A Major Breach In Biometrics Security Database

Uploaded on 2019-09-02 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Over a million fingerprints and other sensitive data have been shown to be exposed online by a biometric security firm vpnMentor who disclosed that they had found the highly sensitive data on a security tool. 

Researchers working with vpnMentor say they accessed data from a security tool called BioStar 2 was first discovered on 5th August and the breach has now been closed. 

The leaked data includes detailed personal information of employees and unencrypted usernames and passwords, giving hackers access to user accounts and permissions at facilities using BioStar 2. BioStar 2 is used by thousands of companies worldwide, including the UK's Metropolitan Police, to control access to specific parts of secure facilities. Malicious agents could use this to hack into secure facilities and manipulate their security protocols for criminal activities. 

This is a huge leak that endangers both the businesses and organisations involved, as well as their employees. 

Fingerprints, facial recognition and other personal information from Biostar 2 discovered on publicly accessible database. As well as fingerprint records, the researchers say they found photographs of people, facial recognition data, names, addresses, passwords, employment history and records of when they had accessed secure areas.

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, was discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.

Suprema is ihe security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. BioStar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings. Last month, Suprema announced its BioStar 2 platform was integrated into another access control system, AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.

The Israeli security researchers Noam Rotem and Ran Locar working with vpnMentor,a service that reviews virtual private network services, have been running a side project to scans ports looking for familiar IP blocks and then use these blocks to find holes in companies’ systems that could potentially lead to data breaches.

The researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.

The researchers then found they had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.

They were able to access data from co-working organisations in the US and Indonesia, a gym chain in India and Sri Lanka, a medicine supplier in the United Kingdom, and a car parking space developer in Finland, among others. The sheer scale of the breach is alarming because the service is in 1.5m locations across the world and because, unlike passwords being leaked, when fingerprints are leaked, you can’t change your fingerprint.

Supply chain vulnerabilities, where a company uses a third-party company for a service that doesn’t have appropriate security, was common but often some of the vulnerabilities discovered were with Fortune 500 companies. 

Rotem said he contacts around three or four companies per week with similar issues. “Mistakes happen, and the real test is how you handle them,” Rotem said. “If you have a security team that can respond quickly and efficiently it’s good enough. If you have a security team that will send a legal team to threaten you, well, it’s less efficient.....this happens quite a lot. It’s unpleasant for someone to point out you have a vulnerability or weakness. Some people take it as an opportunity to fix it and some people are offended by it for some reason.”

Guardian:      BBC:       vpMentor:

You Might Also Read:

GDPR Requires Better Methods Of Authentication:

Your Next Bank Card is a Finger-Scanner:


 

« US Cyber Attack Disabled Iran’s Ability To Target Shipping
Cyber Weapons Could Create Devastation Comparable To A Nuclear Strike »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Exodus Intelligence

Exodus Intelligence

Exodus Intelligence are an industry leading provider of exclusive zero-day vulnerability intelligence, exploits, defensive guidance, and vulnerability research trends.

ISACA Conferences

ISACA Conferences

ISACA is dedicated to offering the most dynamic and inclusive conferences to keep you abreast of the latest advances in IT and Information Security.

Wooxo

Wooxo

Wooxo provides business security and continuity solutions to protect business data for organisation of all sizes.

Galvanize

Galvanize

Galvanize is a leading provider of award-winning, cloud-based security, risk management, compliance, and audit software for some of the world’s largest organizations.

TeachPrivacy

TeachPrivacy

TeachPrivacy provides computer-based privacy and data security training that is engaging, memorable, and understandable.

TechGuard Security

TechGuard Security

TechGuard Security was founded to address national cyber defense initiatives and US critical infrastructure security.

Asoftnet

Asoftnet

Asoftnet are specialists in IT security, IT forensics, IT service, websites, applications and mobile solutions.

Kippeo Technologies

Kippeo Technologies

Kippeo is a security systems integrator providing innovative solutions that look at all the parameters and connect all the dots.

Savanti Consulting

Savanti Consulting

Savanti provides practitioner-led cyber security services tailored to meet each organisation’s unique requirements.

Cyberstarts

Cyberstarts

Cyberstarts’ vision is to become the leading platform for amazing teams of entrepreneurs to solve the next big problems of the cybersecurity world.

Keeper Security

Keeper Security

Keeper is a leading enterprise password manager and cybersecurity platform for preventing password-related data breaches and cyberthreats.

CloudWave

CloudWave

CloudWave, the expert in healthcare data security, provides cloud, cybersecurity, and managed services to healthcare organizations.

Concorde Technology Group

Concorde Technology Group

Concorde Technology Group is one of the UK’s leading IT support and services providers, delivering cost-effective and innovative IT solutions to businesses across the country.

Schellman

Schellman

Schellman is a leading provider of attestation and compliance services.

Blue Bastion

Blue Bastion

Don’t give cybercriminals the chance to find weaknesses in your company’s cyber security system. Defend your institution from all attacks from all directions with Blue Bastion.

AuditBoard

AuditBoard

AuditBoard is the leading cloud-based platform transforming audit, risk, ESG, and InfoSec management.