It has been coming for some time, but now a major breach of a biometric database has actually been reported: facial recognition records, fingerprints, log data and personal information have all been found in “a publicly accessible database.” The damage is not yet clear, but the report claims that actual fingerprints and facial recognition records for millions of people have been exposed.
The issue with biometric data being stored in this way is that, unlike usernames and passwords, it cannot be changed. Once it’s compromised, it’s compromised. And for that reason, this breach report will sound all kinds of alarms.
The report, published by security researchers Noam Rotem and Ran Locar at vpnMentor, relates to Suprema, a company describing itself as a “global Powerhouse in biometrics, security and identity solutions,” with a product range that “includes biometric access control systems, time and attendance solutions, fingerprint live scanners, mobile authentication solutions and embedded fingerprint modules.”
The news of the breach was first published in Wednesday’s Guardian newspaper in the U.K., which highlighted the use of Suprema solutions by the “Metropolitan Police, defense contractors and banks.” The breach, though, is international, with Suprema’s BioStar 2 biometric identity SDK integrated into the AEOS access control system “used by 5,700 organizations in 83 countries, including governments, banks and the police.”
Rotem and Locar found the exposure by port-scanning “familiar IP blocks” and following the threads that turned up toward public-facing datasets: breaches, in other words. The motherlode for such research is either sensitive data or a large-scale company; in this instance they appear to have found both combined. Almost 28 million records across more than 23 gigabytes of data, which they claim include “fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.”
Highly sensitive data was left unencrypted, the researchers also claim, including (most alarmingly of all) usernames and passwords. “We were able to find plain-text passwords of administrator accounts,” Rotem told the Guardian. “The access allows, first of all, seeing millions of users are using this system to access different locations and see in real-time which user enters which facility or which room in each facility.” The researchers were even “able to change data and add new users.”
The really serious implications here are twofold. First, the manipulation of access control systems for secure sites: editing accounts, changing logs, removing or adding entries, even changing user data. Second, and even more of an issue, access to the biometric data itself, which by its nature cannot be changed. To lose a username and password is one thing; to have fingerprints stolen is quite another, because they can never be reissued.
According to the researchers, “instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.” One caveat to that framing: a conventional cryptographic hash cannot be applied to a fingerprint the way it is to a password, because two scans of the same finger never match bit-for-bit and matching has to tolerate noise. What a well-designed system can do is store a derived template rather than the raw image, encrypt it at rest and keep it off any internet-facing database. If this biometric data has indeed been left in a usable form, then questions need to be asked well beyond the breach itself.
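Of the two findings, the plaintext administrator passwords are the one with a textbook fix, and they illustrate what “unencrypted” cost here. The following Python is an added example written for this page, not code from Suprema, BioStar 2 or the researchers: it takes a constructed credential record of the kind described above, rewrites it to hold only a salted PBKDF2 digest, and shows that logins still verify while a copy of the store no longer yields a usable password. The record contents, the iteration count and the storage format are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample records in the shape of a plaintext credential store
# (not real data from any product): the password is stored exactly as typed,
# so anyone who can read the database can log in as the administrator.
PLAINTEXT_STORE = {
    "admin": {"password": "Sup3rS3cret!", "clearance": "all-areas"},
    "guard-07": {"password": "lobby2019", "clearance": "ground-floor"},
}

# Assumed KDF parameters for the example; tune the iteration count to your
# hardware and current guidance, and prefer a memory-hard KDF where available.
KDF_NAME = "pbkdf2_sha256"
KDF_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a self-describing string: name$iterations$salt_hex$digest_hex.

    A fresh random salt per user means identical passwords get different
    digests, so precomputed tables are useless against a leaked store.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return f"{KDF_NAME}${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    try:
        name, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never fall back to a plaintext compare
    if name != KDF_NAME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def harden_store(store):
    """Rewrite a plaintext store so that no record carries a recoverable password."""
    hardened = {}
    for user, record in store.items():
        record = dict(record)  # do not mutate the caller's data
        record["password_hash"] = hash_password(record.pop("password"))
        hardened[user] = record
    return hardened


def login(store, user, password):
    """Authenticate against a hardened store; unknown users and bad passwords both fail."""
    record = store.get(user)
    if record is None:
        return False
    return verify_password(password, record["password_hash"])


def recoverable_passwords(store):
    """What a copy of the database hands an attacker: any plaintext passwords present."""
    return {user: rec["password"] for user, rec in store.items() if "password" in rec}


if __name__ == "__main__":
    print("leaked plaintext store reveals:", recoverable_passwords(PLAINTEXT_STORE))
    hardened = harden_store(PLAINTEXT_STORE)
    print("leaked hardened store reveals:", recoverable_passwords(hardened))
    print("admin login, correct password:", login(hardened, "admin", "Sup3rS3cret!"))
    print("admin login, wrong password:", login(hardened, "admin", "password"))
```

This works because a password is compared for exact equality, so the server only ever needs the digest. Fingerprint matching is approximate, which is why the same trick does not transfer directly to the biometric records in this story, and why those need to be protected at rest and kept off public-facing infrastructure rather than “hashed.”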
The researchers told the Guardian they had made “multiple attempts” to contact Suprema before disclosing their findings. The vulnerability has been shut down and a Suprema spokesperson told the Guardian that the company had launched an “in-depth” evaluation of the report. “If there has been any definite threat to our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets.”
Suprema has been approached for any comments on this story.
Biometric security is very much in the news these days, and while many of those headlines have focused on AI-related technologies like facial recognition, more biometric security still relies on fingerprints than on anything new. And there is little concern expressed over that level of security for access control or immigration. But the risk with the growing volume of biometric data has always been theft, and we have not yet analyzed and understood the ways in which such stolen data might be used. That is despite reports of spoofed fingerprints defeating smartphone locks and banking apps.
The final interesting takeaway from this story doesn’t relate to any of the specifics; it’s a much more general point. We are currently giving away biometric information to multiple platforms and providers: our phones, our banks, our immigration services, to name but a few. Every time we do this, our risk increases. At some point, the realization will hit that we need some kind of unified platform where we limit the number of parties who actually hold such data, with others accessing those trusted holders on an “as a service” basis.
Until then, this will not be the last news item of this kind.