Biometrics Database Breach Not So Big, Says Suprema

The company behind a database used by banks, police and defence contractors, which was found to have a major security flaw, has downplayed the severity of the breach.

But the security researchers who discovered the vulnerability have stood by their research, and said that they had accessed a large amount of biometric data held by the firm in question.

It comes after Israeli security researchers Noam Rotem and Ran Locar said last week that they were able to access biometric data located on a publicly accessible database belonging to South Korea-based Suprema, which is responsible for the web-based Biostar 2 biometrics lock system.

Biostar breach

Biostar essentially allows for centralised control for access to secure facilities such as warehouses or office buildings. It uses biometric data such as fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.

Researchers Noam Rotem and Ran Locar said that Biostar had been integrated into another access control system called AEOS.

It seems that AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.

Rotem and Locar worked with vpnmentor, a service that reviews virtual private network services. They reportedly conducted a side project to scan ports looking for familiar IP blocks, and then used these blocks to find holes in companies’ systems that could potentially lead to data breaches.

But to their surprise, they found Biostar 2’s database was unprotected and mostly unencrypted. Its Elasticsearch interface accepted search requests without authentication, so the researchers could pull data simply by manipulating the search criteria in the URL.
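The following is an added example, not code from the article, Suprema or vpnmentor. It shows what a URL-parameter search against an unauthenticated Elasticsearch node looks like, how to classify a node's reply to an anonymous request, and a check of the two elasticsearch.yml settings that leave a node open to exactly this kind of access. The host, index, field and cluster names, the sample banner and the config dictionaries are all constructed for illustration; the defaults assumed (network.host bound to localhost, security disabled on pre-8.x basic licences) are stated in the comments.

```python
# Added example (not Suprema's or vpnmentor's code): URL-parameter search
# against an unauthenticated Elasticsearch node, a classifier for the reply
# to an anonymous GET /, and a check of the settings that expose a node.
# All names, hosts and sample data below are assumptions for illustration.
import json
from urllib.parse import quote


def build_search_url(base_url: str, index: str, lucene_query: str, size: int = 10) -> str:
    """Elasticsearch URI search: GET /<index>/_search?q=<lucene>&size=<n>.
    On a node with no authentication anyone who reaches port 9200 can change
    <index> and q= freely, which is the URL manipulation the article describes."""
    return "%s/%s/_search?q=%s&size=%d" % (
        base_url.rstrip("/"), quote(index, safe=""), quote(lucene_query, safe=""), size)


def classify_root_response(status: int, body: str) -> str:
    """Classify the reply to an unauthenticated GET / on the HTTP port.
    A 200 carrying cluster_name and version is the Elasticsearch banner,
    i.e. the node answered without asking for credentials."""
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "open-elasticsearch"
    return "unknown"


def _truthy(value) -> bool:
    """YAML-style booleans may arrive as bool or as the strings true/false."""
    return str(value).strip().lower() == "true"


def config_findings(cfg: dict) -> list:
    """Flag elasticsearch.yml settings that expose a node: bound to a
    non-loopback address while X-Pack security (auth) or HTTP TLS is off.
    Assumed defaults: network.host=localhost; security and TLS disabled."""
    findings = []
    host = str(cfg.get("network.host", "localhost"))
    public = host not in ("localhost", "127.0.0.1", "::1", "_local_")
    if public and not _truthy(cfg.get("xpack.security.enabled", False)):
        findings.append("network.host=%s with xpack.security.enabled=false: "
                        "anonymous read/write over HTTP" % host)
    if public and not _truthy(cfg.get("xpack.security.http.ssl.enabled", False)):
        findings.append("HTTP API reachable without TLS: data and credentials in cleartext")
    return findings


# Constructed sample data (not captured from any real host or product).
SAMPLE_OPEN_BANNER = json.dumps({"name": "node-1", "cluster_name": "demo-cluster",
                                 "version": {"number": "6.8.1"},
                                 "tagline": "You Know, for Search"})
WEAK_CONFIG = {"network.host": "0.0.0.0", "xpack.security.enabled": "false"}
HARDENED_CONFIG = {"network.host": "0.0.0.0", "xpack.security.enabled": True,
                   "xpack.security.http.ssl.enabled": True}

if __name__ == "__main__":
    print(build_search_url("http://10.0.0.5:9200", "users", "user_name:admin", 50))
    print(classify_root_response(200, SAMPLE_OPEN_BANNER))
    print(classify_root_response(401, '{"error": "missing authentication credentials"}'))
    for finding in config_findings(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", config_findings(HARDENED_CONFIG))
```

The classifier is the check a practitioner would run before anything else: if an anonymous GET / returns the banner, every index on the node is readable, and the hardening is to bind to loopback or enable authentication and TLS rather than to rely on the port being obscure.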

Worryingly, the researchers had access to over 27.8m records and 23 gigabytes of data, including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.

But now the firm in question, Suprema, has downplayed the severity of the breach in a notice on its website.

It said that it had launched an internal investigation and engaged a leading forensics firm, and that “based on their investigation to date, they have confirmed that no further access has occurred and that the scope of potentially affected users is significantly less than recent public speculation.”

Researcher dispute

However, this has been disputed by one of the researchers involved, after Noam Rotem told BBC News that the evidence he had obtained did in fact indicate large amounts of biometric data had been made available online.

The researchers did say that the dispute over how big the leak was could be explained by the fact that they did not, for ethical reasons, attempt to download all the fingerprint files.

Rather, they took “hundreds” of samples of data, Rotem told the BBC.

And these appeared to encode fingerprint patterns from a random selection of accounts in the Biostar 2 dataset.

The researchers then used Suprema’s software to convert about half a dozen examples into visible fingerprint patterns.

From this, they estimated the dataset contained “at least over a million” fingerprint patterns in total.

“We have evidence that biometric data was leaked,” Rotem told BBC News. “We did not download everything, because it would be unethical.”


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
