The Biostar 2 system is used by governments, banks, and the UK police.
What you need to know
- Two Israeli security researchers discovered an unencrypted Biostar 2 database with 23GB worth of data
- Included in the data were fingerprints, facial scans, usernames, passwords, and other personal information of over 1 million people.
- The vulnerability has now been closed and the company is doing an in-depth evaluation of the information.
Last week, Israeli security researchers Noam Rotem and Ran Locar discovered a mostly unencrypted publicly accessible Biostar 2 database online. The database included fingerprints, facial scans, usernames and passwords, and personal information of over 1 million people.
Biostar 2 is a biometrics lock system developed by the security company Suprema that integrates with the AEOS access control system. The AEOS just happens to be used in 83 countries worldwide and 5,700 organizations, including governments, banks, and the UK Metropolitan
Rotem and Locar happened upon this database during a side project with vpnmentor where they scan "ports looking for familiar IP blocks, and then use these blocks to find holes in companies' systems that could potentially lead to data breaches."
After the pair found Biostar 2's database, they were able to search the database and manipulate URLs to gain access to the data.
The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
Speaking to the Guardian, Rotem said most of the usernames and passwords were unencrypted and they were able to also change data and add new users into the system.
In the paper about the discovery provided to the Guardian before being published by vpnmentor on Wednesday, the researchers said they were able to access data from co-working organizations in the US and Indonesia, a gym chain in India and Pakistan, a medicine supplier in the United Kingdom, and a car parking space developer in Finland, among others.
What makes this even more dangerous, is the researchers pointed out that the database includes people's fingerprints. That means the fingerprint can be copied and used by others, instead of storing a hash of the fingerprint which cannot be reverse-engineered.
Rotem and Locar made multiple attempts to contact Suprema before sending their paper to the Guardian late last week, and as of Wednesday morning, the vulnerability has been fixed. The head of marketing at Suprema, Andy Ahn, told the Guardian that the company is doing an "in-depth evaluation" of the information and:
If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers' valuable businesses and assets.
We've all seen the news stories about security breaches, and more than likely you've been the victim of one of these in the past. It usually requires you to change your password, but when it comes to your biometric data, you can't just change your fingerprint or face.