Biometric Security Vulnerabilities Uncovered: Authentication Risks in the Spotlight

June 12, 2024

Biometric security systems are becoming increasingly popular in various sectors, from law enforcement to commercial industries. However, the discovery of two dozen vulnerabilities in a biometric terminal manufactured by ZKTeco has raised concerns about the potential risks of unauthorized access, malware deployment, and biometric data theft. These devices, which use face scans and QR codes for security, are used worldwide to protect corporate and critical premises.

The vulnerabilities discovered fall into several categories, including SQL injection and improper validation of user input. Particularly concerning are bugs like CVE-2023-3940 and CVE-2023-3942, which allow attackers to view and extract files, including users' biometric data and password hashes. Other vulnerabilities, such as CVE-2023-3939 and CVE-2023-3943, enable privileged command execution. A striking example is CVE-2023-3938, where an attacker can embed malicious data in a QR code to perform a SQL injection. This allows the attacker to gain access to restricted areas by tricking the terminal into recognizing them as a recently authorized user.
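The bug class behind the QR-code finding, in miniature. This is an added, constructed example, not ZKTeco's code, protocol or schema: a scanned QR payload is looked up in a badge table once by string concatenation (the vulnerable pattern) and once with format validation plus a bound parameter (the hardened pattern). The eight-hex-digit token format is a hypothetical assumption.

```python
import re
import sqlite3

# Constructed sample data standing in for a terminal's user database.
# (Not ZKTeco's real schema; the token format below is an assumption.)
SAMPLE_USERS = [("A1B2C3D4", "alice"), ("E5F6A7B8", "bob")]


def make_db():
    """Build an in-memory badge table populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (qr_token TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, qr_payload):
    """Concatenate the scanned QR text straight into the SQL statement.

    Whatever the QR code contains becomes part of the query, so a payload
    with SQL metacharacters changes the WHERE clause instead of being
    compared against stored tokens. Returns the matched name or None.
    """
    sql = f"SELECT name FROM users WHERE qr_token = '{qr_payload}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Hypothetical token format: exactly eight upper-case hex digits.
TOKEN_RE = re.compile(r"\A[0-9A-F]{8}\Z")


def lookup_hardened(conn, qr_payload):
    """Allow-list the payload format, then bind it as a query parameter.

    The regex rejects anything that is not a well-formed token before it
    reaches the database, and the placeholder guarantees the value is
    treated as data, never as SQL. Returns the matched name or None.
    """
    if not TOKEN_RE.match(qr_payload):
        return None
    row = conn.execute(
        "SELECT name FROM users WHERE qr_token = ?", (qr_payload,)
    ).fetchone()
    return row[0] if row else None
```

A payload that flips the vulnerable lookup into a tautology is simply discarded by the hardened one, which is the behaviour an access terminal needs from its scanner path.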

Despite these risks, experts argue that a biometric data leak is not as severe as other types of personal data leaks. Georgy Kiguradze, a senior application security specialist at Kaspersky, stated, "It was quite astonishing to find a substantial number of SQL-injection vulnerabilities in the binary protocol used for transmitting control commands to the device." He also found vulnerabilities in the QR code reader embedded within the device’s camera, an unexpected location for such flaws.

Another vulnerability, CVE-2023-3941, allows an intruder to access and remotely alter the machine's biometric database, enabling them to add their own face to the system. It remains unclear whether ZKTeco has addressed these vulnerabilities. The devices are used in sensitive environments worldwide, such as nuclear and chemical plants and hospitals, highlighting the critical need for robust security measures.

Kiguradze's recommendations for enhancing security include isolating a biometric reader on a separate network segment, implementing robust administrator passwords, and replacing any default credentials. He also advised conducting thorough audits of the device’s security settings and changing any default configurations.

While there have been recent security breaches, experts believe there are ways to protect databases with hardware security modules and advanced encryption technologies. They also suggest that organizations unsure about biometrics could consider scaling back their use or ensuring they are not the sole protection mechanism. The challenge lies in ensuring any additional safeguards do not detract from the user experience, a key selling point of biometrics.

Experts argue that biometrics are fundamentally safer than other forms of authentication, despite the data being stored and protected in the same way. iProov founder and CEO Andrew Bud clarified a common misconception, stating, "A password is good because it's secret. But a face is not a secret in the modern world... What makes a face or any other kind of biometric so very valuable is not that it's confidential, but that the genuine article is unique. You can steal my password, but you cannot steal my face." This suggests that while biometric data leaks may be concerning, they are not necessarily catastrophic.
