What you need to know
- Two Israeli security researchers discovered an unencrypted Biostar 2 database with 23GB worth of data
- Included in the data were fingerprints, facial scans, usernames, passwords, and other personal information of over 1 million people.
- The vulnerability has now been closed and the company is doing an in-depth evaluation of the information.
Last week, Israeli security researchers Noam Rotem and Ran Locar discovered a mostly unencrypted publicly accessible Biostar 2 database online. The database included fingerprints, facial scans, usernames and passwords, and personal information of over 1 million people.
Biostar 2 is a biometrics lock system developed by the security company Suprema that integrates with the AEOS access control system. The AEOS just happens to be used in 83 countries worldwide and 5,700 organizations, including governments, banks, and the UK Metropolitan Police.
Rotem and Locar happened upon this database during a side project with vpnmentor where they scan "ports looking for familiar IP blocks, and then use these blocks to find holes in companies' systems that could potentially lead to data breaches."
After the pair found Biostar 2's database, they were able to search the database and manipulate URLs to gain access to the data.
The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
Speaking to the Guardian, Rotem said most of the usernames and passwords were unencrypted, and that they were also able to change data and add new users to the system.
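The article notes that usernames and passwords were stored unencrypted, so a copy of the database exposed them directly. Below is an added example, not code from the article or from Suprema, showing what a password store should look like instead: each password is hashed with a per-user random salt using PBKDF2-HMAC-SHA256 from Python's standard library, and verification recomputes the hash and compares it in constant time. The record format (`algorithm$iterations$salt$hash`), the iteration count and the sample credential are all constructed assumptions for this demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential, in the plaintext form the breach exposed.
# Nothing like this should ever be written to a database.
PLAINTEXT_RECORD = {"username": "alice", "password": "correct horse battery staple"}

# Assumed work factor; tune to your hardware so a verification takes tens of ms.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh 16-byte random salt is drawn per password, so two users with the
    same password get different records and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False  # unknown algorithm: fail closed rather than guess
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


def plaintext_exposed(record: str, password: str) -> bool:
    """True if the stored record contains the password itself (what the breach showed)."""
    return password in record


if __name__ == "__main__":
    stored = hash_password(PLAINTEXT_RECORD["password"])
    print("stored record:", stored)
    print("login with right password:", verify_password(PLAINTEXT_RECORD["password"], stored))
    print("login with wrong password:", verify_password("hunter2", stored))
    print("plaintext recoverable from record:", plaintext_exposed(stored, PLAINTEXT_RECORD["password"]))
```

A dump of a table built this way yields salts and hashes, not credentials; an attacker still has to brute-force each hash separately at the configured cost. Usernames, by contrast, are not secrets and are normally stored in the clear, which is why the password side is where the hashing matters.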
In the paper about the discovery provided to the Guardian before being published by vpnmentor on Wednesday, the researchers said they were able to access data from co-working organizations in the US and Indonesia, a gym chain in India and Pakistan, a medicine supplier in the United Kingdom, and a car parking space developer in Finland, among others.
What makes this even more dangerous, as the researchers pointed out, is that the database stores people's actual fingerprints rather than a hash of the fingerprint, which cannot be reverse-engineered. That means the fingerprint itself can be copied and used by others.
Rotem and Locar made multiple attempts to contact Suprema before sending their paper to the Guardian late last week, and as of Wednesday morning, the vulnerability has been fixed. The head of marketing at Suprema, Andy Ahn, told the Guardian that the company is doing an "in-depth evaluation" of the information and:
If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers' valuable businesses and assets.
We've all seen the news stories about security breaches, and more than likely you've been the victim of one of these in the past. It usually requires you to change your password, but when it comes to your biometric data, you can't just change your fingerprint or face.