Check if your biometric records (fingerprints, facial recognition data) are in this data breach of more than 1 million people

Biometric records of more than one million people, along with other sensitive details, were left exposed in an unsecured database that anyone could reach, web application security experts report. According to reports, the company responsible for this database works closely with British police, banking institutions and military contractors.

Suprema, the company involved in the incident, is responsible for Biostar 2, a network-based biometric access control system that provides centralized control over access to critical facilities such as warehouses or offices. The system uses fingerprints and facial recognition to identify people authorized to enter certain facilities.

In turn, the Biostar system is integrated with AEOS, another access control system used by thousands of organizations in almost a hundred countries; the most prominent clients of these services include banks, governments, and law enforcement and national security institutions.

Noam Rotem and Ran Locar, web application security experts, run a port scanning project that looks for ranges of IP addresses exposing similar services, in order to find security flaws in organizations' systems that could lead to a data breach. It was during this project that they discovered the exposed and unencrypted Biostar 2 database; to reach it, the researchers only had to manipulate the URL search criteria in Elasticsearch.
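The core of the failure described above is an Elasticsearch endpoint that answers anonymous requests. The following added example (not Suprema's or the researchers' code) is a defender-side audit for your own cluster: it sends one unauthenticated request to the root endpoint, classifies the reply (a cluster with security enabled answers 401, an unsecured one returns cluster metadata to anyone), and summarizes an index listing so an operator can see how many documents an anonymous caller could read. The base URL and the constructed sample responses are assumptions.

```python
"""Audit whether an Elasticsearch endpoint serves unauthenticated requests.

Assumption: the target is a cluster you operate. With security enabled,
anonymous requests to / get HTTP 401; without it, the root endpoint returns
cluster metadata and /_cat/indices lists every index to any caller.
"""
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Map an anonymous GET / response (status code, body) to a verdict."""
    if status == 401:
        return "protected"            # authentication demanded, as expected
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"          # something else is listening here
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "exposed"          # anonymous caller sees cluster metadata
    return "unknown"


def summarize_indices(cat_json):
    """Turn /_cat/indices?format=json output into {index: document count}."""
    return {row["index"]: int(row.get("docs.count") or 0)
            for row in json.loads(cat_json)}


def _anonymous_get(url, timeout=5):
    """Fetch url without credentials; return (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def audit(base_url, timeout=5):
    """Probe the root endpoint; if exposed, also count what an anonymous user can read."""
    base = base_url.rstrip("/")
    verdict = classify(*_anonymous_get(base + "/", timeout))
    counts = {}
    if verdict == "exposed":
        status, body = _anonymous_get(base + "/_cat/indices?format=json", timeout)
        if status == 200:
            counts = summarize_indices(body)
    return verdict, counts


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9200"))
```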

Web application security experts gained access
to more than 27 million records and more than 20 GB of data, including
dashboards, fingerprint records, facial recognition data, user photos, login
credentials and unencrypted passwords, among other sensitive details. “These
details allow you to know which users are registered in the access system, and
it is also possible to determine the real-time location of users on the
facilities that have this system; it’s even possible to modify some data and
add new users,” the experts mention.

This is an alarming possibility, as virtually anyone with access to that database could register themselves in the system and enter facilities with critical security levels, whether a corporate building or a military or security facility.

The researchers said it was possible to access data from hundreds of organizations in the U.S., UK, India and Pakistan, among other countries. According to web application security experts, the potential impact of this incident is alarming, as more than 1 million locations around the world use this system. In addition, unlike a password, users cannot change their fingerprints if the data is stolen.

Although the researchers tried multiple times to contact the company responsible for the database, it took about a week to get a response. The flaw was eventually corrected early on Wednesday morning, although the company has still made no comment on the incident.

Specialists from the International Institute of Cyber Security (IICS) note that database vulnerabilities of this kind are very common. Discovering them is a tedious process, but the interest of hackers in accessing sensitive information leads them to find these security flaws.