Fingerprint and facial recognition breach leaks records of over 1 million people
What you need to know
- Two Israeli security researchers discovered an unencrypted Biostar 2 database with 23GB worth of data
- Included in the data were fingerprints, facial scans, usernames, passwords, and other personal information of over 1 million people.
- The vulnerability has now been closed and the company is doing an in-depth evaluation of the information.
Last week, Israeli security researchers Noam Rotem and Ran Locar discovered a mostly unencrypted publicly accessible Biostar 2 database online. The database included fingerprints, facial scans, usernames and passwords, and personal information of over 1 million people.
Biostar 2 is a biometrics lock system developed by the security company Suprema that integrates with the AEOS access control system. AEOS just happens to be used in 83 countries worldwide by 5,700 organizations, including governments, banks, and the UK Metropolitan Police.
Rotem and Locar happened upon this database during a side project with vpnmentor where they scan "ports looking for familiar IP blocks, and then use these blocks to find holes in companies' systems that could potentially lead to data breaches."
After the pair found Biostar 2's database, they were able to search the database and manipulate URLs to gain access to the data.
Speaking to the Guardian, Rotem said most of the usernames and passwords were unencrypted and they were able to also change data and add new users into the system.
What makes this even more dangerous, the researchers pointed out, is that the database stores people's actual fingerprints rather than a hash of them. A hash cannot be reverse-engineered, but the raw fingerprint data can be copied and used by others.
Rotem and Locar made multiple attempts to contact Suprema before sending their paper to the Guardian late last week, and as of Wednesday morning, the vulnerability has been fixed. The head of marketing at Suprema, Andy Ahn, told the Guardian that the company is doing an "in-depth evaluation" of the information and:
Get the latest news from Android Central, your trusted companion in the world of Android
We've all seen the news stories about security breaches, and more than likely you've been the victim of one of these in the past. It usually requires you to change your password, but when it comes to your biometric data, you can't just change your fingerprint or face.