Kaspersky Uncovers Major Flaws in ZKTeco Biometric Access Systems

Kaspersky has uncovered severe vulnerabilities in biometric access systems produced by Chinese manufacturer ZKTeco, posing significant risks to high-security facilities worldwide.

Cybersecurity firm Kaspersky has uncovered severe vulnerabilities in biometric access systems produced by Chinese manufacturer ZKTeco, posing significant risks to high-security facilities worldwide. These vulnerabilities could allow attackers to bypass security measures and compromise sensitive data, according to a recent report by Kaspersky.

The vulnerabilities were detected during a comprehensive security assessment of ZKTeco’s hybrid biometric terminals by Kaspersky’s experts. These devices, which are used globally in sectors ranging from nuclear plants to hospitals, rely on facial recognition and QR code authentication and have the capacity to store thousands of facial templates. However, Kaspersky’s findings reveal that the security measures in these devices are critically flawed.

Vulnerability Details

One of the key vulnerabilities involves the injection of malicious data into the QR codes used for authentication. An attacker could create a fake QR code to gain unauthorized access to the system. The terminal, upon processing a request with this malicious QR code, mistakenly grants access by recognizing it as the most recently authenticated legitimate user. This flaw allows intruders to potentially access restricted areas by exploiting the system’s QR code mechanism.

Additionally, the biometric readers can be manipulated through physical attacks. If a malicious actor gains access to the device’s database, they could download and print a legitimate user’s photo. This printed photo could then be used to deceive the device’s camera and gain access, especially if warmth detection is disabled. Although this method requires physical manipulation and has limitations, it poses a significant security risk.

Data Theft and System Manipulation

Kaspersky also found that attackers could exploit these vulnerabilities to gain access to any file within the system, allowing them to extract sensitive biometric data and password hashes. This capability extends beyond mere unauthorized access; it enables attackers to steal and potentially sell biometric data on the dark web, increasing the risk of deepfake applications and sophisticated social engineering attacks.

The ability to remotely alter the biometric reader’s database adds another layer of threat. Attackers could manipulate the database to include unauthorized users or modify existing credentials, further compromising security and potentially granting access to high-security areas.

Recommendations for Mitigation

In response to these findings, Kaspersky has shared proactive measures to mitigate the risks associated with these vulnerabilities. They recommend isolating biometric readers on separate network segments to minimize exposure and employing robust administrator passwords, changing the default ones provided by the manufacturer.

Kaspersky also suggests enabling temperature detection to prevent the misuse of printed photos and advises minimizing or disabling QR code functionality if feasible. Regular firmware updates are crucial to patch known vulnerabilities and enhance overall security.


These newly discovered vulnerabilities in ZKTeco’s biometric access systems highlight the pressing need for improved security measures in biometric authentication devices. The potential for unauthorized access and data theft poses a serious threat to high-security facilities worldwide. Kaspersky’s recommendations aim to enhance protection and mitigate risks, but the broader implications underscore the necessity for rigorous security assessments in biometric technology deployment.

Kaspersky’s findings have been shared with ZKTeco before the public disclosure to encourage timely remediation and safeguard affected systems. As the use of biometric systems continues to expand across critical sectors, ensuring robust security against evolving threats remains imperative.