A Breach at the Bio Star 2 Security Platform Exposed Millions of Fingerprint Records, Passwords, and Facial Recognition Data
Biometrics is now used for securing both physical and digital assets, and there is a good reason for this. Authenticating users with fingerprint readers or facial recognition systems is quicker and more convenient than typing a password, and, when implemented well, a fingerprint or a face is harder to share, guess or phish than one. Biometric data can also make it easier for administrators and security teams at large organizations to set up strong access control policies and ensure that every entry is logged properly.
For all its benefits, however, biometrics has one major downside that skeptics of the technology frequently cite: unlike passwords, fingerprints and faces can't be changed or reset. If biometric data is exposed, it is exposed for good, and the consequences can be severe. A recent data leak at a security platform called Bio Star 2 showed just how serious they can be.
The Bio Star 2 data breach could have had disastrous consequences
Those of you who strive to stay current with the news in the information security industry have heard of Noam Rotem, Ran Locar, and their team at vpnMentor. Over the last few months, they have discovered more than a few poorly configured databases and servers that were leaking large amounts of sensitive information. The breach of Bio Star 2, however, could very well be the most serious incident they've seen.
Once again, the exposed information was sitting in an Elasticsearch database that required no authentication and was reachable from the public internet. Elasticsearch releases of that era did not enable authentication unless the operator turned it on, so a node bound to a public interface was open to anyone who found it. Among other things, the database held more than a million fingerprint scans and pictures of users of the facial recognition devices integrated into Bio Star 2. That alone sounds bad enough, but it gets much worse.
According to Rotem and Locar, Bio Star 2 has over 1.5 million installations around the world, and its developer, Suprema, recently partnered with a tech company called Nedap to integrate the platform into the AEOS access control system. AEOS is used by close to 6,000 organizations, ranging from small gyms to large government and law enforcement agencies. The researchers said that estimating the exact number of affected individuals is hard, but they did point out that some employees of those agencies might have had their biometric data exposed.
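The misconfiguration above, an Elasticsearch REST API that answers without credentials, is easy to check for from the outside. The following is an added example, not code from vpnMentor or Suprema. It assumes that GET / on an open node returns HTTP 200 with a JSON banner containing "cluster_name" and "version", that a node with authentication enabled answers 401, and that GET /_cat/indices?format=json lists each index with its document count; the hostname and the sample responses are constructed placeholders.

```python
"""Probe an Elasticsearch node for unauthenticated access and, if it is open,
report how many documents are reachable before any of them are read.

Added example (not vpnMentor's or Suprema's code). Assumed node behaviour:
GET / on an open node -> 200 + JSON banner with "cluster_name" and "version";
node with auth enabled -> 401; /_cat/indices?format=json -> list of indices
with "docs.count". Hostnames and sample responses are placeholders.
"""
import json
import socket
import urllib.error
import urllib.request

OPEN = "OPEN"              # answers without credentials: anyone can read it
PROTECTED = "PROTECTED"    # demands credentials
UNREACHABLE = "UNREACHABLE"
UNKNOWN = "UNKNOWN"


def classify(status, body):
    """Turn the HTTP status and body of GET / into an exposure verdict."""
    if status in (401, 403):
        return PROTECTED
    if status != 200:
        return UNKNOWN
    try:
        banner = json.loads(body)
    except ValueError:
        return UNKNOWN
    # Only an unauthenticated Elasticsearch node hands out its cluster banner.
    if isinstance(banner, dict) and "cluster_name" in banner and "version" in banner:
        return OPEN
    return UNKNOWN


def summarize_indices(cat_json):
    """Tally documents per index from a /_cat/indices?format=json body."""
    per_index = {}
    for row in json.loads(cat_json):
        per_index[row["index"]] = int(row.get("docs.count") or 0)
    return {"indices": per_index, "total_docs": sum(per_index.values())}


def fetch(url, timeout=5):
    """GET url with no credentials; return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "es-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(host, port=9200, timeout=5):
    """Return (verdict, summary); summary is None unless the node is OPEN."""
    base = f"http://{host}:{port}"
    try:
        verdict = classify(*fetch(base + "/", timeout))
        if verdict != OPEN:
            return verdict, None
        status, body = fetch(base + "/_cat/indices?format=json", timeout)
        return verdict, summarize_indices(body) if status == 200 else None
    except (urllib.error.URLError, socket.timeout, OSError):
        return UNREACHABLE, None


# Constructed sample responses, shaped like a real node's answers.
SAMPLE_BANNER = json.dumps({"name": "node-1", "cluster_name": "cluster-1",
                            "version": {"number": "6.8.1"},
                            "tagline": "You Know, for Search"})
SAMPLE_CAT = json.dumps([
    {"index": "fingerprints", "docs.count": "1000000", "store.size": "20gb"},
    {"index": "users", "docs.count": "50000", "store.size": "300mb"},
    {"index": "access-logs", "docs.count": "2000000", "store.size": "2gb"},
])

if __name__ == "__main__":
    print(classify(200, SAMPLE_BANNER), summarize_indices(SAMPLE_CAT)["total_docs"])
    print(probe("es.internal.example"))  # placeholder host: UNREACHABLE offline
```

Run `probe()` against your own nodes from outside the trust boundary; an OPEN verdict with a non-trivial document count is exactly the condition the researchers found. The fix is on the server side: bind the node to a private interface and enable authentication rather than relying on obscurity of the port.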
Usernames, passwords, and other sensitive details were also leaked
Unfortunately, the misconfigured Elasticsearch installation contained a lot more than fingerprints and facial recognition data. The researchers found employees' job titles, organizational structures and hierarchies, security levels, clearances, and logs detailing who accessed secured areas and when. Personal information, such as home and email addresses, was also exposed, and so were quite a few sets of usernames and passwords.
The researchers didn't go into much detail about what these login credentials were used for, but they did note that they could have given cybercriminals access to admin panels, dashboards, and the backend infrastructure of organizations using Bio Star 2. Although they were supposed to protect some serious assets, some of the passwords Rotem and Locar found were woefully weak. That is worrying but not especially surprising. What is rather shocking is that the people developing Bio Star 2 hadn't done enough to protect their customers, and that's before we even get to the configuration mistake that left the database exposed.
The data leak revealed Bio Star 2's data handling problems
The researchers found the exposed database on August 5, and they immediately set about contacting Suprema and disclosing the breach. The team made "numerous attempts" to get in touch with the developers via email, but after receiving no response, they picked up the phone and tried calling the company's offices in Germany. For reasons that are completely unfathomable, Suprema's German employees refused to so much as discuss the matter. vpnMentor then tried contacting the developer's French team, and this time they received a bit more cooperation. On August 13, the data was finally secured.
The developer's reaction certainly wasn't as good as it should have been, but unfortunately, this is far from the only problem.
All the login credentials Rotem and Locar found were stored in plaintext, which is just about the worst way of handling this sort of data: anyone who reached the database could read every password directly, rather than having to crack a salted, slow hash of it. The biometric records were in much the same state. Bio Star 2 had done nothing to protect them should they leak, which matters all the more because, unlike a password, a fingerprint can't be reissued.
A company responsible for the security of so many organizations, each of which in turn guards a great deal of sensitive information, cannot afford mistakes of this kind, and it's safe to assume that some of Bio Star's customers are far from happy right now. They have every reason not to be.
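To make the plaintext problem concrete, here is an added example (not Suprema's code) showing a user table kept the way the leaked records were kept beside the same table converted to salted, slow hashes. The record layout, field names and sample users are assumptions; PBKDF2-HMAC-SHA256 from the standard library is used so it runs anywhere, though Argon2id or scrypt would be preferable where available.

```python
"""Credential storage: plaintext (as found in the leak) beside salted
slow hashing (as it should have been).

Added example, not Suprema's code. Record layout 'alg$iter$salt$hash',
the field names and the sample users are assumptions.
"""
import hashlib
import hmac
import os

# Constructed sample table in the dangerous shape: whoever reads the table
# reads every password verbatim.
PLAINTEXT_RECORDS = {
    "admin": "Password123",
    "j.doe": "summer2019",
}

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'alg$iterations$salt_hex$hash_hex'.
    A fresh random salt per user defeats precomputed (rainbow) tables."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the record's own salt and iteration count and compare
    in constant time, so neither the stored value nor the timing of a
    comparison reveals anything about the password."""
    alg, iterations, salt_hex, digest_hex = record.split("$")
    if alg != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate(plaintext_records):
    """One-off conversion of a plaintext table into hashed records."""
    return {user: hash_password(pw) for user, pw in plaintext_records.items()}


def leaks_password(stored_value, password):
    """What an attacker holding a dumped record learns: True if the
    password appears in the stored value verbatim."""
    return password in stored_value


if __name__ == "__main__":
    hashed = migrate(PLAINTEXT_RECORDS)
    for user, pw in PLAINTEXT_RECORDS.items():
        print(user,
              "plaintext leaks:", leaks_password(PLAINTEXT_RECORDS[user], pw),
              "hashed leaks:", leaks_password(hashed[user], pw),
              "still verifies:", verify_password(pw, hashed[user]))
```

Hashing does not rescue weak passwords like the ones the researchers saw, since a short dictionary word falls to an offline guess in seconds even at 600,000 iterations; it raises the cost of every guess, which is why it must be paired with a password policy. Biometric records need a different treatment again, since they can't be rotated: they should be stored encrypted at rest with keys held outside the database, so that a copy of the database alone yields nothing usable.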