LONDON – While passwords can be changed after a breach, fingerprints cannot, which is why there is so much concern here over news that the fingerprints of more than one million people were discovered in a publicly accessible database belonging to a company whose customers include the U.K. Metropolitan Police, defense contractors and banks.
Also found to be publicly available: facial recognition information, unencrypted usernames and passwords, and personal information of employees, according to the Guardian. The exposed information included that of organizations in the United States and Indonesia.
The Guardian reported that Israeli security researchers Noam Rotem and Ran Locar have been working with vpnmentor, a service that reviews virtual private network providers, and have also been running a side project that scans ports for familiar IP blocks and then uses those blocks to find holes in companies’ systems that could potentially lead to data breaches.
Access to Buildings
In the process, Rotem and Locar discovered they could access the data of Suprema, a security company responsible for the web-based Biostar 2 biometric lock system, which allows centralized control of access to secure facilities such as warehouses or office buildings, according to the Guardian. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.
Last month, the Guardian reported, Suprema announced its Biostar 2 platform had been integrated into another access control system – AEOS. AEOS is used by 5,700 organizations in 83 countries, including governments, banks and the U.K. Metropolitan Police.
In their search, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data, according to the Guardian.
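The exposure described here is the familiar pattern of an Elasticsearch REST API reachable without authentication or TLS. The following is an added example, not code from Suprema, the researchers or the Guardian: a small audit that reads a flat elasticsearch.yml and flags the settings a defender should check before an index holding biometric or credential data is reachable at all. The two configuration samples are constructed for illustration and are not the real Biostar 2 configuration; the setting names (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled, xpack.security.transport.ssl.enabled) are real Elasticsearch settings, but their defaults vary by version, so the audit treats an absent security setting as a finding rather than assuming a safe default.

```python
"""Audit a flat elasticsearch.yml for settings that leave the REST API open
to anonymous, cleartext access. Added example; the sample configs below are
constructed and do not describe any real deployment."""

# Constructed sample: REST API bound to every interface, security disabled.
EXPOSED_CONFIG = """
cluster.name: access-control
node.name: node-1
network.host: 0.0.0.0   # reachable from any network the host is on
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample of a hardened configuration for comparison.
HARDENED_CONFIG = """
cluster.name: access-control
node.name: node-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> dict:
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml normally uses.
    Comments and blank lines are skipped; values are kept as strings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_elasticsearch_config(text: str) -> list:
    """Return a list of findings for settings that together make an index
    readable and writable by anyone who can reach the port."""
    s = parse_flat_yaml(text)
    findings = []

    host = s.get("network.host", "_local_")
    if host not in LOOPBACK_HOSTS:
        findings.append(f"network.host={host}: REST API is not bound to loopback; "
                        "confirm it is reachable only from the application tier")

    security = s.get("xpack.security.enabled")
    if security is None:
        findings.append("xpack.security.enabled not set: default depends on the "
                        "Elasticsearch version, set it explicitly to true")
    elif security.lower() != "true":
        findings.append("xpack.security.enabled=false: no authentication on the REST API")

    for key, what in (("xpack.security.http.ssl.enabled", "client-to-node"),
                      ("xpack.security.transport.ssl.enabled", "node-to-node")):
        if s.get(key, "false").lower() != "true":
            findings.append(f"{key} is not true: {what} traffic is cleartext")

    return findings


def is_exposed(text: str) -> bool:
    """True when the config has at least one finding."""
    return bool(audit_elasticsearch_config(text))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_elasticsearch_config(cfg) or "no findings")
```

Binding to loopback and enabling authentication and TLS address the direct exposure; the question of whether the data should be in a search index in that form at all (raw biometric images and plain-text passwords) is separate, and the configuration audit does not answer it.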
Access to 23 Gigabytes of Data
“The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff,” the report stated.
Many of the usernames and passwords were not encrypted, Rotem told the Guardian. “We were able to find plain-text passwords of administrator accounts,” he said. “The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even. We [were] able to change data and add new users.”
As the Guardian noted, that would mean that he could edit an existing user’s account and add his own fingerprint and then be able to access whatever building that user is authorized to access, or he could just add himself as a user with his photo and fingerprints.
‘Sheer Scale is Alarming’
“The researchers said the sheer scale of the breach was alarming because the service is in 1.5m locations across the world and because, unlike passwords being leaked, when fingerprints are leaked, you can’t change your fingerprint,” the Guardian noted.
“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes,” the researchers said in the paper.
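Two of the findings above, plain-text administrator passwords and credentials stored in a form that can be read straight out of the index, have a standard remedy for the password half: store only a salted, memory-hard hash and compare in constant time. The example below is added here and is not Suprema's code or the researchers' method. It uses the standard library's hashlib.scrypt, includes a detection pass that finds records still holding plain-text passwords, and migrates them. The account records are constructed sample values, not data from the breach. One caveat on the fingerprint half of the quote: a password-style hash only works for values that match exactly, and repeated fingerprint captures never do, so biometric templates are protected with encryption at rest and dedicated template-protection schemes rather than a plain hash; that part is outside this example.

```python
"""Salted scrypt password storage plus a plain-text detection pass.
Added example; the records below are constructed, not from the breach."""
import hashlib
import hmac
import os

# Constructed sample of the kind of record the researchers describe:
# administrator accounts with their passwords stored in the clear.
LEAKED_STYLE_RECORDS = [
    {"username": "admin", "password": "Summer2019!", "role": "administrator"},
    {"username": "facilities", "password": "door1234", "role": "operator"},
]

# scrypt cost parameters: 128 * N * r bytes of memory, here 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing 'scrypt$<salt hex>$<hash hex>' string."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), digest_hex)


def looks_hashed(value: str) -> bool:
    """Cheap structural check for the storage format produced above."""
    return value.startswith("scrypt$") and value.count("$") == 2


def find_plaintext_credentials(records: list) -> list:
    """Detection pass: usernames whose password field is not in hashed form."""
    return [r["username"] for r in records if not looks_hashed(r["password"])]


def migrate_records(records: list) -> list:
    """Replace every plain-text password with its salted hash."""
    return [{**r, "password": r["password"] if looks_hashed(r["password"])
             else hash_password(r["password"])} for r in records]


if __name__ == "__main__":
    print("plain-text before:", find_plaintext_credentials(LEAKED_STYLE_RECORDS))
    migrated = migrate_records(LEAKED_STYLE_RECORDS)
    print("plain-text after:", find_plaintext_credentials(migrated))
    print("admin login ok:", verify_password("Summer2019!", migrated[0]["password"]))
```

A migration like this only closes the password exposure going forward; credentials that were already readable in the index still have to be treated as compromised and rotated.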
The vulnerability has reportedly been closed.
