Hidden dangers of biometric authentication devices

Based on our analysis of ZKTeco vulnerabilities, we dissect the risks associated with biometric authentication.

24 vulnerabilities of ZKTeco biometric terminals, and how to implement biometrics safely

Organizations are adopting biometric authentication to optimize access control and to add a primary or auxiliary authentication factor for accessing corporate information systems. Biometrics are perfect for the job: such data can’t be forgotten like a password, or lost like a keypass, and is very hard to forge. Security no longer has to deal with lost or forgotten cards, and the IT security team doesn’t need to come up with OTP systems. However, there are a number of “buts” to consider when evaluating such implementations:

  • Risks associated with storing and processing biometric information (regulated by law in many countries);
  • Practical difficulties related to false positives and negatives (strongly dependent on the type of biometrics and means of verification);
  • Risks of authentication bypass;
  • Risks of cyberattacks through vulnerabilities in the biometric terminal.

The first two points are usually covered by security personnel, but the rest are often underestimated. Yet, as our in-depth study of popular ZKTeco biometric terminals shows, by no means are they far-fetched. These terminals were found to harbor 24 vulnerabilities that allow threat actors to effortlessly bypass authentication, hijack the device, read or modify the list of users, download their photos and other data, and exploit access to the device to develop an attack on the corporate network. Here’s how attackers can use these vulnerabilities.

ZKTeco terminal

ZKTeco terminal

QR code instead of a face

The biometric terminal model studied by our experts can store a database of users locally and authenticate them in one of several ways: password, QR code, face photo biometrics, or electronic pass. As it turned out, simply scanning a QR code containing the trivial SQL injection is enough to validate authentication on the device and open the doors. And if too much data is embedded in the QR code, the terminal reboots. To carry out these attacks, an attacker only needs to approach the device with a phone or even a paper card.

Insecure network access

The terminal can be managed either locally or over the network using SSH or a proprietary network protocol using the TCP port 4370. The protocol requires authentication, but the procedure’s implementation contains serious errors. The password is an integer from 0 to 999999, which is easy to brute-force, and its default value is, of course, zero. The message authentication code (MAC) uses reversible operations, making it easy to analyze network traffic and, if necessary, recover the password through it. SSH access is available to root and zkteco users whose passwords could be recovered through accessing the device memory.

Device hijacking

The manufacturer provides the ability to access user data remotely, download photos, upload new users, and so on. Given the insecure implementation of the proprietary protocol, this creates a risk of personal data leakage, including biometrics. Threat actors can also add third parties to the database and exclude legitimate employees.

On top of that, errors in processing protocol commands give attackers even more options, such as injecting Unix shell system commands into image processing commands and reading arbitrary system files on the terminal, right down to the password-containing /etc/shadow.

What’s more, buffer overflow vulnerabilities in the firmware update command allow arbitrary code execution on the device. This creates attractive opportunities for attackers to expand their presence in the network. Since the biometric terminal will have no EDR agent or other security tools, it’s well suited for reconnaissance operations and routing traffic between compromised devices — if, of course, the terminal itself is connected to the internal network without additional restrictions.

How to reduce the risks of attacks through biometric terminals

ZKTeco devices are used worldwide under different brand names. If the devices in the illustration look like those in your office, it’s worth updating the firmware and scrutinizing the settings to make them more secure. Either way, various flaws in biometric terminals need to be taken into account regardless of the specific manufacturer. We recommend the following measures:

  • Choose a biometric terminal supplier carefully. Conduct preliminary analysis of previously known vulnerabilities in its equipment and the time taken to eliminate them. Request information about the supplier’s software engineering practices, giving preference to manufacturers that use a secure development lifecycle (SDL). Also request a detailed description of how information is stored, including biometrics.
  • Master the equipment settings and use the most secure configuration. We recommend disabling unnecessary and insecure authentication methods as well as unused services and features. Change all default credentials to strong and unique passwords for all biometric terminal administrators and users.
  • Physically block unnecessary connectors and interfaces on the terminal to eliminate certain attack vectors.
  • Include terminals in update and vulnerability management processes.
  • Isolate the network. If terminals are connected to the local network and linked to a management server, we recommend moving them to a separate physical or virtual subnet (VLAN) to rule out access to terminals from regular computers and servers, and vice versa. To configure access, we advise using a privileged access workstation isolated from regular network activity.
  • Consider telemetry from terminals as a source of information for the SIEM system and other deployed monitoring tools.