JAKARTA - Kaspersky Security Assessment experts have identified many vulnerabilities in hybrid biometric terminals produced by international manufacturer ZKTeco.

The global cybersecurity company also said it had reported the vulnerabilities to ZKTeco in advance, before the findings were made public.

The devices support facial recognition and QR code authentication and can store thousands of face templates. However, Kaspersky found several flaws that make them vulnerable to various attacks.

Physical bypass via fake QR code

The CVE-2023-3938 vulnerability allows cybercriminals to carry out an attack known as SQL injection. Attackers can embed specific data in the QR code used to access restricted areas.

As a result, they can obtain unauthorized access to the terminal and physically access the restricted area. If a fake QR code contains excessive amounts of malicious data, instead of granting access, the device will restart.
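The following is an added example, not code from Kaspersky or ZKTeco, showing the class of flaw described above and a hardened lookup that bounds the scanned data and binds it as a query parameter. The table layout, function names, length cap and credential alphabet are all assumptions made for illustration.

```python
import re
import sqlite3

MAX_QR_LEN = 32                          # assumed cap; the real credential length is device-specific
QR_FORMAT = re.compile(r"[A-Za-z0-9]+")  # assumed credential alphabet

def make_db():
    """Constructed in-memory table standing in for a terminal's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, qr_token TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'A1B2C3D4')")
    return db

def lookup_weak(db, qr_data):
    """Weak pattern: scanned text is concatenated into the SQL statement."""
    sql = "SELECT name FROM users WHERE qr_token = '" + qr_data + "'"
    return db.execute(sql).fetchone()

def lookup_hardened(db, qr_data):
    """Bound the size, allow-list the format, then bind the value as a parameter."""
    if len(qr_data) > MAX_QR_LEN or not QR_FORMAT.fullmatch(qr_data):
        return None                      # rejected before the database sees it
    sql = "SELECT name FROM users WHERE qr_token = ?"
    return db.execute(sql, (qr_data,)).fetchone()

def door_opens(lookup, qr_data):
    """True when the given lookup function matches the scan to a stored user."""
    return lookup(make_db(), qr_data) is not None

# Constructed scan contents used to compare the two lookups.
CONSTRUCTED_SCANS = {
    "valid": "A1B2C3D4",
    "unknown": "ZZZZ9999",
    "quote_breakout": "x' OR '1'='1",
    "oversized": "A" * 100_000,
}
```

The size check runs before any parsing or database work, so an oversized scan is dropped at the input boundary instead of reaching code that may not handle it.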

"If someone with malicious intent gains access to a device database, they can exploit other vulnerabilities to download legitimate user photos, print them, and use them to scam device cameras into getting access to secure areas," said Georgy Kiguradze, Senior Application Safety Specialist at Kaspersky.

Theft of biometric data, deployment of backdoors, and other risks

CVE-2023-3940 is a weakness in a software component that allows arbitrary file reading. Exploiting it gives attackers access to any file on the system and allows them to extract it.

This includes sensitive biometric user data and password hashes, which can be used to further compromise corporate credentials. By exploiting CVE-2023-3941, threat actors can not only access and steal data but also remotely alter the biometric reader's database.

"The impact of the vulnerabilities found is very diverse. Attackers can sell stolen biometric data on the dark web, thus exposing affected individuals to an increased risk of deepfake attacks and sophisticated social engineering," explained Georgy.

In addition, some vulnerabilities allow backdoor placement to secretly infiltrate other corporate networks, thereby facilitating the development of sophisticated attacks, including cyber espionage or sabotage.

