Biometric security firm used by UK police exposed 1m fingerprints

14 Aug 2019

Image: © wittybear/Stock.adobe.com

Security researchers discovered that fingerprints, unencrypted usernames and passwords, and personal information of employees were discovered on a publicly accessible database.

This morning (14 August), The Guardian reported a major breach in a biometrics system used by banks, UK police and defence firms.

Facial recognition information, unencrypted usernames and passwords, personal information of employees, and fingerprints belonging to more than 1m people were discovered on a publicly accessible database.

UK police, defence contractors and banks are clients of Suprema, the security company responsible for the web-based BioStar 2 biometrics lock system. This system uses fingerprints and facial recognition to identify people attempting to gain access to buildings.

Suprema, which is one of the world’s top 50 security manufacturers, recently partnered with Nedap to integrate BioStar 2 into its AEOS access control system. AEOS is used by over 5,700 organisations in 83 countries, including the UK Metropolitan police, governments, banks and small businesses.

Vulnerabilities

Last week, Israeli security researchers Noam Rotem and Ran Locar discovered that this database was unprotected and mostly unencrypted.

The security researchers were able to search the database and gain access to data, discovering at least 27.8m records and 23GB of data.

Rotem told The Guardian: “We were able to find plain-text passwords of administrator accounts.” This meant that the researchers could change data and add new users. On top of this, Rotem and Locar could see which buildings users had entered and, in some cases, which rooms.

Rotem and Locar published a paper on the discovery on VpnMentor, which lays out a more detailed timeline of events.

Response

The researchers said that they made multiple attempts to contact Suprema before reaching out to The Guardian. Early today the vulnerability was closed, but Suprema still had not contacted Rotem and Locar.

Suprema’s head of marketing, Andy Ahn, told The Guardian: “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets.”

Rotem said that this isn’t an issue that’s unique to Suprema, and that he contacts three or four companies each week to notify them of similar flaws.

The researchers who discovered this vulnerability advised BioStar 2 and Suprema to secure its servers, implement proper access rules on its databases, and not to leave a system that doesn’t require authentication open to the internet.

Clients who used BioStar 2 were also advised to change their passwords immediately, and notify their employees that personal passwords should also be changed.

The Verge noted that the breach could have implications for employees enrolled in the system, as the personal information exposed could be used to commit identity fraud.

Kelly Earley was a journalist with Silicon Republic

editorial@siliconrepublic.com