The Facial Recognition Terminal Nobody Audited
How a common access control device used in businesses and schools fails completely open.
Facial recognition terminals are showing up everywhere — office lobbies, school entrances, gym check-ins, apartment buildings, warehouses. They’re sold as modern access control: employees or students scan their face instead of swiping a badge. The pitch is efficiency and security. The reality is that most of the people responsible for buying and installing these devices have no idea what’s actually running inside them — and neither do the students, employees, or visitors handing over their biometric data. I pulled one of these terminals onto an isolated lab network to find out. The device was marketed under one brand name, but inside it was a generic Chinese OEM platform sold under dozens of different names at every price point. What I found was a device that had no meaningful security at any layer.
Service enumeration with nmap to map every open port, then manual assessment of each one: the web management interface, an open telnet service, a backend service referenced in JavaScript source, and an RTSP video endpoint. Client-side JavaScript source review revealed credentials and stream paths that the device had no business exposing. Each finding fed the next — standard methodology for building a complete compromise chain.
The web interface accepted factory default credentials with no lockout and no rate limiting — but that barely mattered, because a publicly documented authentication bypass (CVE-2021-33044) returned the full admin dashboard with zero credentials whatsoever. The login page shipped a hardcoded encryption key in plaintext JavaScript, visible to any browser without authentication. The algorithm was Triple DES — cryptographically broken and deprecated by NIST since the 1990s. The device also exposed a fully unauthenticated RTSP video stream: any device on the same network could open it silently, with no credentials, no log entry, and no indication to anyone that the feed was being accessed. This is a facial recognition terminal. It was actively scanning and recording faces. Anyone on the network could watch that in real time. Telnet was open on port 23, transmitting everything in cleartext. An undocumented service on port 5000 was listening with unknown purpose. The full compromise chain — from discovery to live biometric video feed — required zero credentials. These findings apply to any network this class of device is placed on: a school, a medical office, a corporate lobby, an apartment complex.
These terminals are routinely purchased by facilities managers and IT teams who have no way to assess what’s inside them. The hardware is almost always a generic OEM platform — the same chipset family behind the Mirai botnet — rebadged and resold under hundreds of brand names. A higher price tag does not mean better security. Any organization using facial recognition for access control should treat these devices as untrusted by default: isolated VLAN, no internet access, egress filtering, and active monitoring of every outbound connection. Better yet, ask the vendor for a third-party security assessment before the device ever touches a network with students or employees on it.