A biometric building access system used by thousands of companies around the world has exposed 23 gigabytes of data, representing over 27.8 million records, researchers revealed today. The BioStar 2 product, used by such organizations as the UK Metropolitan Police, made information, including fingerprints and facial recognition images, publicly available.
Researchers from VPN advice company vpnMentor say they uncovered the data, exposed in the BioStar 2 web-based security platform. It stores biometric data used to access physical facilities at thousands of sites around the world. Customers use it to access secure areas of buildings and to log employees movements for time and attendance purposes.
BioStar 2 is also integrated into third-party systems such as Nedap's AEOS access control system, which is used by over 5,700 organizations in 83 countries. The UK Metropolitan Police is among them.
Exposed data included not just unencrypted employee usernames and passwords but also over a million fingerprint records and facial recognition images. The researchers could see records of employee movements throughout physical facilities, along with their start dates and security clearance levels, their home address and emails.
vpnMentor discovered the exposed data mostly unencrypted in an Elasticsearch database. The team could access it via a browser and could manipulate the URL to extract the data, they said in a report published today.
Affected companies include home decor and DIY supplier Tile Mountain in the UK and Power World Gyms, a gym franchise in India and Sri Lanka, which stored over 113,000 user records and fingerprints in the database.
Suprema, the company that makes BioStar 2, was supremely uncooperative, according to vpnMentor, which tried several times to contact the company by email. "Eventually, we decided to reach out to BioStar 2’s offices by phone. Again, the company was largely unresponsive," said vpnMentor. "Upon speaking to a member of their German team, we received a mumbled reply that 'we don’t speak to vpnMentor', before the phone was suddenly hung up."
Suprema didn't respond to queries from Infosecurity Magazine either. However, the company eventually fixed the problem yesterday, eight days after vpnMentor first contacted it.
vpnMentor warned that cyber-criminals could use the information to mount phishing attacks or sell it on the dark web. They could also use it to gain physical access to thousands of facilities around the world.
"A hacked building’s entire security infrastructure becomes useless. Anybody with this data will have free movement to go anywhere they choose, undetected," they said.
BioStar 2 users should change their dashboard passwords immediately and notify employees to change their personal passwords, said the researchers. However, the exposure of a centralized biometric database highlights a deeper problem, warned Charity Wright, cyber-threat intelligence analyst and researcher at threat protection company IntSights Cyber Intelligence.
"Suprema is really lucky that security researchers discovered this and disclosed it ethically. If they determine that hackers have accessed these open servers, the damage will be catastrophic," she said. "Unlike credentials, biometrics can be stolen and used to hack people's 2FA. These are plain-text passwords and real fingerprints that can be used to mimic the victims' login information, and we are talking about over 1.5 million locations where this technology is used."
UPDATE 15/08/2019: Statement from Suprema: “Suprema Inc. (the “Company”) is aware of the reports in the press regarding its BioStar 2 platform and the alleged unauthorized access to data involving vpnMentor. The Company takes any report of this nature very seriously. It is investigating the allegations in the press reports and will liaise with any appropriate third parties and/or individuals as necessary. At this stage, it cannot make any further comment but will, if appropriate, issue a further press statement in due course, including corrections of any erroneous assertions in the reports to date.”