Biometric records of more than one million people, in addition to other sensitive details, are exposed to any user’s reach in an unsecured database, web application security experts report. According to reports, the company responsible for this database works closely with British police officers, banking institutions and military contractors.
Suprema, the company involved in the incident, is responsible for Biostar 2, a network-based biometric control access system that allows centralized control for access to critical facilities, such as warehouses or offices. This system uses fingerprints and facial recognition to identify people authorized to access certain facilities.
In turn, the Biostar system is integrated with AEOS, another access control system employed by thousands of organizations in almost a hundred countries; the most prominent clients of these services include banks, governments and institutions of order and national security.
Noam Rotem and Ran Loca, web application security experts, are operating a port scanning project to detect similar IP address sets to find security flaws in organizations’ systems that could lead to a data breach scenario. During this project it was that they discovered the exposed and unencrypted database of Biostar 2; for this, the researchers only had to manipulate the URL search criteria in Elasticsearch.
Web application security experts gained access to more than 27 million records and more than 20 GB of data, including dashboards, fingerprint records, facial recognition data, user photos, login credentials and unencrypted passwords, among other sensitive details. “These details allow you to know which users are registered in the access system, and it is also possible to determine the real-time location of users on the facilities that have this system; it’s even possible to modify some data and add new users,” the experts mention.
This is an alarming possibility, as virtually anyone with access to that database could register with the system and access facilities with critical security levels, regardless of whether it is a corporate building or facilities military or security.
Researchers mentioned that it was possible to access data from hundreds of organisations in the U.S., UK, India, Pakistan, among other countries. According to web application security experts, the potential impact of this incident is alarming, as there are more than 1 million locations in the world that have this system. In addition, unlike a password, users cannot change their fingerprints in case of data theft.
Although researchers have tried multiple times to contact the company responsible for the database, it took about a week to respond. Eventually, the flaw was corrected early on Wednesday morning, although the company still makes no comment on the incident.
Specialists from the International Institute of Cyber Security (IICS) mention that these kinds of database vulnerabilities are really common, although discovering them is a tedious process; however, the interest of hackers in accessing sensitive information leads them to find these security flaws.