A damning report on a huge data breach in the Biostar 2 biometric security platform, affecting millions of users, has prompted industry-wide concern about the true security level of biometric security systems.
The report, by the research team at vpnMentor.com led by internet privacy researchers Noam Rotem and Ran Locar, describes how the team discovered a huge data breach in the Biostar 2 platform.
Biostar 2 is a web-based biometric security smart lock platform. A centralized application, it allows admins to control access to secure areas of facilities, manage user permissions, integrate with third-party security apps, and record activity logs. As part of the biometric software, Biostar 2 uses facial recognition and fingerprinting technology to identify users.
The app is built by Suprema, one of the world’s top 50 security manufacturers, with the highest market share in biometric access control in the EMEA region. Suprema recently partnered with Nedap to integrate Biostar 2 into Nedap’s AEOS access control system.
AEOS is used by over 5,700 organizations in 83 countries, including some of the biggest multinational businesses, many small local businesses, governments, banks, and even the UK Metropolitan Police.
The data leaked in the breach is of a highly sensitive nature. It includes detailed personal information of employees and unencrypted usernames and passwords, giving hackers access to user accounts and permissions at facilities using Biostar 2. This leaves the platform wide open to so-called "malicious agents" who could easily use the data to hack into secure facilities and manipulate their security protocols for criminal activities.
The report authors said: "This is a huge leak that endangers both the businesses and organizations involved, as well as their employees. Our team was able to access over 1 million fingerprint records, as well as facial recognition information. Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive.
"Unlike a password or PIN, once stolen, fingerprint and facial recognition information cannot be retrieved, leaving individuals exposed for the rest of their lives."
However, when the vpnMentor team contacted Biostar 2 to alert them to their data breach findings, they found the company "generally very uncooperative": their emails were ignored, and when Biostar 2 was eventually reached by phone they were told that they “don’t speak to vpnMentor” before the call was unceremoniously ended. Even attempts to contact Biostar 2’s GDPR compliance officer fell on stony ground.
Eventually, after speaking to the more cooperative French branch over the phone, steps were taken by the company to close the breach.
The vpnMentor team was able to access over 27.8 million records, a total of 23 gigabytes of data, which included access to client admin panels, dashboards, back-end controls, employee records, security levels, clearances and permissions, as well as the hugely valuable biometric data.
One of the more surprising aspects of this leak was how unsecured the account passwords we accessed were. Plenty of accounts had ridiculously simple passwords, like “Password” and “abcd1234”. It’s difficult to imagine that people still don’t realize how easy this makes it for a hacker to access their account.
Of course, many users did create more complicated and effective passwords that normally would be difficult to discover or decrypt. However, we were easily able to view passwords across the BioStar 2 database, as they were stored as plain text, instead of being securely hashed.
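The two storage practices contrasted above, as an added example written for this article (it is not code from vpnMentor, Suprema or the Biostar 2 product). The plain-text table mirrors what the report describes; the hardened form uses salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library, with a constant-time comparison on verification. The account names, the iteration count and the small denylist are assumptions chosen for illustration; the two weak passwords in the denylist are the ones the article quotes.

```python
"""Added example: plain-text credential storage versus salted password hashing.

Not from the article, vpnMentor or Suprema. Sample accounts, the iteration
count and the denylist are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- The weak pattern the article describes: passwords kept as plain text. ---
# Anyone who can read this table (a leaked database, an exposed index, a
# backup) immediately holds every credential verbatim.
PLAINTEXT_STORE: Dict[str, str] = {
    "admin@example.test": "Password",  # constructed sample; weak value quoted in the article
    "guard@example.test": "abcd1234",  # constructed sample; weak value quoted in the article
}


def plaintext_login(store: Dict[str, str], user: str, password: str) -> bool:
    """Login against the plain-text table: a direct string comparison."""
    return store.get(user) == password


# --- Hardened form: one random salt per account, iterated hashing. ---
# Assumption: 600,000 iterations, chosen to make offline guessing slow on
# current hardware; tune for the deployment's own latency budget.
PBKDF2_ITERATIONS = 600_000


@dataclass(frozen=True)
class PasswordRecord:
    """What the database holds instead of the password: salt, digest, cost."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> PasswordRecord:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh salt every call."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return PasswordRecord(salt=salt, digest=digest, iterations=iterations)


def verify_password(record: PasswordRecord, candidate: str) -> bool:
    """Re-derive with the stored salt/cost and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record.salt, record.iterations
    )
    return hmac.compare_digest(digest, record.digest)


# Constructed denylist in the spirit of the article's examples; a real
# deployment would check against a breached-password corpus instead.
DENYLIST = {"password", "abcd1234", "123456", "qwerty", "admin"}


def is_weak_password(password: str, min_length: int = 12) -> bool:
    """Flag passwords that are too short or on the denylist (case-insensitive)."""
    return len(password) < min_length or password.lower() in DENYLIST


def migrate_to_hashed(
    store: Dict[str, str],
) -> Tuple[Dict[str, PasswordRecord], List[str]]:
    """Convert a plain-text table to hashed records in one pass.

    Returns the hashed table and the users whose current password is weak
    and should be forced through a reset, since hashing alone does not make
    "Password" any harder to guess online.
    """
    hashed: Dict[str, PasswordRecord] = {}
    needs_reset: List[str] = []
    for user, password in store.items():
        hashed[user] = hash_password(password)
        if is_weak_password(password):
            needs_reset.append(user)
    return hashed, needs_reset


if __name__ == "__main__":
    hashed_store, flagged = migrate_to_hashed(PLAINTEXT_STORE)
    print("users flagged for reset:", flagged)
    print("login still works after migration:",
          verify_password(hashed_store["guard@example.test"], "abcd1234"))
```

The point of the migration step is that a dump of `hashed_store` contains no password, only per-account salts and digests, whereas a dump of `PLAINTEXT_STORE` is the credential list itself; the reset list shows that hashing is necessary but not sufficient when the passwords themselves are the ones the article quotes.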
Maybe the biggest concern in this leak is its size. Biostar 2’s users are spread around the world, with potential future users including governments, banks, universities, defence contractors, police, and multinational businesses.
The platform has over 1.5 million worldwide installations, and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions.
Facial recognition and fingerprint information cannot be changed. Once stolen, the theft can’t be undone. The unsecured manner in which Biostar 2 stores this information is worrying, considering its importance and the fact that Biostar 2 is built by a security company.
Instead of saving a hash of the fingerprint (which can’t be reverse-engineered), they are saving people’s actual fingerprints, which can be copied for malicious purposes.
Criminal hackers have complete access to admin accounts on Biostar 2. They can use this to take over a high-level account with complete user permissions and security clearances, and make changes to the security settings in an entire network.
Not only can they change user permissions and lock people out of certain areas, but they can also create new user accounts – complete with facial recognition and fingerprints – to give themselves access to secure areas within a building or facility.
Furthermore, hackers can change the fingerprints of existing accounts to their own and hijack a user account to access restricted areas undetected. Hackers and other criminals could potentially create libraries of fingerprints to be used any time they want to enter somewhere without being detected.
With thanks to vpnMentor.com