Researchers with Kaspersky Lab disclosed a number of vulnerabilities in a popular brand of biometrics scanners.
The security firm disclosed a total of six CVE vulnerability entries regarding code injection flaws in hardware from ZkTeco. By loading QR codes with command line code, attackers can force authentication hubs to execute instructions that would otherwise be off limits.
While the research focused on ZkTeco specifically, the Kaspersky crew said that the findings suggest a larger possibility for serious security flaws in biometrics and authentication hardware.
“Biometric scanners offer a unique way to resolve the conflict between security and usability,” the researchers wrote.
“They help to identify a person by their unique biological characteristics — a fairly reliable process that does not require the user to exert any extra effort. Yet, biometric scanners, as any other tech, have their weaknesses.”
In this case, the flaws in question related to code injection. In practice an attacker could create a fake QR code in order to access the device itself and then use the compromised hardware to get into the main database and wreck further havoc with medical records and personal details.
The hackers’ proof-of-concept loaded a QR code with additional commands that would grant the attacker with privileges otherwise locked off from ordinary users. Once the device scanned the poisoned code, they would have full access to the network, including possible access to a healthcare provider’s medical records database.
Kaspersky Labs' Georgy Kiguradze painted a nightmare picture which, under the right circumstances, an attacker could gain the ability to pull off a breach reminiscent of "Mission: Impossible."
“If someone with malicious intent gains access to the device’s database, they can exploit other vulnerabilities to download a legitimate user’s photo, print it, and use it to deceive the device’s camera to gain access to a secured area,” Kiguradze, a senior application security specialist, said.
Making matters worse, Kaspersky said that many of the biometric authentication devices containing the vulnerabilities are not marketed under a specific brand, but rather are marketed as white-brand devices that carry the label of another company.
A patch for the flaws has been issued and administrators are advised to update as soon as possible, though that might be easier said than done.
“The biometric readers in question are widely used in areas across diverse sectors – from nuclear and chemical plants to offices and hospitals,” said Kaspersky.
