Massive Breach Discovered in Biometrics used at Banks, Defence Organizations and UK Police Departments

Photo credit: thesslstore.com

The Biostar 2 biometric lock system appears to have suffered a major data exposure: personal employee details, unencrypted usernames and passwords, fingerprints and facial recognition data were discovered on a publicly accessible database belonging to the company Suprema.

Suprema is a security company responsible for the Biostar 2 biometric lock system. The system provides centralized access control for facilities: facial recognition and fingerprints are used to grant entry to buildings and warehouses.

In July, Suprema announced that it had integrated Biostar 2 into another access control system, AEOS, which is used by over 5,700 organizations in 83 countries.

vpnMentor, an Israel-based company, reviews virtual private networks and also scans ranges of IP blocks, probing the systems it finds for holes that could lead to data breaches. vpnMentor found such a breach at Suprema, and the results were shocking.

The breach provided access to over 27.8 million records, 23 gigabytes of data that included facial recognition data, fingerprints, unencrypted usernames and passwords, personal details of staff, security levels and clearance, and facility access logs. According to Rotem, a researcher at vpnMentor, “much of the usernames and passwords were not encrypted”.

Through this breach, anyone could work out who accessed which facility, down to which room was entered and at what time. Anyone with access could also edit existing records and reuse the stored fingerprints. Unlike a password, a fingerprint cannot be reset once it has been copied, so stolen prints could be reused for malicious purposes against any system that trusts them. Names and photos were editable too, so an attacker could add their own details to an existing user record and enter a facility without being questioned by security.
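
The unencrypted usernames and passwords are the most directly reusable item in a dump like this. The block below is an added example, not code from Suprema, Biostar 2 or vpnMentor: it shows the weak pattern (the password written to the record as typed) beside a hardened one (scrypt with a random per-user salt and a constant-time comparison), plus an audit function that scans a set of user records and flags every one whose password field is not a digest. The record layout, the `scrypt$salt$digest` encoding, the KDF parameters and the sample records are assumptions made for this example.

```python
import hashlib
import hmac
import os

# KDF parameters. These are assumptions for the example; raise SCRYPT_N on
# production hardware (it sets the memory/CPU cost an attacker pays per guess).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16        # bytes of random salt per user
DIGEST_LEN = 64      # bytes of derived key stored per user


def store_plaintext(username, password):
    """The weak pattern the article describes: the password is written to the
    record as typed, so anyone who can read the database can reuse it."""
    return {"username": username, "password": password}


def store_hashed(username, password):
    """Hardened pattern: a random per-user salt and a memory-hard KDF, so the
    record holds nothing that can be replayed against the login directly."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN)
    # Self-describing encoding (assumed format): scheme$salt_hex$digest_hex
    return {"username": username,
            "password": "scrypt$%s$%s" % (salt.hex(), digest.hex())}


def looks_hashed(value):
    """True only if the field has the exact shape store_hashed() produces."""
    parts = value.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    try:
        salt, digest = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    return len(salt) == SALT_LEN and len(digest) == DIGEST_LEN


def verify(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time.
    A record that is not in the hashed format never verifies."""
    stored = record.get("password", "")
    if not looks_hashed(stored):
        return False
    _, salt_hex, digest_hex = stored.split("$")
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    got = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected))
    return hmac.compare_digest(got, expected)


def find_plaintext_credentials(records):
    """Audit a set of user records and return the usernames whose password
    field is not a digest (plaintext, empty, or some other scheme)."""
    return [r["username"] for r in records
            if not looks_hashed(r.get("password", ""))]


# Constructed sample records for the example, not data from the actual breach.
SAMPLE_RECORDS = [
    store_plaintext("jsmith", "Summer2019!"),
    store_hashed("akim", "correct-horse-battery-staple"),
    {"username": "svc_door", "password": ""},   # empty field: also flagged
]

if __name__ == "__main__":
    print("plaintext credentials:", find_plaintext_credentials(SAMPLE_RECORDS))
    print("right password accepted:", verify(SAMPLE_RECORDS[1], "correct-horse-battery-staple"))
    print("wrong password rejected:", not verify(SAMPLE_RECORDS[1], "Summer2019!"))
```

Running `find_plaintext_credentials` over an export of your own user table, before it is ever reachable from the internet, is the check that would have caught the condition Rotem describes; `looks_hashed` is deliberately strict about salt and digest length so that truncated or hand-edited fields are flagged rather than silently accepted.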


Suprema’s head of marketing, Andy Ahn, said “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets”, and said the company had begun an “in-depth evaluation”.

“Mistakes happen, and the real test is how you handle them,” Rotem said. He added “this happens quite a lot. It’s unpleasant for someone to point out you have a vulnerability or weakness. Some people take it as an opportunity to fix it and some people are offended by it for some reason.”

As noted above, breaches like this happen often, and those responsible for them tend to stay one step ahead of those policing the matter. The data exposed in such incidents makes identity fraud and money laundering considerably easier.
