[BreachExchange] New Data Breach Has Exposed Millions Of Fingerprint And Facial Recognition Records: Report

Destry Winant destry at riskbasedsecurity.com
Wed Aug 14 10:24:39 EDT 2019


It has been coming for some time, but now a major breach of a
biometric database has actually been reported: facial recognition
records, fingerprints, log data and personal information have all been
found on "a publicly accessible database." The damage is not yet
clear, but the report claims that actual fingerprints and facial
recognition records for millions of people have been exposed.

The issue with biometric data being stored in this way is that, unlike
usernames and passwords, it cannot be changed. Once it’s compromised,
it’s compromised. And for that reason this breach report will sound
all kinds of alarms.

The report published by security researchers Noam Rotem and Ran Loca at
Vpnmentor relates to Suprema, a company describing itself as a "global
Powerhouse in biometrics, security and identity solutions," with a
product range that "includes biometric access control systems, time
and attendance solutions, fingerprint live scanners, mobile
authentication solutions and embedded fingerprint modules."

The news of the breach was first published by Wednesday’s Guardian
newspaper in the U.K., which highlighted the use of Suprema solutions
by the "Metropolitan Police, defence contractors and banks." The
breach, though, is international, with Suprema's Biostar 2 biometric
identity SDK integrated into the AEOS access control system "used by
5,700 organisations in 83 countries, including governments, banks and
the police."

Rotem and Loca found the breach by port scanning "familiar IP
blocks," then following each thread in search of public-facing
datasets, which is to say breaches. The mother lode for such research is
either sensitive data or a large-scale company. In this instance, they
appear to have found both combined: almost 28 million records across
more than 23 gigabytes of data, records that include "fingerprint data,
facial recognition data, face photos of users, unencrypted usernames
and passwords, logs of facility access, security levels and clearance,
and personal details of staff."

Highly sensitive data was left unencrypted, including (most alarmingly
of all) usernames and passwords. "We were able to find plain-text
passwords of administrator accounts,” Rotem told the Guardian. "The
access allows first of all seeing millions of users are using this
system to access different locations and see in real time which user
enters which facility or which room in each facility." The researchers
were even "able to change data and add new users."
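The credential finding above is the one part of this report with a routine fix, so here is an added example (not code from the article, from Suprema or from the vpnMentor researchers) of what the exposed admin records amounted to beside the form they should have taken: a per-user random salt and an scrypt-derived verifier, compared in constant time, so that a copied database yields no working passwords. Record layout, field names and scrypt cost parameters are assumptions for illustration. This covers only usernames and passwords; fingerprint and face templates need separate treatment, since biometric matching compares similar rather than identical samples.

```python
"""Plaintext credential store (the weak form the report describes)
beside a hardened store that keeps only a salted scrypt verifier.
Added example; record layout and parameters are assumed, not Suprema's."""
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters: CPU/memory cost 2**14, block size 8,
# parallelism 1, 32-byte output. Raise N where the hardware allows.
_N, _R, _P, _DKLEN = 2 ** 14, 8, 1, 32


def store_plaintext(username: str, password: str) -> dict:
    """Weak form: the password sits verbatim in the record, so anyone
    who can read the database can log in as the administrator."""
    return {"username": username, "password": password}


def store_hashed(username: str, password: str) -> dict:
    """Hardened form: a fresh random salt per user and the scrypt output
    derived from it. The password itself is never written."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=_N, r=_R, p=_P, dklen=_DKLEN)
    return {
        "username": username,
        "salt": salt.hex(),
        "scrypt": digest.hex(),
        "params": [_N, _R, _P],  # stored so cost can be raised later
    }


def verify(record: dict, password: str) -> bool:
    """Recompute scrypt with the stored salt and parameters and compare
    in constant time, so timing does not leak how many bytes matched."""
    n, r, p = record["params"]
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=n, r=r, p=p, dklen=_DKLEN)
    return hmac.compare_digest(digest.hex(), record["scrypt"])


def leaks_password(record: dict, password: str) -> bool:
    """The zero-effort attack on a leaked dump: is the password present
    verbatim in any string field of the stored record?"""
    return any(isinstance(v, str) and v == password for v in record.values())


if __name__ == "__main__":
    # Constructed sample credential, not from the breach.
    weak = store_plaintext("admin", "hunter2")
    strong = store_hashed("admin", "hunter2")
    print("plaintext record leaks password:", leaks_password(weak, "hunter2"))
    print("hashed record leaks password:   ", leaks_password(strong, "hunter2"))
    print("hashed record still verifies:   ", verify(strong, "hunter2"))
    print("wrong password rejected:        ", not verify(strong, "hunter3"))
```

Two users with the same password get different `scrypt` values because each record carries its own salt, which also defeats precomputed tables across the whole dump. The stored `params` list is what lets an operator raise the cost later and rehash on next successful login.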

The really serious implications here are twofold. First, the
manipulation of access control systems for secure sites—editing
accounts, changing logs, removing or adding entries, even changing
user data. Second, and even more of an issue, the access to actual
biometric data that (obviously) cannot be changed. To lose a password
and username is one thing, to have fingerprints (which cannot be
changed) stolen is quite beyond belief.

According to the researchers, "instead of saving a hash of the
fingerprint (that can’t be reverse-engineered) they are saving
people’s actual fingerprints that can be copied for malicious

The researchers told the Guardian they had made "multiple attempts" to
contact Suprema before disclosing their findings. The vulnerability
has been shut down and a Suprema spokesperson told the Guardian that the
company had launched an "in-depth" evaluation of the report. "If there
has been any definite threat on our products and/or services, we will
take immediate actions and make appropriate announcements to protect
our customers’ valuable businesses and assets."

Suprema has been approached for any comments on this story.

Biometric security is very much in the news these days, and while many
of those headlines have focused on AI-related technologies like facial
recognition, more biometric security still relies on fingerprints than
on anything newer. And there is little concern expressed over that level
of security for access control or immigration. But the risk with the
growing volume of biometric data has always been theft, and we have
not yet analyzed and understood the ways in which such stolen data
might be used. This despite reports of spoofed biometrics defeating
smartphone security or banking apps.

The final interesting take away from this story doesn’t relate to any
of the specifics, it’s a much more general point. We are currently
giving away biometric information to multiple platforms and providers.
Our phones, our banks, our immigration services, to name but a few.
Every time we do this, our risk increases. At some point the
realization will hit that we need some kind of unified platform where
we limit the number of parties who actually hold such data, with
others accessing those trusted holders on an "as a service" basis.

Until then, this will not be the last news item of this kind.
