Millions of unencrypted biometric fingerprint and face records exposed to web; Suprema responds
Internet privacy researchers have found a huge database of publicly exposed, unencrypted biometric fingerprint and facial images from thousands of organizations in numerous countries. Researchers from vpnMentor discovered they could access databases for the BioStar 2 physical access control system from Suprema, and found more than 1 million fingerprint records as well as facial recognition data, according to a blog post.
In addition to biometrics, the security breach exposed personal information and unencrypted usernames and passwords, according to researchers Noam Rotem and Ran Locar. Their team was able to access 27.8 million records, totaling 23 gigabytes of data, none of which appears to have been securely hashed. The researchers also note that many simple and insecure passwords were found among the exposed credentials. Unlike the passwords, however, the unhashed biometric data cannot be changed once exposed.
The breach was discovered on August 5, the vendor was contacted on August 7, and the breach was closed on August 13.
The researchers were able to find credentials for administrator accounts, and also to change or add entries to databases, raising the possibility that a malicious actor could have leveraged the breach to break into biometrically protected buildings or rooms, as well as other systems.
Rotem told The Guardian that Suprema is far from the only company with vulnerable data online.
“It’s very common. There’s literally millions of open systems, and going through them is a very tedious process,” he said. “And some of the systems are quite sensitive.”
“Mistakes happen, and the real test is how you handle them,” Rotem adds.
BioStar 2 was recently integrated with the AEOS access control system by Nedap, which serves the UK Metropolitan Police, large multinational enterprises, governments and banks.
Suprema Head of Marketing Andy Ahn told The Guardian the company has undertaken an “in depth evaluation” of the breach report.
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn says.
In an emailed statement to Biometric Update, Ahn said that “Suprema Inc. is aware of the reports in the press regarding its BioStar 2 platform and the alleged unauthorized access to data involving vpnMentor. The Company takes any report of this nature very seriously. It is investigating the allegations in the press reports and will liaise with any appropriate third parties and/or individuals as necessary. At this stage, it cannot make any further comment but will, if appropriate, issue a further press statement in due course, including corrections of any erroneous assertions in the reports to date.”
Digital Barriers CEO Zak Doffman writes in an article for Forbes that providing biometric information to a large number of organizations creates risk, and what is needed is actually “some kind of unified platform” to limit the number of instances of stored biometric data, with other parties gaining access to it “as a service.”
Updated at 3:35 pm on August 15, 2019 with a statement from Suprema.