According to cybersecurity company Kaspersky, a threat actor can easily bypass the verification process and gain unauthorized access by adding random user data to the database or by using a fake QR code. Attackers can steal and leak biometric data, remotely manipulate devices, and deploy backdoors.

Researchers have warned that high-security facilities around the world are at risk if they use this vulnerable tool. "In addition to altering the QR code, there is another interesting physical attack vector. If someone with malicious intentions gains access to the device's database, they can download the legitimate user's photo, print it, and trick other users. Vulnerabilities can be exploited in the device's camera to gain access to a protected area," said Georgy Kiguradze, senior application security specialist at Kaspersky.

According to the researchers, biometric readers are widely used in various sectors, ranging from nuclear or chemical plants to offices and hospitals. These devices support facial recognition and QR-code authentication, and they can store thousands of facial templates.

The researchers noted that all findings were proactively shared with the manufacturer prior to public disclosure. “All factors underline the need to address these vulnerabilities and thoroughly audit device security settings for those using devices in corporate areas,” Kiguradze said.