Massive biometric security flaw exposed more than one million fingerprints

Biostar 2, the biometrics lock system managed by security company Suprema, uses fingerprints and facial recognition technology to give authorised individuals access to buildings. Last month the platform was integrated into another access system — AEOS — which is used by 5,700 organizations across 83 countries, including the UK Metropolitan Police.

The security flaw was picked up by Israeli researchers Noam Rotem and Ran Locar, from VPN review service vpnmentor. In a routine network scan conducted last week, the pair found that Biostar 2’s database was publicly available, and that by manipulating URL search criteria they were able to access nearly 28 million records and 23GB of data, including fingerprints, facial recognition data, passwords and security clearance information.

Speaking to The Guardian, Rotem said that the flaw meant he could change data and add new users, which would allow him to add his own fingerprint to the system and access whatever facilities an original user was permitted to access. He added that not only was the sheer scale of the breach shocking — the service is used in 1.5 million locations around the world — but the nature of the data leak will have future consequences: you can change a password but you can’t change your fingerprint.

Rotem said the team made numerous attempts to get in touch with Suprema before taking their findings to the press, but have not yet had a response. However, Suprema’s head of marketing, Andy Ahn, told The Guardian that the company had made an “in-depth evaluation” of vpnmentor’s research and would let customers know if there was a threat.

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” he said. The vulnerability has since been closed.
