Biometrics Database Used By Banks, Police Contains Major Flaw

A database used by banks, police, and defence contractors has been found to have a major security flaw that has exposed more than a million fingerprints and other sensitive biometric data.

The biometric data was located on a publicly accessible database for a company called Suprema, which is responsible for the web-based Biostar 2 biometrics lock system.

Biostar essentially allows for centralised control for access to secure facilities such as warehouses or office buildings. It uses biometric data such as fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.

Data vulnerability

The Israeli security researchers Noam Rotem and Ran Locar, told the Guardian newspaper that Biostar had been integrated into another access control system called AEOS.

It seems that AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.

Rotem and Locar last week were working with vpnmentor, a service that reviews virtual private network services. They reportedly conducted a side project to scans ports looking for familiar IP blocks, and then used these blocks to find holes in companies’ systems that could potentially lead to data breaches.

But to their surprise, they found Biostar 2’s database was unprotected and mostly unencrypted. This allowed them to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.

Worryingly, the researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff, the Guardian reported.

When worse, Rotem told the Guardian that much of the usernames and passwords were not encrypted.

“We were able to find plain-text passwords of administrator accounts,” he reportedly said. “The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even.”

“We [were] able to change data and add new users,” he added, which means they could have manipulated records of an existing user, add their own fingerprints, and then to access any building the user had access to.

Responsible disclosure

It is reported that the researchers made multiple attempts to contact Suprema before taking their research paper to the Guardian late last week.

Suprema’s head of marketing, Andy Ahn, however told the Guardian the company had taken an “in-depth evaluation” of the information provided by vpnmentor and would inform customers if there was a threat.

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn reportedly said.

Expert views

Security experts said this case demonstrated the high level of care needed when setting up access to databases that can be remotely accessed.

“We continue to see many instances of administrators making errors in securing databases whereby they are either publicly accessible directly, or through trivial means,” said Javvad Malik, security awareness advocate at KnowBe4.

“It highlights the dire need not only for assurance controls to validate the security of databases, but also for a security culture to be embedded throughout organisations so that every developer, administrator, and user is aware of their security responsibilities and desired outcomes,” said Malik.

“Breaches like this also cast doubt over the capabilities of governments and police departments to maintain the integrity of large nationwide databases of biometrics, including facial recognition technology,” he added. “If these databases continue to be so poorly secured, it won’t be long till the criminals find creative ways to abuse the data.”

Another expert agreed that criminals would be interested in this kind of flaw.

“Cybercriminal operations thrive off these kinds of breaches: sensitive stolen data can be sold online and exploited in all sorts of subsequent campaigns,” said Corin Imai, senior security advisor at DomainTools.

“The news of this database being left exposed is particularly worrisome for a number of factors, the first of which being that fingerprints and facial recognition information, unlike passwords, cannot be reset, and are becoming more and more commonly used by organisations as well as government agencies and law enforcement,” said Imai.

“Complex socially engineered phishing operations could stem from such a breach, therefore people potentially affected should be weary of any email they receive that requests them to reset their credentials or to provide any kind of authentication,” he warned.

Another expert also warned that a simple password reset would not cut it.

“The problem with this database exposure is the fact that people affected won’t be safe by just resetting the password to their online accounts,” said Paul Edon, senior director technical sales and services (EMEA) at Tripwire.

“The eventuality of fingerprint and facial recognition information compromise is what holds back biometrics authentication from substituting passwords entirely: once criminals access databases of fingerprint data, there is no way for users to reset their credentials,” Edon said.

Edon advised that the best way to protect online identities is to use multifactor authentication, so that even when biometrics are compromised, there is another layer of knowledge-based security. This should be coupled with the use of unique passwords on every website.

Another expert said it was a schoolboy error to leave admin passwords unencrypted.

“Leaving passwords, including admin based passwords, unencrypted in 2019 is a schoolboy error,” said Jake Moore, cybersecurity specialist at ESET. “Stories like this have resurfaced time and time again whilst companies of all sizes and stature are getting caught out without following simple security check-ups.”

“It’s worrying to think that our data is out there not fully protected and that there is a chance we are losing control of it,” said Moore. “The introduction of GDPR was aimed to reduce issues like this, but it’s worth stating that to lower the risks to ourselves and our personal data, we all must up our own personal cybersecurity.”

He advised the use of password managers and two-factor authentication.

Do you know all about security? Try our quiz!