valerybrozhinsky - stock.adobe.c
A security team has revealed that it was able to access more than one million unprotected and unencrypted fingerprint records, as well as facial recognition information stored in a database for a biometric access control system used by the Met Police.
Combined with the personal details, usernames and passwords, the potential for criminal activity and fraud is massive, the vpnMentor team said in a research paper, adding that once stolen, fingerprint and facial recognition information cannot be retrieved, potentially affecting the people involved for the rest of their lives.
The research paper details findings about BioStar 2, a web-based biometric security smart lock platform that uses facial recognition and fingerprinting technology to identify users.
The BioStar 2 app is built by biometric access control firm Suprema, recently integrated BioStar 2 into their AEOS access control system used by more than 5,700 organisations in 83 countries, including big multinationals, small businesses, governments, banks, and the UK’s Metropolitan Police.
The vpnMentor researchers found that the Biostar 2 Elasticsearch database was unprotected and mostly unencrypted. They were able to search the database by manipulating the search criteria using the Elasticsearch search engine.
The data exposure was discovered on 5 August 2019 and Biostar contacted two days later, but access to the system was blocked only a week later on 13 August after numerous attempts to contact the company, the researchers said.
According to the research paper, the vpnMentor team was able to access more than 27.8 million records, a total of 23 gigabytes of data, which included access to client admin panels, dashboards, back-end controls, and permissions; fingerprint data; facial recognition information and images of users; unencrypted usernames, passwords, and user IDs; employee details; and mobile device information.
“One of the more surprising aspects of this leak was how unsecured the account passwords we accessed were. Plenty of accounts had ridiculously simple passwords, like ‘Password’ and ‘abcd1234’. It’s difficult to imagine that people still don’t realize how easy this makes it for a hacker to access their account,” the research paper said.
The researchers said the unsecured manner in which BioStar 2 stored this information was “worrying”, considering its importance, and the fact that BioStar 2 is built by a security company.
“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered), they are saving people’s actual fingerprints that can be copied for malicious purposes.
“Putting all the data found in the leak together, criminals of all kinds could use this information for varied illegal and dangerous activities,” the researchers warned.
The research report said the makers of BioStar 2 failed to take “basic security precautions” such as better protection measures, saving hashed versions of fingerprints, implementing proper access control rules on databases and requiring robust authentication.
A spokesperson for the Metropolitan Police told the BBC it was checking whether the force was one of the affected organisations, while the Information Commissioner’s Office (ICO) said it was aware of reports about Biostar 2 and would be making enquiries.
“The huge quantity of sensitive personal information that has potentially been exposed to cyber criminals as a result of poor cyber security practices by Suprema is disturbing to see,” said Piers Wilson, head of product management at Huntsman Security.
“Such basic mistakes, including not encrypting data and making admin passwords easily accessible, are easy to avoid and there should have been steps taken to better protect systems. In addition, biometric data must be secured to the highest standard, once this is breached there is no way to change it. If a fingerprint is stolen, that person’s personal biometric data has been compromised for life.
“This discovery is just another example of why cyber security must be taken more seriously in all businesses. To better deal with this issue, cyber security must become a boardroom-level issue – where every part of the business has a real understanding of risk,” he said.
Supply chain weakness
John Sheehy, director of strategic security services at IOActive, said the discovery underlines the importance of supply chain security.
“The fact is: the more secure an organisation itself is, the more attractive that organisation’s supply chain becomes in the mind of the attacker – and you can’t get any more secure than a government, bank or police force,” he said.
An attacker typically looks for the easiest pathway to get into the network, said Sheehy, so often it is the supplier who has an exploitable vulnerability that can get them full access into the original target’s network.
“Most threat actors that organisations face today are very smart. They know they don’t actually need to leverage a sophisticated, complex supply chain hack to wreak havoc on a network, steal data or intellectual property, or cause catastrophic damage.
“All they really need to do is look for the weak spots – such as plain text passwords, unpatched servers, unencrypted data and systems or send out a simple phishing email.
“That’s why, if you’re not protecting your own network against basic threat actors, doing your due diligence to properly patch, and holding your suppliers accountable for securing their own networks and encrypting data, you have no hope in protecting against nation-states or more capable threat actors,” he said.
Rohit Ghai, president of RSA Security, said database leaks ultimately originate from human error on the part of the company managing the database.
“Because they’re typically not malicious, they can be difficult to prevent without a very thorough digital risk management programme in place, which affords the same level of oversight on insider threats as it does to external ones.
“Added to this, the scenario highlights the criticality of third-party risk and security assessments as data flows through the digital ecosystem of organisations,” he said.
Oversight of biometric data security
Guy Bunker, CTO at security firm Clearswift, said that when biometrics first came to the fore as a method for authentication, there was little thought given to how the systems could be compromised.
“However, unlike a password, it’s not so easy to change your fingers, eyes and face. With the increased use of biometrics, the protection of the data to disable the ability for replacement was also, all too often overlooked. Replacement is where you have access to the back-end storage and can readily put ‘your’ details in place of the targets and then become them, for access to whatever is being requested.
“In this particular incident, almost every possible issue with biometrics which could occur, actually has. In doing so, data of thousands of organisations across the globe has been compromised as well as a million-plus people. The ‘fix’ is not going to be quick or easy and so during that time the potential for further fraud and malicious behaviour is very high,” he said.
For businesses not immediately affected by this discovery, Bunker said there is an immediate need to check if they are using any form of biometrics.
“What you need to know is whether the data from the biometric is stored in a ‘raw’ form or if it has been transformed. By way of analogy, passwords used to be stored in the clear (readable) form, today they are all encrypted (transformed) and it is virtually impossible to reverse engineer a strong password.
“Biometric data needs to have the same happen to it – the raw data needs to be transformed through encryption, such that it can’t be reversed engineered. Furthermore, systems holding this data need to be protected, including monitoring, against bulk data change or biometric record updates. Signs of this occurring can be an indicator of compromise.
“Sadly, it takes an event such as this for organisations to understand some of the risks they have with solutions which they either didn’t know about or had previously ignored,” he said.
Tamara Quinn, partner at international legal practice Osborne Clarke said businesses must also consider the risks that arise from deploying facial recognition systems as they need to take appropriate steps to comply with the law.
“Facial recognition and video surveillance are covered by a complex web of regulations which isn’t easy to navigate, plus there is reputational risk if companies aren’t seen to be taking privacy seriously,” she said, pointing out that under the General Data Protection Regulation (GDPR), the use of biometrics, such as facial recognition systems, is covered by stricter safeguard than ordinary personal data.
“For many companies, this means that they may need to get consent from every person scanned and prove that these individuals were fully informed and have given consent freely, without pressure or being penalised for not participating.
“With the ICO promising to pay closer attention to private organisations that use facial recognition systems that cover public areas, businesses should act now to ensure that their software doesn’t break the law. And this can include reassessing the use of external cameras overlooking the street, public parking or other communal spaces.
“As well as making sure that their systems comply with strict legal requirements, companies should be looking at their contracts with external suppliers of these systems to make sure that they have strong legal protections in place,” she said.
Read more about biometrics
- The annual report from the biometrics commissioner warns that lack of clear laws on the application of the technologies could further undermine privacy and citizen trust.
- Immigration minister says options are being considered around governance and oversight of biometric technology use.
- New rules will see the introduction of a repository of personal data from hundreds of millions of EU citizens to support law enforcement across member states.
- HMRC is to forge ahead with Voice ID despite beginning to delete the largest state-held voice biometric database gathered without consent after UK privacy and data protection watchdog issues order.