The firm’s flagship Biostar 2 biometric lock system provides centralised access control for secure facilities such as warehouses and office buildings, using fingerprints and facial recognition to identify individuals seeking entry. In July, the platform was integrated into the AEOS access control system, which is used by almost 6,000 organisations in 83 countries and covers around 1.5 million locations worldwide.
Last week, however, Israeli security research firm vpnmentor, which reviews virtual private network services for speed, security, support and features, found that Biostar 2’s database was unprotected and largely unencrypted. The researchers were able to reach almost 28 million personal records and 23 gigabytes of data, including admin panels, dashboards, fingerprint data, facial recognition data, users’ headshots, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
It has now published a damning report on the gaping hole in the system’s defences, warning criminals “of all kinds” could use the information for “varied illegal and dangerous activities”.
“Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can’t be undone. The unsecured manner in which Biostar 2 stores this information is worrying, considering its importance, and the fact that Biostar 2 is built by a security company. Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes,” the report states.
It goes on to note that vpnmentor’s researchers were able not only to read data but to change it and add new users. An attacker could therefore edit an existing user’s account, enrol their own fingerprints against it, and gain entry to whatever buildings that individual is authorised to enter; hackers could potentially build entire libraries of bogus fingerprints to enter secure locations undetected. Because they would also have write access to the activity logs, they could delete or alter log entries to conceal their activities.
The authors also suggest fingerprint data theft is “particularly concerning” because fingerprints are replacing typed passwords on many consumer devices, such as smartphones. The report claims that most fingerprint scanners on consumer goods are unencrypted, so a hacker who can replicate a victim’s fingerprint could gain access to all private information stored on the device, such as messages, photos and payment methods.
“This leak could have been easily avoided had the makers of Biostar 2 taken basic security precautions. While the information we found could still have made it into the hands of criminal hackers, we suggest Biostar 2 and Suprema secure servers with better protection measures, don’t save the actual fingerprints of users, implement proper access rules on databases and never leave a system that doesn’t require authentication open to the internet,” the report concludes.