Yet another database of personal information has been found on an unsecured server. This one stands out for its size, the range of unencrypted PII it contains, and the inclusion of vast numbers of biometric records.
The database, belonging to South Korean biometrics giant Suprema, was found by Israeli privacy security researchers Noam Rotem and Ran Locar working with vpnMentor. The data was held in an Elasticsearch database, which — write the researchers — “we were able to access… via browser and manipulate the URL search criteria into exposing huge amounts of data.”
The data they found belongs to Suprema’s BioStar 2 application. This is a web-based biometric security smart lock platform that uses facial and fingerprint biometrics to allow admins to control access to secure areas, manage user permissions, integrate with third-party security apps, and record activity logs. There are more than 1.5 million installations of the platform around the world.
The data the researchers were able to access comprised more than 27.8 million records within 23 gigabytes of data. It included access to client dashboards; unencrypted usernames, passwords and IDs; records of entry and exit to secure areas; staff security levels and clearances; home addresses and emails; business hierarchies; and mobile device and OS information.
Of particular concern, it also included unencrypted fingerprint data, facial recognition information, and images. Security experts have been warning of the threat from biometric breaches for years because, as the researchers comment, “Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can’t be undone.”
This is not the first time that biometric data has potentially been stolen. Approximately 1.1 million fingerprints were stolen in the 2015 U.S. OPM breach. Nevertheless, it is a sufficiently new and rare occurrence for there to be little information on how criminals might use biometric data.
In this Suprema breach, however, there is enough additional personal information available that some options are obvious. Because it includes admin accounts with clear text passwords, attackers could change the existing security settings throughout the network. As a nuisance, authorized staff could simply be locked out. More worryingly, attackers could create new accounts with their own fingerprints, or hijack existing accounts, to gain access to secure facilities. If the secure facility is a data center, they can gain physical access to a company’s IT infrastructure.
Basically, say the researchers, “This provides a hacker and their team open access to all restricted areas protected with BioStar 2. They also have access to activity logs, so they can delete or alter the data to hide their activities.”
Physical property could be stolen from premises and intellectual property (such as blueprints) removed from offices. Entire systems could be breached through successful phishing attacks against senior personnel based on the available PII, while BEC attacks could be made simpler through the access to company structures, staff hierarchies and their emails.
Rotem and Locar detected the breach on August 5, 2019, and contacted Suprema on August 7, 2019. Email approaches went unanswered. “We also tried to contact BioStar 2’s GDPR compliance officer but received no reply,” say the researchers. Phone calls to European offices fared little better: the German office hung up, but the French office was apparently more cooperative. However, despite the apparently uncooperative response from Suprema, the breach was closed on August 13, 2019, less than one week after notification.
Crickhowell High School in Wales is just one Suprema customer. Its website states, “As part of ongoing improvements to our safeguarding policy and security to the school buildings, a biometric door entry system has been installed to all external doors (with the exception of fire doors which lock automatically), access to which can now be activated by fingerprint recognition, ensuring no unauthorized access to the school buildings during the school day.” All pupils’ fingerprints are taken, providing individual access.
Also on the site is a statement signed by Young S. Moon, VP marketing & sales, Suprema Inc. It states, “In order to secure this template, cryptographic tools and encryption methods are used such as 256bit AES encryption making it very difficult to access the necessary data to reverse engineer the process. The ability to reduplicate the original image and prove the identity via a fingerprint expert is not possible.” Rotem’s and Locar’s discovery throws doubt on this. In the Elasticsearch database, not only is the template unencrypted, its owner is also identified in unencrypted fashion.
At this stage, we only have the vpnMentor report on the incident (we don’t know, for example, if the Crickhowell details were part of the breach). Suprema has so far said very little. Its head of marketing, Andy Ahn, told the Guardian, “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets.”