Major Breach Compromises Biometric Data from Biostar 2, a System Used by UK Police, Banks and Enterprises
- September 30, 2019
- Hiba Sulaiman
This is not the first time that biometric data has been breached, but a major breach has now compromised facial recognition records, fingerprints, log data and personal information that were found on a publicly accessible database.
Biostar 2 Biometric Breach
The Biostar 2 biometric lock system uses fingerprints and facial recognition to identify people attempting to gain access to buildings. There is speculation that actual fingerprints and facial recognition records for millions of users have been exposed. The problem with biometric data is that it cannot be changed: once it is breached, the data remains compromised.
The OPM Breach – 2015
A similar incident took place in April 2015, when the Office of Personnel Management (OPM) breach affected 20 million people who had gone through US government background checks, after Chinese hackers gained access to civilian workforce data. This shows that breaches are common; in fact, the rate has increased over time.
Issues in the Biometrics Data
This breach adds to the breach events of the past few years. A Wall Street Journal feature also claimed, ‘biometrics have their own issues that might be worse than passwords’. Storing biometrics in a centralized database leaves the data vulnerable.
Biostar 2 Integration with AEOS
Last month, Suprema also announced that Biostar 2 had been integrated into another access control system, AEOS. AEOS is used by over 5,700 organizations spread over 83 countries, including government, banks and the UK Police. It is designed to adapt to ever-changing needs for any application of physical access control. It enables an organization to focus on its core business and improve performance and productivity.
Researchers Located the Breach in Biostar 2
Noam Rotem and Ran Locar are Israeli security researchers who work with vpnMentor, a service that reviews virtual private network services. The pair have been running a side project to scan ports looking for familiar IP blocks. The researchers then use these blocks to find loopholes in companies’ systems that could lead to data breaches. They found Biostar’s data unprotected and unencrypted. They had access to more than 27.8 million records and 23 gigabytes of data, including dashboards, fingerprint data, facial recognition data, unencrypted usernames and passwords, and other personal details of staff.
Looking for Better Data Security
The researchers said the scale of the breach was alarming, as the service is in 1.5 million locations around the world and, when fingerprints are leaked, they cannot be changed. The researchers added, ‘Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes’. They also stated that they made multiple attempts to contact Suprema before taking the news to the Guardian. Although the vulnerability was closed, they did not hear back from the security testing company. The current biometric database is still vulnerable, and organizations are looking for a more secure platform to share people’s personal data.