BioStar 2 breach leaks fingerprints, facial data

Security researchers at vpnMentor have warned of a serious breach of the Suprema BioStar 2 biometric security database, containing the fingerprints, facial recognition data, and plain-text usernames and passwords of over a million individuals.

Developed by Suprema, BioStar 2 is described by its creators as 'a web-based, open, and integrated security platform' focused primarily on time and attendance. Where traditional time and attendance systems might rely on punch-cards, BioStar 2 uses biometric information to speed up the clocking in and clocking out process: Users log on to the system using a fingerprint or, in its more recent releases, a facial recognition scan. Its popularity is impressive: The company boasts 5,700 major clients across 83 countries, including the UK Metropolitan Police.

Unfortunately, BioStar 2 has turned out to be somewhat more open than its inventors might have hoped: Security researchers Noam Rotem and Ran Locar, working with a team at vpnMentor, discovered a database breach which has leaked credentials and biometric information for over a million users.

'The data leaked in the breach is of a highly sensitive nature. It includes detailed personal information of employees and unencrypted usernames and passwords, giving hackers access to user accounts and permissions at facilities using BioStar 2,' vpnMentor explains in a blog post. 'Malicious agents could use this to hack into secure facilities and manipulate their security protocols for criminal activities.

'This is a huge leak that endangers both the businesses and organisations involved, as well as their employees. Our team was able to access over 1 million fingerprint records, as well as facial recognition information. Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive. Once stolen, fingerprint and facial recognition information cannot be retrieved. An individual will potentially be affected for the rest of their lives.'

The company claims it reported the vulnerability which was allowing full access to the database to Suprema's BioStar 2 division on August 7th but found the company 'very uncooperative.' It took until August 13th for the breach to be closed, but not before vpnMentor had confirmed unfettered access to 27.8 million records comprising 23GB providing full control over client administration panels and dashboards, fingerprint data on over a million individuals, facial recognition images and data, plain-text usernames and passwords, records of entries into and exits from secure areas, employee records including security and clearance levels, home addresses and personal email addresses, and information on the mobile operating systems and devices used at client companies.

'One of the more surprising aspects of this leak was how unsecured the account passwords we accessed were. Plenty of accounts had ridiculously simple passwords, like "Password" and "abcd1234",' the team writes. 'It’s difficult to imagine that people still don’t realise how easy this makes it for a hacker to access their account. Of course, many users did create more complicated and effective passwords that normally would be difficult to discover or decrypt. However, we were easily able to view passwords across the BioStar 2 database, as they were stored as plain text files, instead of being securely hashed.'

The breach was severe enough, vpnMentor claims, to allow attackers to hijack legitimate accounts - replacing fingerprint data with their own, in order to gain access to secure areas and then delete the entry logs immediately after. 'As a result, a hacked building’s entire security infrastructure becomes useless. Anybody with this data will have free movement to go anywhere they choose, undetected.'

Suprema has not yet offered a public announcement on the breach, but has told the Guardian that it is investigating the issue and 'will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets' if it can confirm what vpnMentor appears to have very thoroughly demonstrated.