Researchers have found a trove of biometric data left exposed online by a global biometric security company.
A security tool named Biostar 2, used by thousands of companies worldwide, including the UK's Metropolitan Police and several banks, allowed access to data that include more than a million fingerprints, said security firm VPNMentor.
Israeli security researchers Noam Rotem and Ran Locar, working with VPNMentor, found the unprotected database in the web-based biometric security smart lock platform. It is built by Suprema, one of the world’s top 50 security manufacturers by scale.
Not only was the Biostar 2 database unprotected, but its sensitive contents were largely unencrypted, the report said. In total, 23 GB of data, including fingerprints, facial recognition details, face photos of users, unencrypted usernames and passwords, and personal details of employees, were open for anyone to access and edit, according to the report.
The scale and the nature of the possible breach are alarming. Biostar 2 reportedly has the highest share of the biometric access control market in the EMEA region. Suprema recently partnered with global security and verification major Nedap, integrating BioStar 2 into its AEOS access control system.
"It's one thing having your password hacked – passwords can be changed and replaced. But what happens when your biometrics are hacked? You can’t change your voice; you can’t replace your eyes and you can’t reset your fingerprints. Those things are constant, permanent and contain genetic data that is unique to you," said Etienne Greeff, CTO and co-founder of SecureData.
The vulnerability has been disclosed to the company, which has said it is addressing the issue, The Guardian reported.
Suprema’s product brochure makes bold claims about its system: "Integrated with BioStar 2, this system safely stores all information about each user including the user’s name, ID, PIN, access rights and fingerprint data by storing it on a single device."
"The major issue in this particular security incident is that data was seemingly not protected properly in the first place. The biometric data, including fingerprints, weren’t hashed, which would have protected them from being reverse engineered. On top of that, the data was stored in a publicly accessible cloud database. It’s atrocious security practice," said Greeff.
Breaches often happen through a security failure at a supply chain partner, three or four levels removed from your own organisation, pointed out Jeremy Hendy, CEO of Skurio.
"In this example, the compromise happened at Korean biometric technology firm Suprema, whose technology is used by Nedap, who in turn provide access control systems to thousands of different organisations including banks, police and defence firms. In today’s complex digital ecosystems, data about your customers and staff potentially flows through thousands of different technologies – many of which you don’t even know about," he said.
The disclosure on Biostar comes at a time when organisations and services are increasingly moving towards multi-factor authentication, including federated ID and biometrics. A spike in the use of malware designed to capture user passwords by harvesting digital data has also pushed organisations towards biometrics.
Individual users are also slowly migrating to mobile biometric sensors, such as Apple Touch ID and Face ID, Android fingerprint sensors and Windows Hello. The latest to join the bandwagon is WhatsApp, which has implemented a fingerprint authentication option in the latest Android beta version.
"There really is no limit to what we can do to protect our data and this will no doubt knock-on to other app protection where biometrics enhance the security from within the app itself. We already see it in banking apps and password managers, so this is just the next step," said Jake Moore, cyber-security specialist at ESET.
"There’s a lot of excitement around the use of face recognition systems. While the benefits are endless, businesses must also consider the risks that arise from deploying face recognition systems as they need to take appropriate steps to comply with the law," said Tamara Quinn, partner at law firm Osborne Clarke.
GDPR imposes strict rules on the use of biometrics. Businesses have to obtain consent from every person scanned and prove that these individuals were fully informed and were not coerced or lured into giving it.
"As well as making sure that their systems comply with strict legal requirements, companies should be looking at their contracts with external suppliers of these systems, to make sure that they have strong legal protections in place," she added.