A Major Breach In Biometrics Security Database

Uploaded on 2019-09-02 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Over a million fingerprints and other sensitive data have been shown to be exposed online by a biometric security firm vpnMentor who disclosed that they had found the highly sensitive data on a security tool. 

Researchers working with vpnMentor say they accessed data from a security tool called BioStar 2 was first discovered on 5th August and the breach has now been closed. 

The leaked data includes detailed personal information of employees and unencrypted usernames and passwords, giving hackers access to user accounts and permissions at facilities using BioStar 2. BioStar 2 is used by thousands of companies worldwide, including the UK's Metropolitan Police, to control access to specific parts of secure facilities. Malicious agents could use this to hack into secure facilities and manipulate their security protocols for criminal activities. 

This is a huge leak that endangers both the businesses and organisations involved, as well as their employees. 

Fingerprints, facial recognition and other personal information from Biostar 2 discovered on publicly accessible database. As well as fingerprint records, the researchers say they found photographs of people, facial recognition data, names, addresses, passwords, employment history and records of when they had accessed secure areas.

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, was discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.

Suprema is ihe security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. BioStar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings. Last month, Suprema announced its BioStar 2 platform was integrated into another access control system, AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.

The Israeli security researchers Noam Rotem and Ran Locar working with vpnMentor,a service that reviews virtual private network services, have been running a side project to scans ports looking for familiar IP blocks and then use these blocks to find holes in companies’ systems that could potentially lead to data breaches.

The researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.

The researchers then found they had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.

They were able to access data from co-working organisations in the US and Indonesia, a gym chain in India and Sri Lanka, a medicine supplier in the United Kingdom, and a car parking space developer in Finland, among others. The sheer scale of the breach is alarming because the service is in 1.5m locations across the world and because, unlike passwords being leaked, when fingerprints are leaked, you can’t change your fingerprint.

Supply chain vulnerabilities, where a company uses a third-party company for a service that doesn’t have appropriate security, was common but often some of the vulnerabilities discovered were with Fortune 500 companies. 

Rotem said he contacts around three or four companies per week with similar issues. “Mistakes happen, and the real test is how you handle them,” Rotem said. “If you have a security team that can respond quickly and efficiently it’s good enough. If you have a security team that will send a legal team to threaten you, well, it’s less efficient.....this happens quite a lot. It’s unpleasant for someone to point out you have a vulnerability or weakness. Some people take it as an opportunity to fix it and some people are offended by it for some reason.”

Guardian:      BBC:       vpMentor:

You Might Also Read:

GDPR Requires Better Methods Of Authentication:

Your Next Bank Card is a Finger-Scanner:


 

« US Cyber Attack Disabled Iran’s Ability To Target Shipping
Cyber Weapons Could Create Devastation Comparable To A Nuclear Strike »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cortado Mobile Solutions

Cortado Mobile Solutions

Cortado Mobile Solutions is the manufacturer of the mobile device management solution Cortado MDM.

World Wide Technology (WWT)

World Wide Technology (WWT)

WWT is a technology solution provider in the areas of big data, collaboration, computing and cloud, mobility, networking, security and storage.

Silverfort

Silverfort

Silverfort introduces the first security platform enabling adaptive authentication and identity theft prevention for sensitive user, device and resource throughout the entire organization.

miniOrange

miniOrange

miniOrange is a cloud and on-premise based identity and access management (IAM) solution provider.

Maximus Consulting (MX)

Maximus Consulting (MX)

Maximus designs and delivers corporate-wide information security management system with our full-time IRCA Accredited consulting team.

Vilnius Tech Park

Vilnius Tech Park

The region‘s most complex and integrated ICT hub, Vilnius Tech Park aims to attract and unite innovative talent from big data, cyber security, smart solutions, fintech and digital design.

Cyber Security Cloud (CSC)

Cyber Security Cloud (CSC)

Cyber Security Cloud provides web application security services worldwide using world's leading cyber threat intelligence and AI technology.

Ensighten

Ensighten

Ensighten is a leader in Website Security & Privacy Compliance. Protect your website from malicious attacks, monitor & detect vulnerabilities, protect consumer data.

ISARR

ISARR

The ISARR software platform - your bespoke Risk, Resilience & Security Management solution. Simple, cost effective and adaptable, now and into the future.

Trail of Bits

Trail of Bits

Trail of Bits combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.

Securix

Securix

SECURIX AG delivers holistic IT security solutions that are tailored to the specific challenges and requirements of your company.

Veriti

Veriti

Veriti is a unified security posture management platform that integrates with your security solutions and proactively identifies and remediates potential risks and misconfigurations.

Anura

Anura

The world’s most accurate ad fraud solution protects your web assets by eliminating bots, malware and human fraud, ensuring your content is seen by real people.

Downdetector

Downdetector

Downdetector helps people all over the world understand disruptions to vital services such as the internet, social media, web hosting platforms, banks, games, entertainment, and more.

Post-Quantum Cryptography Alliance (PQCA)

Post-Quantum Cryptography Alliance (PQCA)

The alliance seeks to address cryptographic security challenges posed by quantum computing by producing high-assurance software implementations of standardized algorithms.

Seiber

Seiber

Seiber are a UK based Cyber Security company who provide consultancy and training services. Our objective is to stop bad things happening to good people.