While working on a web-mapping project, vpnMentor researchers Noam Rotem and Ran Locar discovered a publicly accessible database containing fingerprint records of over 1 million users, facial recognition information, personal information and much more.
The database is run by Suprema, a global corporation headquartered in South Korea, and it’s where information gathered through its web-based BioStar 2 smart lock platform is stored.
BioStar 2 uses facial recognition and fingerprinting technology to identify users and is used by various organizations to control access to secure areas of facilities, manage user permissions, integrate with third-party security apps, and record activity logs.
“The team discovered that huge parts of BioStar 2’s database are unprotected and mostly unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data,” the researchers explained.
The exposed data includes unencrypted biometric data (fingerprint and facial); images of users; unencrypted usernames, passwords, user IDs; personal employee info (e.g., home address and email); employee records, security levels and clearances; records of entry and exit to secure areas; access to client admin panels, dashboards, back end controls, and permissions.
The researchers have identified a number of organizations across the world whose users’ or employees’ information is stored in the database – banks, defense contractors, even the UK Metropolitan police. All in all, the researchers were able to access 23 gigabytes of data, containing over 27.8 million records.
The danger of leaked information
“With this leak, criminal hackers have complete access to admin accounts on BioStar 2. They can use this to take over a high-level account with complete user permissions and security clearances, and make changes to the security settings in an entire network. Not only can they change user permissions and lock people out of certain areas, but they can also create new user accounts – complete with facial recognition and fingerprints – to give themselves access to secure areas within a building or facility,” the researchers noted.
“Furthermore, hackers can change the fingerprints of existing accounts to their own and hijack a user account to access restricted areas undetected. Hackers and other criminals could potentially create libraries of fingerprints to be used any time they want to enter somewhere without being detected. This provides a hacker and their team open access to all restricted areas protected with BioStar 2. They also have access to activity logs, so they can delete or alter the data to hide their activities. As a result, a hacked building’s entire security infrastructure becomes useless. Anybody with this data will have free movement to go anywhere they choose, undetected.”
The leaked personal and employment records can be used for identity theft and fraud, to mount phishing campaigns, perhaps even for blackmail and extortion, they say. Also, who knows how the stolen biometric data can be misused (and it, unlike passwords, can’t be changed once compromised).
“So far, it’s unconfirmed whether malicious actors were able to take advantage of this weakness to exfiltrate any of this highly sensitive data. It can only be hoped that the situation is quickly remediated and a full cyber-forensics investigation and assessment of the company’s security posture is conducted,” Ali Neil, Director International Security at Verizon, told Help Net Security.
“Unfortunately, incidents like this are all too common. Every year, our cyber-forensics investigators discover millions of records that have been breached due to misconfiguration errors that have left data exposed and accessible. Organizations need to evaluate and continuously test the access controls around critical data and systems, and ensure segmentation and defence controls are robust and consistently checked. Integrity monitoring and anomalous behaviour detection must be in place for such sensitive data as well as encryption protection as standard.”
The researchers tried to notify Suprema about their discovery, but say that the company wasn’t very responsive. When the researchers finally got through, Suprema secured access to the database.
Suprema told the Guardian that they are looking into the issue and would inform customers if there was a threat.
“There’s a lot of excitement around the use of face recognition systems. While the benefits are endless, businesses must also consider the risks that arise from deploying face recognition systems as they need to take appropriate steps to comply with the law. Facial recognition and video surveillance are covered by a complex web of regulations which isn’t easy to navigate, plus there is reputational risk if companies aren’t seen to be taking privacy seriously,” commented Tamara Quinn, Partner at international legal practice Osborne Clarke.
“Under the GDPR, use of biometrics, such as facial recognition systems, is covered by stricter safeguards than ordinary personal data. For many companies, this means that they may need to get consent from every person scanned and prove that these individuals were fully informed and have given consent freely, without pressure or being penalised for not participating.
“With the ICO promising to pay closer attention to private organisations that use facial recognition systems that cover public areas, businesses should act now to ensure that their software doesn’t break the law. And this can include reassessing the use of external cameras overlooking the street, public parking or other communal spaces. As well as making sure that their systems comply with strict legal requirements, companies should be looking at their contracts with external suppliers of these systems, to make sure that they have strong legal protections in place.”
John Sheehy, Director of Strategic Security Services at IOActive, notes that attackers who want to find a path into the network of well secured institutions will go after their suppliers.
“An attacker wants to find the easiest pathway to get into the network so oftentimes, it’s the supplier who has an exploitable vulnerability that can get them full access into the original target’s network. Most threat actors organizations face today are very smart. They know they don’t actually need to leverage a sophisticated, complex supply chain hack to wreak havoc on a network, steal data or intellectual property, or cause catastrophic damage. All they really need to do is look for the weak spots – such as plain text passwords, unpatched servers, unencrypted data and systems or send out a simple phishing email,” he pointed out.
“That’s why, if you’re not protecting your own network against basic threat actors, doing your due diligence to properly patch, and holding your suppliers accountable for securing their own networks and encrypting data, you have no hope in protecting against nation-states or more capable threat actors. This is where third-party testing comes in handy to trust and verify your suppliers.”
Rotem and Locar advised Suprema to secure its servers, not to store users’ actual fingerprints (but only a hash that can’t be reverse-engineered), to implement proper access rules on its databases, and never to leave a system that doesn’t require authentication open to the internet.
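The last two recommendations are the ones an operator can verify directly: a database that answers anonymous HTTP requests with its cluster banner and index listing is exactly the condition the researchers describe. The Python script below is an added example for auditing your own Elasticsearch endpoints; it is not code from the article, from vpnMentor or from Suprema, and it assumes nothing about how BioStar 2 was actually deployed. The hostnames and the JSON responses in SAMPLE_RESPONSES are constructed placeholders so the script runs offline; the real fetcher sends a plain unauthenticated GET, which is what any browser would send.

```python
"""Audit your own Elasticsearch endpoints for anonymous access.

Added example (not from the article, vpnMentor or Suprema). Endpoint names
and sample responses are constructed placeholders.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# A fetcher returns (http_status, body_text) for a URL, or raises OSError.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Real fetcher: plain GET with no credentials, as an anonymous client would send."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry a status we can classify
        return e.code, e.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Interpret the response to an unauthenticated GET / on a suspected cluster.

    'open'          -> cluster returned its banner; anyone on the network can query it
    'auth-required' -> 401/403: security is enabled and anonymous access is refused
    'not-es'        -> something answered, but it is not an Elasticsearch banner
    'unknown'       -> any other status (redirects, 5xx, ...)
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "not-es"
    # The Elasticsearch root banner always carries cluster_name and version.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "open"
    return "not-es"


def audit(base_urls: Iterable[str], fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """Return {base_url: {"verdict": str, "indices": [(name, doc_count)], "docs": int}}.

    For an open cluster the index listing is read too, so the report shows the
    scale of what is reachable without credentials (names and document counts only).
    """
    report: Dict[str, dict] = {}
    for base in base_urls:
        base = base.rstrip("/")
        try:
            status, body = fetch(base + "/")
        except OSError:
            report[base] = {"verdict": "unreachable", "indices": [], "docs": 0}
            continue
        entry = {"verdict": classify(status, body), "indices": [], "docs": 0}
        if entry["verdict"] == "open":
            try:
                s2, b2 = fetch(base + "/_cat/indices?format=json")
                if s2 == 200:
                    for idx in json.loads(b2):
                        n = int(idx.get("docs.count") or 0)
                        entry["indices"].append((idx["index"], n))
                        entry["docs"] += n
            except (OSError, ValueError):
                pass  # index listing failed; the 'open' verdict still stands
        report[base] = entry
    return report


# Constructed sample responses (not real data) so the audit can run offline.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "http://es-open.example:9200/": (200, json.dumps(
        {"name": "node-1", "cluster_name": "demo", "version": {"number": "6.8.0"}})),
    "http://es-open.example:9200/_cat/indices?format=json": (200, json.dumps(
        [{"index": "users", "docs.count": "120"},
         {"index": "access-log", "docs.count": "4000"}])),
    "http://es-locked.example:9200/": (401, json.dumps(
        {"error": {"type": "security_exception"}})),
    "http://web.example/": (200, "<html>hello</html>"),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch that serves the constructed responses."""
    if url not in SAMPLE_RESPONSES:
        raise ConnectionError(url)
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    targets: List[str] = ["http://es-open.example:9200", "http://es-locked.example:9200",
                          "http://web.example", "http://nohost.example:9200"]
    for host, result in audit(targets, fetch=sample_fetch).items():
        print(f"{host}: {result['verdict']}, {result['docs']} documents reachable")
```

Run it against the placeholder hosts as shown, or pass your own inventory of cluster addresses with the default http_fetch. Any endpoint reported as "open" should be taken off the public interface and have authentication enabled; in Elasticsearch that means binding network.host to an internal address and setting xpack.security.enabled to true in elasticsearch.yml, in addition to whatever firewalling sits in front of it.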
BioStar 2 clients have been advised to change the password to their BioStar 2 dashboard immediately and notify staff to change their personal passwords. Unfortunately, individuals whose information might have been stolen from this database have no effective recourse.