Over 1 million people have had their fingerprints, facial recognition data, unencrypted usernames and passwords, and other personal data exposed. All of this information was publicly accessible in a database belonging to a company called Suprema, whose products are used by the UK Metropolitan Police, defense contractors and banks.
Suprema makes Biostar 2, a biometric lock and access control system. The company had previously announced that Biostar 2 was integrated into another access control system called AEOS, which in turn is used by 5,700 organizations in 83 countries, many of them government agencies.
Unfortunately, the system was not as secure as had initially been assumed. Israeli researchers Noam Rotem and Ran Locar discovered the flaw during a routine network scan last week – by simply manipulating the URL search criteria, they were able to reach Biostar 2’s database and gain access to almost 28 million records and 23GB of data.
The data included not only biometric identifiers but also other types of security clearance information.
“We were able to find plain-text passwords of administrator accounts,” Rotem said. “The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even.”
This was a serious issue from a number of points of view, but the worst part was that the flaw also allowed anyone to change data. An attacker could add new users without anyone being any the wiser, register their own fingerprint, and gain access to any facility that relied on that form (and not only that form) of identification.
Rotem and his team attempted to contact Suprema before going to the press, but the company did not get back to them.
“[…] we found BioStar 2 generally very uncooperative throughout this process,” they said in their report. “Our team made numerous attempts to contact the company over email, to no avail. Eventually, we decided to reach out to BioStar 2’s offices by phone. Again, the company was largely unresponsive.”
So the only remaining option to let everyone know what was happening was to make the information public. They published their findings on vpnMentor and added that, in the meantime, they had managed to access data from a number of organizations in the U.S. and Indonesia, as well as a medicine supplier from the United Kingdom, among many others.
While Suprema did not respond to the Israeli team, it did release a statement to The Guardian via its head of marketing, Andy Ahn. Ahn said that the company had made an ‘in-depth evaluation’ of the information given to them and that customers would be informed if a threat was confirmed.
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn added.
The vulnerability has been closed as of August 13th.