Biometrics Hack Puts Millions at Risk

Date: 2019-08-30
Author: Anders Adolfsson, Technical Consultant


Perhaps our Paul Foley said it best in his "Biometrics and 2FA" blog in May: "One set of fingerprints. One set of retinas. That's all we have." If compromised, these bits of data cannot simply be exchanged for something else.

That very issue is currently haunting Suprema's customers and their users, particularly those whose fingerprints were accessed. Suprema is the security company behind Biostar 2, a web-based biometrics lock system that centrally stores fingerprints and facial recognition biometrics, which workers then use to access facilities such as office buildings and warehouses. It seems this sensitive data stored by Suprema could be accessed by nearly anyone with a little hacking savvy. That means that private data for more than 1 million people was potentially compromised, giving open access to their facial recognition information, fingerprints, passwords and usernames, as well as other personal information.

Suprema is used by a variety of high-level organizations - both public and private - across the UK and beyond, including defense contractors, financial institutions and even police. When Suprema announced they'd integrated Biostar 2 with the AEOS access control system, some diligent Israeli hackers-for-good noticed they could access the Biostar 2 database easily, and that much of the information was not encrypted.

Their break into the system allowed them access to nearly 30 million records. If someone with malicious intent had found the security flaw, they could have used the fingerprints to gain access to sensitive locations storing highly classified data.

The hackers, who published a paper on their discoveries on vpnMentor, noted they could access data from the US, Indonesia, India, Pakistan, Finland and the UK.
