A security research team has revealed that it was able to access more than one million fingerprint records, stored without protection and without encryption, as well as facial recognition information held in the database of a biometric access control system used by the Metropolitan Police.
Combined with personal data, usernames and passwords, the potential for criminal activity and fraud is massive, the vpnMentor team said in its research report, adding that once stolen, fingerprint and facial recognition information cannot be recovered, which could affect the people involved for the rest of their lives.
The research paper details the findings on BioStar 2, a web-based biometric security smart locking platform that uses facial recognition and fingerprint technology to identify users.
BioStar 2 is developed by the biometric access control company Suprema, which recently integrated BioStar 2 into its AEOS access control system, used by more than 5,700 organisations in 83 countries, including large multinationals, small businesses, governments, banks and the United Kingdom's Metropolitan Police.
The vpnMentor researchers discovered that the BioStar 2 Elasticsearch database was unprotected and mostly unencrypted. They were able to search the database by manipulating the search criteria passed to the Elasticsearch search engine.
The data exposure was discovered on August 5, 2019 and Suprema was contacted two days later, but access to the system was blocked only a week later, on August 13, after numerous attempts to contact the company, the researchers said.
According to the research report, the vpnMentor team was able to access more than 27.8 million records, a total of 23 gigabytes of data, which included access to customer administration panels, dashboards, back-end controls and permissions; fingerprint data; facial recognition information and user images; unencrypted usernames, passwords and user IDs; details about employees; and mobile device information.
"One of the most surprising aspects of this leak was how insecure the passwords of the accounts we were accessing were. Many accounts had ridiculously simple passwords, such as 'Password' and 'abcd1234'. It's hard to imagine that people still don't realise how easy this makes it for a hacker to access their account," the research paper said.
The researchers said that the insecure way in which BioStar 2 stored this information was "worrying", considering its importance and the fact that BioStar 2 is built by a security company.
"Instead of saving a hash of the fingerprint (which cannot be reverse engineered), they are saving the actual fingerprints of people, which can be copied for malicious purposes."
"By gathering all the data found in the leak, criminals of all kinds could use this information for various illegal and dangerous activities," the researchers warned.
The research report says that the creators of BioStar 2 did not take "basic security precautions", such as better protecting the system, saving hashed versions of fingerprints, implementing appropriate access control rules in databases and requiring strong authentication.
A spokesman for the Metropolitan Police told the BBC that it was verifying whether the force was one of the organisations affected, while the Information Commissioner's Office (ICO) said it was aware of reports about BioStar 2 and would be making enquiries.
"The large amount of confidential personal information that has potentially been exposed to cybercriminals as a result of Suprema's poor cybersecurity practices is disturbing," said Piers Wilson, head of product management at Huntsman Security.
"Such basic errors, which include not encrypting data and making administrator passwords easily accessible, are easy to avoid, and measures should have been taken to better protect systems. In addition, biometric data must be secured at the highest level; once it is breached, there is no way to change it. If a fingerprint is stolen, that person's personal biometric data will be compromised for life.
"This discovery is just another example of why cybersecurity must be taken more seriously in all companies. To better deal with this problem, cybersecurity must become a boardroom-level issue, where every part of the business has a real understanding of the risk," he said.
Supply chain weakness
John Sheehy, director of strategic security services at IOActive, said the discovery underscores the importance of supply chain security.
"The fact is, the more secure an organisation itself is, the more attractive the organisation's supply chain becomes in the mind of the attacker, and that is never more true than for a government, a bank or a police force," he said.
An attacker generally looks for the easiest way into the network, Sheehy said, so it is often a supplier with an exploitable vulnerability that provides full access to the original target's network.
"Most of the threat actors facing organisations today are very smart. They know that they don't really need to pull off a sophisticated and complex supply chain trick to wreak havoc on a network, steal data or intellectual property, or cause catastrophic damage.
"All they really need to do is look for weaknesses, such as plain-text passwords, unpatched servers, unencrypted data and systems, or send a simple phishing email.
"That is why, if you are not protecting your own network against basic threat actors, doing your due diligence to patch properly, and holding your suppliers accountable for securing their own networks and encrypting data, you have no hope of protecting yourself against nation-states or more capable threat actors," he said.
Rohit Ghai, president of RSA Security, said database leaks ultimately originate from human error on the part of the company that manages the database.
"Because they are generally not malicious, they can be difficult to prevent without a very complete digital risk management program that provides the same level of monitoring of internal threats as external threats.
"In addition to this, the scenario highlights the importance of third-party risk and security assessments as data flows through the digital ecosystem of organizations," he said.
Security monitoring of biometric data
Guy Bunker, CTO of security firm Clearswift, said that when biometrics first appeared as a method of authentication, little thought was given to how the systems could be compromised.
"However, unlike a password, it is not so easy to change fingers, eyes and face. With the increased use of biometrics, protecting the data against replacement was also too often overlooked. Replacement is where you have access to the back-end storage and can easily put 'your' details in place of the target's and then become them, to access whatever is required.
"In this particular incident, almost every possible problem with biometrics that could occur actually has. In doing so, data from thousands of organisations around the world, as well as more than one million people, has been compromised. The 'fix' will not be quick or easy, so during that time the potential for further fraud and malicious behaviour is very high," he said.
For companies not immediately affected by this discovery, Bunker said there is an immediate need to verify whether they are using any type of biometrics.
"What you need to know is whether the biometric data is stored in a 'raw' form or whether it has been transformed. By way of analogy, passwords used to be stored in clear (readable) form; today they are encrypted (transformed), and it is virtually impossible to reverse engineer a secure password.
"Biometric data needs the same thing to happen: raw data must be transformed through encryption, so that it cannot be reverse engineered. In addition, the systems containing this data must be protected, including monitoring, against mass changes or updates to biometric records. Signs of this happening can be an indicator of compromise.
"Unfortunately, an event like this is needed for organizations to understand some of the risks they have with solutions they didn't know or had previously ignored," he said.
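One practical form of the monitoring Bunker describes is to alert when a single account writes to an unusual number of biometric records in a short window. The following is an added example, not code from the article or from Suprema: the audit-log format, field names and sample lines are constructed assumptions, and the sliding-window detector is a generic approach that would apply to any access control system's audit trail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed audit-log lines (assumed format; not BioStar 2's real log layout).
# Two routine enrolments by HR, then one account rewriting six templates in seconds.
SAMPLE_LOG = """\
2019-08-10T08:00:01Z actor=hr.enroll action=TEMPLATE_UPDATE subject=u1001 src=10.0.1.20
2019-08-10T09:15:40Z actor=hr.enroll action=TEMPLATE_UPDATE subject=u1002 src=10.0.1.20
2019-08-10T09:16:02Z actor=hr.enroll action=LOGIN subject=- src=10.0.1.20
2019-08-10T02:13:05Z actor=admin action=TEMPLATE_UPDATE subject=u2001 src=203.0.113.9
2019-08-10T02:13:06Z actor=admin action=TEMPLATE_UPDATE subject=u2002 src=203.0.113.9
2019-08-10T02:13:07Z actor=admin action=TEMPLATE_UPDATE subject=u2003 src=203.0.113.9
2019-08-10T02:13:09Z actor=admin action=TEMPLATE_UPDATE subject=u2004 src=203.0.113.9
2019-08-10T02:13:10Z actor=admin action=TEMPLATE_UPDATE subject=u2005 src=203.0.113.9
2019-08-10T02:13:12Z actor=admin action=TEMPLATE_UPDATE subject=u2006 src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) actor=(\S+) action=(\S+) subject=(\S+) src=(\S+)$")
BIOMETRIC_WRITES = {"TEMPLATE_CREATE", "TEMPLATE_UPDATE", "TEMPLATE_DELETE"}


def parse(lines):
    """Parse log text into (timestamp, actor, action, subject, src) tuples, oldest first."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not allowed to crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return sorted(events)


def detect_bulk_template_changes(lines, window_seconds=60, threshold=5):
    """Return one alert per (actor, source) whose largest burst of biometric
    record writes inside any window of window_seconds reached the threshold."""
    recent = defaultdict(deque)  # (actor, src) -> writes still inside the window
    peak = {}                    # (actor, src) -> largest burst observed so far
    for ts, actor, action, subject, src in parse(lines):
        if action not in BIOMETRIC_WRITES:
            continue
        key = (actor, src)
        q = recent[key]
        q.append((ts, subject))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop writes that fell out of the window
        if len(q) > peak.get(key, {"count": 0})["count"]:
            peak[key] = {"actor": actor, "src": src, "count": len(q),
                         "subjects": sorted({s for _, s in q}),
                         "start": q[0][0].isoformat(), "end": ts.isoformat()}
    return [p for p in peak.values() if p["count"] >= threshold]
```

Feeding real audit records into `parse` is the only change needed to run this against a live system; the threshold should sit well above the site's normal enrolment rate.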
Tamara Quinn, a partner at international legal practice Osborne Clarke, said companies must also consider the risks that arise from implementing facial recognition systems, since they must take appropriate measures to comply with the law.
"Facial recognition and video surveillance are covered by a complex web of regulations that is not easy to navigate, and there is also a reputational risk if companies are not seen to be taking privacy seriously," she said, noting that under the General Data Protection Regulation (GDPR), the use of biometric data, such as facial recognition systems, is covered by stricter protection than ordinary personal data.
"For many companies, this means that they may need to obtain the consent of each person scanned and show that these people were fully informed and gave their consent freely, without pressure or penalty for not participating.
"With the ICO promising to pay more attention to private organisations that use facial recognition systems covering public areas, companies must now act to ensure that their software does not breach the law. And this may include reassessing the use of external cameras with views of the street, public parking or other common spaces.
"In addition to ensuring that their systems comply with strict legal requirements, companies should examine their contracts with the external suppliers of these systems to ensure they have strong legal protection," she said.