Internet privacy researchers have found a huge, publicly exposed database of unencrypted biometric fingerprint data from thousands of organizations in numerous countries. The vpnMentor researchers discovered that they could access the databases of Suprema's BioStar 2 physical access control system, and found more than 1 million fingerprint records, as well as facial recognition data, according to a blog post.
In addition to biometrics, the breach exposed personal information and unencrypted usernames and passwords, according to researchers Noam Rotem and Ran Locar. Their team was able to access 27.8 million records and 23 gigabytes of data, none of which appears to have been securely controlled. The researchers also point out that numerous simple and unsecured passwords were found among the exposed credentials. Unlike passwords, however, compromised biometric data cannot be changed.
The breach was discovered on August 5, the vendor was contacted on August 7, and the breach was closed on August 13.
The researchers were able to find administrator account credentials and to change or add database entries, which raises the possibility that a malicious actor has taken advantage of the gap to enter biometrically protected buildings or rooms, as well as other systems.
Rotem told The Guardian that Suprema is far from the only company with vulnerable data online.
"It's very common. There are literally millions of open systems, and going through them is a very tedious process," he said. "And some of the systems are quite sensitive."
"Mistakes happen, and the real test is how you handle them," adds Rotem.
BioStar 2 was recently integrated with the Nedap AEOS access control system, which serves the UK's Metropolitan Police, large multinational companies, governments and banks.
Suprema's chief marketing officer, Andy Ahn, told The Guardian that the company has conducted an "in-depth assessment" of the breach report.
"If there has been a definitive threat to our products and/or services, we will take immediate action and make appropriate announcements to protect our customers' valuable businesses and assets," says Ahn.
In a statement sent by email to Biometric Update, Ahn said that "Suprema Inc. is aware of the reports in the press about its BioStar 2 platform and the alleged unauthorized access to data involving vpnMentor. The Company takes any report of this nature seriously. It is investigating the allegations in the press reports and will keep in touch with appropriate third parties and/or individuals as necessary. At this stage, it cannot comment further, but, if applicable, will issue a press statement in due course, including corrections of any erroneous statements in the reports to date."
Digital Barriers CEO Zak Doffman writes in an article for Forbes that providing biometric information to a large number of organizations creates risks, and that what is actually needed is "some kind of unified platform" to limit the number of instances of stored biometric data, with access by other parties "as a service".
Updated at 3:35 pm on August 15, 2019 with a statement from Suprema.