security measures during design and deployment.
While biometric terminals offer enhanced security and efficiency, they also introduce new risks that require careful management.
Organizations should ensure proper configuration and regular updates of these devices to mitigate potential security threats.
Leave A Comment