Security Firm Found Leaking User Fingerprints, Facial Scans | News & Opinion

A biometrics company accidentally leaked a million fingerprint records, plus some facial recognition scans, from customers via an exposed database on the internet.

The South Korean company Suprema ironically supplies security products — including fingerprint and facial recognition scanning technology — to businesses across the world. One of those products is called BioStar 2, a web-based platform used to remotely control and monitor building security systems.

But for some reason, Suprema was storing the biometric scans on an open database over the internet, according to Israeli researchers Noam Rotem and Ran Locar.

The researchers discovered the exposed database while conducting a web-mapping project for VPN review site vpnMentor. Although data leaks are nothing new, the Suprema incident is particularly bad because it involves users’ biometric information. “Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can’t be undone,” the researchers wrote in their blog post.

It isn’t clear if any malicious parties ever accessed the exposed database, which was accessible via URLs in a browser. Rotem and Locar say the database held customer information from businesses in the US, UK, and several other countries. Additional exposed records included unencrypted usernames and passwords for administrative accounts on the BioStar 2 platform, employee security levels and clearances, and personal details such as employees’ home and email addresses.

“Our team was able to access over 27.8 million records, a total of 23 gigabytes of data,” they added.

Rotem and Locar attempted to contact Suprema about the exposed database after discovering it on August 5. However, the researchers claim the company was “very uncooperative,” and did nothing to secure the database until yesterday, August 13.

Suprema told the Guardian it’s still investigating the leak for potential risks to customers. “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets.”

In the meantime, Rotem and Locar are advising Suprema customers to secure their accounts. “In the hands of criminal hackers, all this data could have been downloaded and saved for later use in a variety of crimes,” the researchers warned. For instance, access to BioStar 2 admin accounts could let a hacker disable or manipulate the security systems inside an actual building. The personal information inside the database could also be used to commit identity theft or fraud.

Why Suprema has been storing fingerprint and facial recognition scans without any protection such as hashing, which can effectively scramble the data, remains unclear. But the incident underscores the dangers of a company collecting biometric information: it’s possible it may one day leak.
