Workload and Application Security Blog

Massive Biometric Data Breach Creates Chaos for MSSPs

Written by Virsec | Aug 22, 2019 6:40:48 AM

Channel Futures, IS Buzz News, August 14, 2019, with comments by Willy Leichter

Israeli researchers working for VPNmentor, a VPN review service, discovered a massive leak in a biometrics system broadly used in 1.5 million locations globally. Two researchers at the firm found a flaw in a database belonging to Biostar 2, a biometrics lock system, making its data publicly exposed. Through URL search criteria manipulation, they were able to access 23GB of data, including close to 28 million records. Facial recognition data, fingerprints, security clearance info and passwords were part of these records.

The Compromise Affects One of the Largest Biometric Security Companies

BioStar 2 provides biometric security that verifies user identities via a web-based app built by Suprema. Suprema is one of the largest shares in EMEA biometric access control and is one of the top 50 security manufacturers in the world. But vpnmentor’s two researchers accessed over 1 million fingerprint records and more.

The biometrics system is used around the world, granting access to buildings and online resources to staff and personnel. Organizations using it include the UK police, banks, defense companies and more. The fingerprints of over one million people, along with other biometric information and passwords, are part of the leak. Just last month, the platform had been integrated with the AEOS access system used in 83 countries by 5,700 organizations.

The Breach Was Found by Accident, Not Prioritized by the Managing Company

The two Isreaeli researchers who discovered the leak – Noam Rotem and Ran Locar – found it during a routine network scan. Not only could they access data, the flaw allowed them to also change data and add new users. He could even add his own fingerprint to the system, which would give him access to the same buildings and facilities an original user was allowed to access.

The breach is shocking enough. But perhaps even more surprising is when vpnmentor attempted to notify Suprema of the alarming situation on August 5, even before notifying the media, they got no response. They have tried several times and may still have not received a response. The vulnerability wasn’t closed for more than a week after their being notified, finally being closed on August 13.

Andy Ahn, head of Suprema's marketing, told The Guardian that the company had made an "in-depth evaluation" of vpnmentor's research and would let customers know if there was a threat. He also said, “"If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers' valuable businesses and assets." Despite the attempt at downplaying, clearly there is a threat, namely because it’s not possible to know who else may have gotten a hold of those records while the database was exposed. They don’t even know how long the information was exposed.

Fingerprint Compromises Are Forever

Password leaks are bad enough. But biometric leaks are far worse. Their impact is permanently enduring because except for a James Bond movie, a person’s fingerprints are unchangeable.

As noted above, VPNMentor team reported that it was able to access more than 27.8 million records from a total of 23 gigabytes of data. The exposed data included:

  • Access to client admin panels, dashboards, back-end controls, and permissions
  • Fingerprint data
  • Facial recognition information and images of users
  • Unencrypted usernames, passwords, and user IDs
  • Records of entry and exit to secure areas
  • Employee records including start dates
  • Employee security levels and clearances
  • Personal details, including employees’ home addresses and emails
  • Businesses’ employee structures and hierarchies
  • Mobile device and OS information

This stolen data creates multiple complications for managed security service providers (MSSPs) and their channel partners. These organizations use biometric verification to secure all manner of company resources, from online apps to physical buildings. Now they have no way to know if their biometric data could be in criminal hands. For now, these organizations are advised to triple check every transaction when dealing with customers.

“With all the hype around biometrics and AI, we tend to overlook the basics — we’re entrusting increasingly unchangeable personal data to a network of third parties with little oversight, and few enforceable standards over how priceless personal data is handled,” said Willy Leichter, vice president of marketing at Virsec.

“While GDPR lays out principles for data protection, these need to be swiftly and severely enforced for organizations that are clearly reckless,” said Leichter.

 

Blogs:

Trump Admininistration Debating Encryption Crackdown
Chinese Hackers Linked to Global Telco Attacks
Despite US defenses, Russian hackers are still trying to break in to America’s power grid
Could Russia shut down US electric grids

DHS about electrical grid attacks by Russian agents
Critical infrastructure will have to operate if there’s malware on it or not

Chinese Hacking Group Used Stolen NSA Hacking Tools Ahead of Shadow Brokers’ Leaks

Congressional investigation into Equifax breach finds multiple security failures

White paper: Triton attack

Newsletter: Latest issue