12:37 GMT, 20 January 2021

    A host of sensitive personal data, including the fingerprints of over one million people, facial recognition information, and unencrypted usernames and passwords, was discovered on a publicly accessible database belonging to Suprema, a biometric technology company whose products are used by police forces, defence contractors and banks.

    The firm’s flagship Biostar 2 biometrics lock system allows centralised control for access to secure facilities such as warehouses, office buildings and the like, using fingerprints and facial recognition to identify individuals seeking access - in July, the platform was integrated into access control system AEOS, which is used by almost 6,000 organisations in 83 countries, and applies to around 1.5 million locations the world over.

    Last week, however, Israeli security research firm vpnmentor, which reviews virtual private network services for speed, security, support, and features, found Biostar 2’s database was unprotected and mostly unencrypted, granting them access to almost 28 million personal records and 23 gigabytes of data including admin panels, dashboards, fingerprint data, facial recognition data, users’ headshots, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.

    It has now published a damning report on the gaping hole in the system’s defences, warning criminals “of all kinds” could use the information for “varied illegal and dangerous activities”.

    “Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can’t be undone. The unsecured manner in which Biostar 2 stores this information is worrying, considering its importance, and the fact that Biostar 2 is built by a security company. Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes,” the report states.

    It goes on to note the firm’s researchers were even able to change data and add new users, meaning they could edit an existing user’s account, add their own fingerprints, then have access to whatever building the individual is authorised to enter – hackers could thus potentially create entire libraries of bogus fingerprints to enter secure locations without being detected. They would also have access to activity logs, so could delete or alter data to conceal their activities. 

    The authors also suggest fingerprint data theft is “particularly concerning” given fingerprints are replacing typed passwords on many consumer items, such as smartphones - as most fingerprint scanners on consumer goods are unencrypted, if a hacker can replicate fingerprints, they can gain access to all private information stored on a device, such as messages, photos, and payment methods.

    “This leak could have been easily avoided had the makers of Biostar 2 taken basic security precautions. While the information we found could still have made it into the hands of criminal hackers, we suggest Biostar 2 and Suprema secure servers with better protection measures, don’t save the actual fingerprints of users, implement proper access rules on databases and never leave a system that doesn’t require authentication open to the internet,” the report concludes.
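Two of the report's recommendations, not storing recoverable secrets and keeping access logs that an intruder cannot silently edit, can be shown in code. The following Python is an added example and is not code from the article, vpnmentor or Suprema; the usernames, door names and events in it are constructed. It contrasts a plaintext credential record with a salted scrypt hash, and builds a hash-chained facility access log where editing an earlier entry breaks the chain. It also shows the case the chain alone does not catch: dropping the newest entries leaves the chain internally consistent, which is why the head digest has to be anchored somewhere the log writer cannot modify. The hashing part applies to the usernames and passwords the article says were stored unencrypted; fingerprint and face templates are matched approximately, so a plain cryptographic hash of them is not a drop-in replacement and this example does not claim to cover them.

```python
import copy
import hashlib
import hmac
import json
import os

# --- Credentials -----------------------------------------------------------
# Constructed illustration of the pattern the report criticises: the stored
# record holds the password itself, so anyone who can read the table owns it.
def store_plaintext(username: str, password: str) -> dict:
    return {"user": username, "password": password}

# Hardened form: keep only a per-user random salt and a scrypt digest.
# The password cannot be recovered from the record, and equal passwords
# produce different records because the salts differ.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}

def store_hashed(username: str, password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex()}

def verify_password(record: dict, password: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

# --- Facility access log ---------------------------------------------------
GENESIS = "0" * 64  # digest assumed for "the entry before the first one"

class AccessLog:
    """Append-only log where each entry commits to the previous entry's digest."""

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        # canonical JSON so the same event always hashes the same way
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.head()
        self.entries.append(
            {"event": event, "prev": prev, "digest": self._digest(prev, event)}
        )

    def head(self) -> str:
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def verify_chain(self) -> bool:
        # recompute every link; any in-place edit of an earlier entry fails here
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

def demo() -> dict:
    log = AccessLog()
    log.append({"user": "alice", "door": "warehouse-1", "result": "granted"})
    log.append({"user": "mallory", "door": "warehouse-1", "result": "granted"})
    anchor = log.head()  # in practice: exported to a store the log writer cannot modify

    # Tampering 1: rewrite who an earlier entry says walked through the door
    edited = copy.deepcopy(log)
    edited.entries[0]["event"]["user"] = "eve"

    # Tampering 2: delete the newest entry to hide the last visit
    truncated = copy.deepcopy(log)
    truncated.entries.pop()

    return {
        "intact": log.verify_chain() and log.head() == anchor,
        "edit_detected_by_chain": not edited.verify_chain(),
        "truncation_detected_by_chain": not truncated.verify_chain(),  # False: chain still consistent
        "truncation_detected_by_anchor": truncated.head() != anchor,
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `anchor` value stands in for whatever external record (a write-once store, a periodic signed export, a separate logging host) holds the latest head digest; without it, a database exposed without authentication lets an intruder rewrite the whole chain from scratch as easily as a single row, which is the access-rules point the report makes.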

    It’s just the latest major operational security failing to be uncovered by vpnmentor – recently, the firm’s ‘hacktivists’ discovered an unprotected Microsoft database which included information on the number of people living in a household and their full names, marital status, income bracket, age and more, which impacted up to 65 percent of US households. 

