24 bugs in Chinese biometric device can compromise data

New Delhi : Researchers have identified 24 vulnerabilities in the hybrid biometric terminal produced by Chinese manufacturer ZKTeco.

According to the cybersecurity company Kaspersky, by adding random user data to the database or using a fake QR code, a threat actor can easily bypass the verification process and gain unauthorised access. Attackers can also steal and leak biometric data, remotely manipulate devices, and deploy backdoors.

High-security facilities worldwide are at risk if they use this vulnerable device, researchers warned. "In addition to replacing the QR code, there is another intriguing physical attack vector. If someone with malicious intent gains access to the device’s database, they can exploit other vulnerabilities to download a legitimate user’s photo, print it, and use it to deceive the device’s camera to gain access to a secured area," said Georgy Kiguradze, Senior Application Security Specialist at Kaspersky.

As per the researchers, the biometric readers in question are widely used in areas across diverse sectors such as nuclear or chemical plants to offices and hospitals. These devices support face recognition and QR-code authentication, along with the capacity to store thousands of facial templates.

All findings were proactively shared with the manufacturer before public disclosure, the researchers mentioned. "All the factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device's security settings for those using the devices in corporate areas,” said Kiguradze.