A major breach has been discovered in a biometric and password security system that is used by banks, the police and defense contractors around the world.
Over 1 million fingerprints, unencrypted usernames and passwords, facial recognition data, and employees’ personal information were found in a publicly accessible database.
The biometric lock system, known as Biostar 2, is run by the security company Suprema. Last month, it was announced that Biostar 2 would be integrating with AEOS, an access control system used by almost 6,000 organisations across 83 countries. Its clientele includes governments and public services.
Finding the flaw
The breach in Biostar 2 was discovered by Israeli researchers Noam Rotem and Ran Locar, who were working on behalf of the virtual private network service vpnMentor. By manipulating the URL search criteria of the system’s Elasticsearch database, they explored its contents and found that the information held by the security system was mostly unencrypted and unprotected.
In the course of their investigation, Rotem and Locar found that they had access to 23 gigabytes of data and 27.8 million records, including fingerprints, photos, dashboards, usernames, and admin panels.
Speaking to the Guardian, Rotem said: “We were able to find plain-text passwords of administrator accounts,” adding: “The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even.”
Rotem also described how he was able to manipulate the stored information for his own ends.
“We [were] able to change data and add new users,” he said.
By changing the data, the researchers were able to add their own fingerprint or photo to an existing user account, which would grant them that account’s physical access rights.
He went on to tell the Guardian that they had been able to obtain data from various companies around the world.
What does this mean for security?
The particular worry behind this type of flaw, Rotem and Locar added, is that a compromised password can be changed, but a compromised fingerprint or face cannot.
In a write-up on the topic, they argue: “Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.”
Although the investigators say they have tried to contact Suprema numerous times, the security company has not yet responded.