At present, timekeeping machines integrate magnetic lock can be taken advantage by hackers. According to recent research, these vulnerabilities were exploited for remote access to sensitive personal information such as name, department, fingerprint, pin code, and so on. The hackers then inactivate the machine, even implanting malicious codes for other schemes.

Timekeeping machines are widely used in organizations and enterprises today.

Timekeeping machines have advanced features that can be integrated with the magnetic door to perform automatic closing and opening. But if these devices are controlled and modified, will the security gateway be safe enough to protect your organization?

Previous analysis conducted by researchers at Infobyte Security Research Labs and independent research in the world have shown that timekits manufactured by ZKSoftware/ ZKTeco (based in Shenzhen, China) includes the ZMM100, ZEM500, ZEM510,… contains security vulnerabilities in different levels, listed below:

  • The default Telnet port (23 / TCP) is opened and if the hacker is fortunate enough to log into the system with the factory default accounts, listed below:
The default account of the manufacturer can be used by hackers to gain access to the machine.
  • Device Administration Page (80/TCP, 8080/TCP) contains information about device, versions, feature menus. Any Anonymous user can access this page to control, change the settings of the device without any authentication. From this, it is possible to conclude that the LOGIN function and the SESSION test are completely useless.
  • At the same time, on the administration page, Anonymous users can directly download two backup files of the device (* .dat) including Backup to System (device.dat) and Backup to User Data (user.dat). Hackers can even perform the “Restore Backup” feature.
  • Sensitive data such as IP addresses, versions, configurations, and device administrator passwords are easily accessed and downloaded from the administration site itself when accessing the options.cfg page without any authentication steps.
  • The Web Server also provides a SOAP API that allows hackers to download user lists in their timekeeping device and password (of course, without authentication).
  • When you have all the information about the Linux kernel, the administrator account, Shell access port. The hacker easily performs the right enhancement, configuration change, and software installation.
Timekeeping machine management interface.

Some identified vulnerabilities and the risks to the organization that hackers may exploit:

  • Access to leaked sensitive information of users and administrators;
  • With this information, the attackers will easily disable the security gates, to make unauthorized access to the organizations;
  • Perform localized malware installed as a springboard for spreading and hijacking your organization through your local network (Compression on the network, attacks on local servers, Man-in-the-middle attacks,…). Typically, these timekeeping machines are housed in the same network area and internal server, so that it is easy to update the information of the HR department;
  • Make changes to sound information and images in order to threaten the organization, causing discredit.

More dangerously, for some foolish reasons, these timekeeping devices are Public Internet. CyRadar made some statistics through the Shodan tool to look at the number of devices at risk of being the victim of an attacker. In Vietnam there are about 1003 equipment distributed mainly in Ho Chi Minh City, Hanoi, Hai Phong, Da Nang, Can Tho – where many enterprises and industrial parks are located. Worldwide, there are 11,209 units distributed in Indonesia, Vietnam, Egypt, Israel, Taiwan (Vietnam takes the second place).

Vietnam ranks the second in the list of devices at risk of being the victims of the attackers.

This easily led to two broad-based attack scenarios:

  • A large computer botnet can be formed to perform denials of service attacks – DDoS;
  • Virtual money code will be deployed, resulting in flooding. This is similar to malicious code attacks on security camera devices in recent years.

To overcome these vulnerabilities, organizations should plan the timekeeping devices into a private network area that is completely separate from the local host area, not allowing Incoming and Outgoing Internet connections to the device. This also makes changes to the default password. Take a closer look at the vendor’s home page to check and update the firmware version that is appropriate for your device.

Harry Ha – CyRadar

Related posts: