‘Errr yes it was’ security researchers insist, estimating that ‘large amounts of biometrics data’ has been exposed
The company behind a database used by banks, police, and defence contractors that was found to have a major security flaw, has downplayed the severity of the breach.
But the security researchers who discovered the vulnerability have stood by their research, and said that they had obtained a large amount of biometric data from the firm in question.
It comes after Israeli security researchers Noam Rotem and Ran Locar said last week that they were able to access biometric data held in a publicly accessible database belonging to South Korea-based Suprema, which is responsible for the web-based Biostar 2 biometric lock system.
Biostar essentially allows for centralised control for access to secure facilities such as warehouses or office buildings. It uses biometric data such as fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.
Researchers Noam Rotem and Ran Locar said that Biostar had been integrated into another access control system called AEOS.
It seems that AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.
Rotem and Locar worked with vpnmentor, a service that reviews virtual private network services. They reportedly conducted a side project to scan ports looking for familiar IP blocks, and then used these blocks to find holes in companies’ systems that could potentially lead to data breaches.
But to their surprise, they found Biostar 2’s database was unprotected and mostly unencrypted. This allowed them to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.
Worryingly, the researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
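As an added illustration (not from the article, from Suprema or from the researchers), this is the kind of misconfiguration the report describes: an Elasticsearch node bound to a public interface with security disabled answers unauthenticated `_search` requests over plain HTTP, so anyone who finds the port can read every index. The second document shows the settings that refuse such requests. The keys are the standard `elasticsearch.yml` settings; the host address and certificate paths are placeholders.

```yaml
# elasticsearch.yml -- exposed configuration (weak).
# The node listens on every interface, has no authentication and no TLS,
# so an unauthenticated _search request from the internet returns data.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

---
# elasticsearch.yml -- hardened configuration.
# Security is enabled (users, roles, API keys), TLS protects both the HTTP
# and the node-to-node transport layer, and the node only binds to a private
# address. Anonymous URL queries now get HTTP 401 instead of records.
# Note: these security features are part of the free Basic licence from
# Elasticsearch 6.8 / 7.1; older releases needed a paid licence or an
# authenticating reverse proxy in front of port 9200.
network.host: 10.0.0.5                                   # placeholder: private address only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12    # placeholder path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # placeholder path
xpack.security.transport.ssl.verification_mode: certificate
```

After restarting with the hardened file, set passwords for the built-in users with `bin/elasticsearch-setup-passwords interactive`, then confirm from outside the private network that a credential-less request to port 9200 is refused rather than answered. The same check, run against your own clusters on a schedule, is the cheapest way to catch the exposure described in this report before someone else does.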
But now the firm in question, Suprema, has downplayed the severity of the breach in a notice on its website.
It said that it had launched an internal investigation and engaged a leading forensics firm, and that “based on their investigation to date, they have confirmed that no further access has occurred and that the scope of potentially affected users is significantly less than recent public speculation.”
However this has been disputed by one of the researchers involved, after Noam Rotem told BBC News the evidence he had obtained did in fact indicate large amounts of biometric data had been made available online.
The researchers did say that the dispute over the size of the leak could be explained by the fact that, for ethical reasons, they did not attempt to download all the fingerprint files.
Rather, they took “hundreds” of samples of data, Rotem told the BBC.
And these appeared to encode fingerprint patterns from a random selection of accounts in the Biostar 2 dataset.
The researchers then used Suprema’s software to convert about half a dozen examples into visible fingerprint patterns.
From this, they estimated the dataset contained “at least over a million” fingerprint patterns in total.
“We have evidence that biometric data was leaked,” Rotem told BBC News. “We did not download everything, because it would be unethical.”