Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by international manufacturer ZKTeco.
By inserting arbitrary user records into the device's database or presenting a forged QR code, an attacker can bypass the verification process and gain unauthorized access.
Attackers can also steal and leak biometric data, remotely manipulate devices, and deploy backdoors. High-security facilities worldwide that rely on this vulnerable device are at risk.
The flaws were discovered in the course of Kaspersky Security Assessment experts’ research into the software and hardware of ZKTeco’s white-label devices.
All findings were proactively shared with the manufacturer prior to public disclosure.
The biometric readers in question are widely deployed across diverse sectors, from nuclear and chemical plants to offices and hospitals.
These devices support face recognition and QR-code authentication, along with the capacity to store thousands of facial templates.
However, the newly discovered vulnerabilities expose them to a range of attacks. Kaspersky grouped the flaws according to the patches required to fix them and registered them as CVEs (Common Vulnerabilities and Exposures).