Biometrics, usually fingerprints or faces, are often touted as a more secure form of authentication, or at least as a strong second factor. But what if those very same pieces of data have been compromised? And what if it happened through the sheer negligence of a security company whose business is to help secure people around the world? That is the nightmarish reality that befell customers of Suprema's web-based Biostar 2 biometric access-control platform and, by extension, more than 1 million people across the globe.
Biostar 2 might not be a familiar name, but that is par for the course for third-party "middleware" services, which tend to remain unknown until news like this breaks. Suprema's list of clientele, however, runs from gym chains in Pakistan to the UK Metropolitan Police, all of whom use the software for centralized access control to warehouses, office buildings, and the like.
Israeli security researchers Noam Rotem and Ran Locar, however, discovered that Biostar 2's database itself was anything but secure. The database was reachable without any authentication and its contents were stored unencrypted, so it took little work for them to read access logs and even modify existing records: alter the data tied to a user account and you can pass as that user, and whatever sits behind the physical doors that account opens is yours.
The amount and variety of exposed data is staggering. The 27.8 million records, some 23 GB of data, included fingerprint and facial recognition data drawn from roughly 1.5 million locations around the world. To make matters worse, the database also held personal information along with account passwords stored in plaintext, readable by anyone who reached it.
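To make the plaintext-password failure concrete, here is an added example (not Suprema's code, and not taken from the researchers' report) that contrasts a credential store of the kind described above with one that stores only salted, memory-hard password hashes. Everything in it is constructed for illustration: the usernames, the password, and the store layout are assumptions, and the point is only what a copy of each database reveals to whoever reads it.

```python
import hashlib
import hmac
import os

# Constructed sample in the weak style the report describes: the password
# itself sits in the record, so reading the database means reading the password.
PLAINTEXT_STORE = {"alice": "hunter2"}  # assumed sample credential, not real data


def verify_plaintext(store, username, password):
    """The weak pattern: compare the stored plaintext password directly."""
    return store.get(username) == password


# scrypt parameters: N=2**14, r=8 needs 128*r*N = 16 MiB per hash, which keeps
# bulk offline guessing expensive without slowing down a single login.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Derive a 32-byte scrypt digest; a fresh random salt is used unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return salt, digest


def register(store, username, password):
    """Store only the salt and the digest; the password never reaches the database."""
    salt, digest = hash_password(password)
    store[username] = {"salt": salt.hex(), "hash": digest.hex()}


def verify_hashed(store, username, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    entry = store.get(username)
    if entry is None:
        # Burn one hash computation anyway so a missing user is not
        # distinguishable from a wrong password by response time.
        hash_password(password, b"\x00" * 16)
        return False
    salt = bytes.fromhex(entry["salt"])
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, bytes.fromhex(entry["hash"]))


def leak_reveals_password(store, username):
    """What someone holding a dump of the store learns about this user's password.

    Returns the password string for a plaintext record, or None when the record
    holds only a salt and digest (an attacker must then guess offline).
    """
    entry = store.get(username)
    return entry if isinstance(entry, str) else None


if __name__ == "__main__":
    hashed_store = {}
    register(hashed_store, "alice", "hunter2")
    print("plaintext dump reveals:", leak_reveals_password(PLAINTEXT_STORE, "alice"))
    print("hashed dump reveals:", leak_reveals_password(hashed_store, "alice"))
    print("login with hashed store:", verify_hashed(hashed_store, "alice", "hunter2"))
```

The hashed store still lets a legitimate login succeed, but a stolen copy of it yields only salts and digests that have to be guessed one at a time at scrypt's cost. Note that this fix covers passwords only; a fingerprint template cannot be salted and hashed this way because the next scan never matches bit for bit, which is exactly why biometric data needs encryption at rest and strict access control rather than less protection than a password.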
Suprema's initial response was, unsurprisingly, silence, followed by taking the database offline. Hopefully it did so before any less conscientious party got their hands on the information, because, unlike a password, a leaked fingerprint or face cannot be reset or rotated. A biometric, once exposed, is exposed for life, which is why the data behind a biometric lock needs stronger protection at rest than a password, not weaker.