Biometrics Hack Puts Millions at Risk
Author: Anders Adolfsson, Technical Consultant
Perhaps our Paul Foley said it best in his "Biometrics and 2FA" blog in May: "One set of fingerprints. One set of retinas. That's all we have." If compromised, these bits of data cannot simply be exchanged for something else.
That very issue is currently haunting Suprema's customers and their users, particularly those whose fingerprints were accessed. Suprema is the security company behind Biostar 2, a web-based biometric lock system that centrally stores fingerprint and facial-recognition data and uses it to admit workers to facilities such as office buildings and warehouses. It turns out that this sensitive data, stored by Suprema, could be reached by nearly anyone with a little hacking savvy. That means the private data of more than 1 million people was potentially compromised, exposing their facial-recognition data, fingerprints, usernames and passwords, along with other personal information.
Biostar 2 is used by a variety of high-profile organizations, both public and private, across the UK and beyond, including defense contractors, financial institutions and even police forces. When Suprema announced that it had integrated Biostar 2 with the AEOS access control system, some diligent Israeli security researchers, hacking for good, noticed that the Biostar 2 database could be accessed easily, and that much of the information in it was not encrypted.
Their access to the database exposed nearly 30 million records. Had someone with malicious intent found the flaw first, they could have used the stored fingerprints to gain entry to sensitive locations holding highly classified data.
The researchers, who published a report on their findings on vpnMentor, noted that they could access data from the US, Indonesia, India, Pakistan, Finland and the UK.