Fingerprint and facial recognition data was available on a publicly accessible database
Nothing surprises me anymore.
Today brought to light very concerning news regarding user security – this time in the form of fingerprint and facial recognition data.
According to a report in The Guardian, the fingerprints of over 1 million people, facial recognition data, unencrypted usernames and passwords, and the personal information of employees were found on a publicly reachable database. The company responsible is Suprema.
Suprema is a security company that makes the web-based Biostar 2 biometric access control system. Biostar 2 lets people enter buildings using their fingerprints or facial recognition in place of keys or cards.
What makes the exposure worse is that last month Suprema announced it was integrating another access control system, AEOS, into its Biostar 2 platform. AEOS is used by 5,700 organizations in 83 countries, including governments, banks, and the UK Metropolitan Police.
The exposed database was found by Israeli security researchers Noam Rotem and Ran Locar, working with vpnMentor, a service that reviews virtual private network providers.
While running a search last week, the researchers found that Biostar 2's database was an Elasticsearch instance that was neither access-controlled nor encrypted. Because Elasticsearch exposes its search API over HTTP, they could query the data simply by changing the search criteria in the request URL, with no credentials required.
In total, the researchers had access to over 27.8 million records and 23 GB of data, including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearances, and personal details of staff.
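To make the two points above concrete, here is an added example (not code from Suprema, vpnMentor or The Guardian) of the check a practitioner would run against their own cluster: it asks an Elasticsearch endpoint for its index list without credentials, runs a search through the `?q=` URL parameter the way the researchers did, and flags fields whose names suggest plaintext credentials or biometric templates. The `/_cat/indices` and `/<index>/_search?q=` routes are standard Elasticsearch REST API paths; the index name `biostar-users`, the field names, the `SENSITIVE_FIELDS` markers and the in-process mock server are constructed for offline demonstration and are not taken from the real system.

```python
"""Check whether an Elasticsearch REST endpoint answers anonymously, and what it exposes.

Added example, not the vendor's or the researchers' code. The mock cluster at the bottom is
constructed so the check runs offline; point probe_elasticsearch() at a real base URL to use it.
"""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Crude substring markers for field names that should never be readable in clear text
# from an unauthenticated endpoint (assumed list, tune it for your own schema).
SENSITIVE_FIELDS = ("password", "fingerprint", "face", "biometric")


def probe_elasticsearch(base_url: str, timeout: float = 5.0) -> dict:
    """Classify an endpoint by how it answers an unauthenticated /_cat/indices request."""
    result = {"status": "unreachable", "indices": []}
    url = base_url.rstrip("/") + "/_cat/indices?format=json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            rows = json.load(resp)
    except urllib.error.HTTPError as exc:
        # 401/403 means the security plugin (or a proxy in front) is asking for credentials.
        result["status"] = "auth-required" if exc.code in (401, 403) else f"http-{exc.code}"
        return result
    except (urllib.error.URLError, OSError):
        return result
    result["status"] = "open"  # anonymous read access: everything in the cluster is exposed
    result["indices"] = [row["index"] for row in rows]
    return result


def search_by_url(base_url: str, index: str, query: str, size: int = 10, timeout: float = 5.0) -> list:
    """Run a query-string search (the ?q= URL parameter) and return the matching _source docs."""
    params = urllib.parse.urlencode({"q": query, "size": size})
    url = f"{base_url.rstrip('/')}/{urllib.parse.quote(index)}/_search?{params}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = json.load(resp)
    return [hit["_source"] for hit in body["hits"]["hits"]]


def sensitive_fields(docs: list) -> set:
    """Return the document field names that look like credentials or biometric data."""
    found = set()
    for doc in docs:
        for key in doc:
            if any(marker in key.lower() for marker in SENSITIVE_FIELDS):
                found.add(key)
    return found


# --- constructed mock cluster: /open/... answers anonymously, /secured/... demands credentials ---
_MOCK_INDICES = [{"index": "biostar-users", "docs.count": "2"}]
_MOCK_DOCS = [
    {"username": "admin", "password": "hunter2", "fingerprint_template": "<base64>"},
    {"username": "alice", "password": "letmein", "face_image": "<base64>"},
]


class _MockES(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("/secured/"):
            self._reply(401, {"error": "missing authentication credentials"})
        elif self.path.startswith("/open/_cat/indices"):
            self._reply(200, _MOCK_INDICES)
        elif self.path.startswith("/open/biostar-users/_search"):
            self._reply(200, {"hits": {"hits": [{"_source": d} for d in _MOCK_DOCS]}})
        else:
            self._reply(404, {"error": "not found"})

    def _reply(self, code, payload):
        data = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):  # keep the demo output quiet
        pass


def demo() -> dict:
    """Start the mock cluster, probe both endpoints, and return what each one exposes."""
    server = HTTPServer(("127.0.0.1", 0), _MockES)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    root = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        open_probe = probe_elasticsearch(root + "/open")
        docs = search_by_url(root + "/open", "biostar-users", "password:*") if open_probe["status"] == "open" else []
        secured_probe = probe_elasticsearch(root + "/secured")
    finally:
        server.shutdown()
        server.server_close()
    return {"open": open_probe, "open_sensitive": sensitive_fields(docs), "secured": secured_probe}


if __name__ == "__main__":
    print(demo())
```

The "open" result is the situation described above: the index list and every document come back to an anonymous HTTP client, and the only thing standing between an attacker and plaintext admin passwords is knowing the URL. An Elasticsearch node that is reachable from the internet should return `auth-required` to this probe; if it returns `open`, treat everything in it as already disclosed.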
Rotem stated, "We were able to find plain-text passwords of administrator accounts." He added, "The access allows, first of all, seeing millions of users are using this system to access different locations and see in real-time which user enters which facility or which room in each facility, even."
He also said that they could edit an existing user's account, add their own fingerprint to it, and then access whatever building that user is authorized to enter.
We don’t want to bore you with the specifics so if you wish to read more you can do so here.