What you need to know
- Two Israeli security researchers discovered an unencrypted Biostar 2 database with 23GB worth of data
- Included in the data were fingerprints, facial scans, usernames, passwords, and other personal information of over 1 million people.
- The vulnerability has now been closed and the company is doing an in-depth evaluation of the information.
Last week, Israeli security researchers Noam Rotem and Ran Locar discovered a mostly unencrypted publicly accessible Biostar 2 database online. The database included fingerprints, facial scans, usernames and passwords, and personal information of over 1 million people.
Biostar 2 is a biometrics lock system developed by the security company Suprema that integrates with the AEOS access control system. The AEOS just happens to be used in 83 countries worldwide and 5,700 organizations, including governments, banks, and the UK Metropolitan Police.
Rotem and Locar happened upon this database during a side project with vpnmentor where they scan "ports looking for familiar IP blocks, and then use these blocks to find holes in companies' systems that could potentially lead to data breaches."
After the pair found Biostar 2's database, they were able to search the database and manipulate URLs to gain access to the data.
Speaking to the Guardian, Rotem said most of the usernames and passwords were unencrypted and they were able to also change data and add new users into the system.
What makes this even more dangerous, as the researchers pointed out, is that the database stores the fingerprints themselves rather than a hash of the fingerprint that cannot be reverse-engineered. That means the fingerprint data can be copied and used by others.
Rotem and Locar made multiple attempts to contact Suprema before sending their paper to the Guardian late last week, and as of Wednesday morning, the vulnerability has been fixed. The head of marketing at Suprema, Andy Ahn, told the Guardian that the company is doing an "in-depth evaluation" of the information and:
We've all seen the news stories about security breaches, and more than likely you've been the victim of one of these in the past. It usually requires you to change your password, but when it comes to your biometric data, you can't just change your fingerprint or face.
Big brother is watching. And it's a fumble-fingered forkwit!
Who didn't see this coming...
That's exactly why I like PIN numbers!!
How does this affect the fingerprint and face ID data stored only on our phones?
Just asking out of curiosity.
If your fingerprint and/or facial data is in the breached database, they could be used to unlock your phones (if the perpetrator has access to your devices). That's about it really, biometric data on your phone is stored locally while this breach is of the government's database.
Perhaps it's time to go back to my Blackberry 10 Classic? 🤔 and simplify things. My best friend moved to Germany a few years ago and he told me most people in the northern town near the Denmark border bank primarily in person and don't allow group pictures of kids shared on the likes of Facebook and social media.
Never say never but so far I have been able to avoid using biometric security for anything.
So, what devices were compromised? Seems an important part of the article that wasn't mentioned at all, how would one know if their data was part of this?
Guess what? If you've ever rented a free locker at Universal Studios they have your fingerprint there too! *Gasp*