Biometric Security Vendor Exposes Fingerprints, Face DataResearchers Find Open Database for Suprema's BioStar 2
A South Korean company that makes a biometric access control platform exposed fingerprint records, facial recognition data and personal information after failing to secure an Elasticsearch database, security researchers say.
Suprema, which develops an access control platform called BioStar 2, left 23GB of data, including 27.8 million records, open on the internet, according to vpnMentor, a VPN reviews website. The platform can be used to manage access to doors and elevators using devices such as smart cards and fingerprint readers.
The database was found by Noam Rotem and Ran Locar, both Israel-based computer security researchers who have a notable record of finding sensitive exposed data.
Rotem and Locar were able to access the Elasticsearch database through a web browser and were able to “manipulate the URL search criteria into exposing huge amounts of data.” Also, there was an insecure Kibana interface – a tool for visualizing databases - running on top of Elasticsearch.
vpnMentor published a video showing the kinds of information exposed.
The data belongs to variety of businesses in at least 10 countries, including the U.S., Indonesia, India, Sri Lanka, U.K. UAE, Finland, Turkey, Japan and Germany. vpnMentor named some of the business affected, including co-working spaces, medical product vendors, a plastics recycling firm and a staffing agency.
The researchers report that they had difficulty alerting Suprema to the data exposure, including a German office for the company, which hung up the phone. They eventually reached a Suprema office in France. Suprema was notified on Aug. 7, but the exposure wasn’t fixed until Tuesday.
In a statement provided to Information Security Media Group, Suprema says that it’s “aware of the reports in the press regarding its BioStar 2 platform and the alleged unauthorized access to data involving vpnMentor. The company takes any report of this nature very seriously. It is investigating the allegations in the press reports and will liaise with any appropriate third parties and/or individuals as necessary. At this stage, it cannot make any further comment but will, if appropriate, issue a further press statement in due course, including corrections of any erroneous assertions in the reports to date."
Rotem and Locar found a rich data trove that lacked many basic security protections, vpnMentor says. The Elasticsearch database and Kibana interface should have been at minimum password protected and only allowed whitelisted IPs, according to the video.
The database included personal information for employees and unencrypted usernames and passwords. It also included fingerprint data, facial recognition data and photos of faces, records of building entries and exists, employee records, security clearances and mobile device information, vpnMentor reports.
The fingerprint data wasn’t hashed, which means it could be copied and used for malicious purposes, vpnMentor says. Client administrative panels, dashboards, back-end controls and permissions were visible as well.
“With this leak, criminal hackers have complete access to admin accounts on BioStar 2,” vpnMentor says. “They can use this to take over a high-level account with complete user permissions and security clearances, and make changes to the security settings in an entire network.”
Attackers would potentially be able to use the exposed information to change user permissions and lock people out of areas in buildings, vpnMentor says. Also, it claims it would be possible to create new user accounts leveraging the face and fingerprint data to gain access to secure areas.
Impact: To Be Determined
The full scope of the exposure will likely play out over the next few days, including how many people and organizations are affected.
Suprema says it has the most market share of any biometric access control vendor in Europe, the Middle East and Africa. That means the General Data Protection Regulation, the European Union's strict data law, would cover some of the company’s customers.
Under GDPR, companies can be fined &euro 20 million or up to four percent of annual revenue, which ever is greater, for severe breaches.
The data exposure may also raise eyebrows in the U.S., where some lawmakers have called for stronger privacy and security legislation in an effort to reduce the number of data breaches (see: Democratic Senators Introduce Data Security Legislation).