Biometrics Database Breach Not So Big, Says Suprema

The company behind a database used by banks, police and defence contractors, which was found to have a major security flaw, has downplayed the severity of the breach.

But the security researchers who discovered the vulnerability have stood by their research, and said that they had obtained a large amount of biometric data from the firm in question.

It comes after Israeli security researchers Noam Rotem and Ran Locar said last week that they were able to access biometric data held on a publicly accessible database belonging to South Korea-based Suprema, the company responsible for the web-based Biostar 2 biometric lock system.

Biostar breach

Biostar essentially allows for centralised control for access to secure facilities such as warehouses or office buildings. It uses biometric data such as fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.

Researchers Noam Rotem and Ran Locar said that Biostar had been integrated into another access control system called AEOS.

It seems that AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.

Rotem and Locar worked with vpnmentor, a service that reviews virtual private network services. They reportedly conducted a side project scanning ports for familiar IP blocks, then used those blocks to find holes in companies’ systems that could potentially lead to data breaches.

But to their surprise, they found Biostar 2’s database was unprotected and mostly unencrypted. This allowed them to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.

Worryingly, the researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.

But now the firm in question, Suprema, has downplayed the severity of the breach in a notice on its website.

It said that it had launched an internal investigation and engaged a leading forensics firm, and that “based on their investigation to date, they have confirmed that no further access has occurred and that the scope of potentially affected users is significantly less than recent public speculation.”

Researcher denial

However, this has been disputed by one of the researchers involved: Noam Rotem told BBC News that the evidence he had obtained did in fact indicate that large amounts of biometric data had been made available online.

The researchers did say that the dispute over the size of the leak could be explained by the fact that they did not, for ethical reasons, attempt to download all the fingerprint files.

Rather, they took “hundreds” of samples of data, Rotem told the BBC.

And these appeared to encode fingerprint patterns from a random selection of accounts in the Biostar 2 dataset.

The researchers then used Suprema’s software to convert about half a dozen examples into visible fingerprint patterns.

From this, they estimated the dataset contained “at least over a million” fingerprint patterns in total.

“We have evidence that biometric data was leaked,” Rotem told BBC News. “We did not download everything, because it would be unethical.”


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
