Biometrics Database Breach Not So Big, Says Suprema

The company behind a database used by banks, police and defence contractors that was found to have a major security flaw has downplayed the severity of the breach.

But the security researchers who discovered the vulnerability have stood by their research, and said that they had obtained a large amount of biometric data from the firm in question.

It comes after Israeli security researchers Noam Rotem and Ran Locar said last week that they were able to access biometric data held in a publicly accessible database belonging to South Korea-based Suprema, the company behind the web-based Biostar 2 biometric lock system.

Biostar breach

Biostar essentially allows for centralised control for access to secure facilities such as warehouses or office buildings. It uses biometric data such as fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.

Researchers Noam Rotem and Ran Locar said that Biostar had been integrated into another access control system called AEOS.

It seems that AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.

Rotem and Locar worked with vpnMentor, a service that reviews virtual private network services. They reportedly conducted a side project to scan ports looking for familiar IP blocks, and then used these blocks to find holes in companies’ systems that could potentially lead to data breaches.

But to their surprise, they found Biostar 2’s database was unprotected and mostly unencrypted. Because the Elasticsearch instance accepted unauthenticated requests, they were able to search the database simply by changing the search criteria in the URL.

Worryingly, the researchers had access to over 27.8 million records and 23 gigabytes of data, including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.

But now the firm in question, Suprema, has downplayed the severity of the breach in a notice on its website.

It said that it had launched an internal investigation and engaged a leading forensics firm, and that “based on their investigation to date, they have confirmed that no further access has occurred and that the scope of potentially affected users is significantly less than recent public speculation.”

Researcher denial

However, this has been disputed by one of the researchers involved, after Noam Rotem told BBC News the evidence he had obtained did in fact indicate large amounts of biometric data had been made available online.

The researchers did say that the dispute over how big the leak was could be explained by the fact that they did not (for ethical reasons) attempt to download all the fingerprint files.

Rather, they took “hundreds” of samples of data, Rotem told the BBC.

And these appeared to encode fingerprint patterns from a random selection of accounts in the Biostar 2 dataset.

The researchers then used Suprema’s software to convert about half a dozen examples into visible fingerprint patterns.

From this, they estimated the dataset contained “at least over a million” fingerprint patterns in total.

“We have evidence that biometric data was leaked,” Rotem told BBC News. “We did not download everything, because it would be unethical.”


Tom Jowitt @TJowitt

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe
