Security researcher finds facial recognition company left database exposed online without authentication

Dutch security researcher Victor Gevers with the GDI Foundation discovered this week that a Chinese facial recognition company left its database exposed online, revealing information about millions of people, CNET reports.

Shenzhen-based SenseNets was founded in 2015 and offers face recognition, crowd analysis and personal verification.

Gevers discovered yesterday that one of SenseNets’ MongoDB databases had been left exposed online without authentication. The database contained more than 2.5 million records on people, including names, ID card numbers, ID card issue date, ID card expiration date, sex, nationality, home addresses, dates of birth, photos, employer and GPS coordinates for locations where SenseNets’ facial recognition technology had spotted them.

Gevers also revealed that in the last 24 hours more than 6.8 million GPS coordinates were recorded, noting that anyone would be able to use these records to track a person’s movements based on SenseNets’ real-time facial recognition. The researcher found that there were 1,039 unique devices tracking people across China and that logged locations include police stations, hotels, tourism spots, parks, internet cafes and mosques.

The GDI Foundation warned SenseNets about the open database, which has been available since July.

According to IHS Markit research, cities around the world spent $3 billion on city surveillance in 2017, and the market will grow at an average annual rate of 14.6 percent to 2021. China is the biggest market for security equipment in city surveillance, taking up a two-thirds share.

Article Topics

biometrics  |  China  |  data protection  |  facial recognition  |  privacy  |  SenseNets Technology  |  surveillance