A major data breach in a biometric security system has exposed facial recognition data, fingerprints and other private information in a publicly accessible database. The system is used by banks, police and defence firms.
The breach was discovered by Israeli security researchers Noam Rotem and Ran Locar from VPNMentor. The team found a huge data breach in the security platform Biostar 2.
Millions of people's fingerprints, facial recognition data, employee personal information, and unencrypted usernames and passwords were found in a publicly accessible database.
Biostar 2 is a web-based biometric security smart lock platform. A centralized application, it allows admins to control access to secure areas of facilities, manage user permissions, integrate with third-party security apps, and record activity logs.
As part of the biometric software, Biostar 2 uses facial recognition and fingerprinting technology to identify users.
What Happened?
According to a report by The Guardian,
Suprema is the security company responsible for the web-based Biostar 2, which uses fingerprints and facial recognition to identify people.
In July 2019, Suprema partnered with Nedap to integrate Biostar 2 into their AEOS access control system. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan Police.
The security researchers had access to over 27.8 million records and 23 gigabytes' worth of data, including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff, according to The Guardian.
Israeli security researcher Noam Rotem, from VPNMentor, told The Guardian:
“We were able to find plain-text passwords of administrator accounts,” he said.
“The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even.”
“We [were] able to change data and add new users,” he said.
The VPNMentor team was able to access over 27.8 million records, a total of 23 GB of data, which included the following information:
- Access to client admin panels, dashboards, back end controls, and permissions
- Fingerprint data
- Facial recognition information and images of users
- Unencrypted usernames, passwords, and user IDs
- Records of entry and exit to secure areas
- Employee records including start dates
- Employee security levels and clearances
- Personal details, including employee home address and emails
- Businesses’ employee structures and hierarchies
- Mobile device and OS information
The researchers also noted how insecure the account passwords were. Users had set passwords such as “abcd1234” and “Password”, which make it very easy for an attacker to access their accounts.
The security researchers were easily able to view passwords across the Biostar 2 database, as they were stored in plain text instead of being securely hashed.
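The two password failures described above, plain-text storage and trivially guessable passwords, are both avoidable at the application layer. The following Python is an added illustration written for this article; it is not Biostar 2 code and assumes nothing about Suprema's implementation. It contrasts a plain-text user store (the pattern the researchers found) with a hardened store that rejects weak passwords against a small constructed deny-list and only ever keeps salted PBKDF2-HMAC-SHA256 hashes, so that a leaked database does not yield usable credentials. The deny-list, the iteration count and the record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# Constructed deny-list for the example, seeded with the two passwords quoted
# in the article. A real deployment would check against a large breached-password list.
WEAK_PASSWORDS = {"abcd1234", "password", "123456", "qwerty"}

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def is_weak_password(password: str) -> bool:
    """True if the password is on the deny-list, shorter than 12 chars,
    or uses fewer than three character classes."""
    if password.lower() in WEAK_PASSWORDS:
        return True
    if len(password) < 12:
        return True
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) < 3


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


class InsecureUserStore:
    """The pattern the researchers found: credentials kept in plain text,
    so anyone who reads the database can log in as any user."""

    def __init__(self) -> None:
        self.records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> bool:
        self.records[username] = password
        return True

    def authenticate(self, username: str, password: str) -> bool:
        return self.records.get(username) == password


class HardenedUserStore:
    """Rejects weak passwords and stores only salted, iterated hashes."""

    def __init__(self) -> None:
        self.records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> bool:
        if is_weak_password(password):
            return False  # caller should tell the user to pick a stronger password
        self.records[username] = hash_password(password)
        return True

    def authenticate(self, username: str, password: str) -> bool:
        stored = self.records.get(username)
        if stored is None:
            # Hash anyway so a missing user takes as long as a wrong password
            # (reduces username enumeration via timing).
            hash_password(password)
            return False
        return verify_password(password, stored)


if __name__ == "__main__":
    store = HardenedUserStore()
    print("weak password accepted:", store.register("admin", "Password"))
    print("strong password accepted:", store.register("admin", "Correct-Horse-Battery-9"))
    print("stored record:", store.records["admin"])
    print("login ok:", store.authenticate("admin", "Correct-Horse-Battery-9"))
```

Had Biostar 2 stored records in the hardened form, the 23 GB dump would have contained salted hashes rather than the administrator passwords the researchers read directly; the weak-password check would additionally have stopped “abcd1234” and “Password” from being set in the first place.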
What can you do?
If you are an employer or business owner using Biostar 2, your personal information, including fingerprints and facial recognition data, might have been leaked. The researchers recommend:
- Secure your server with a firewall.
- Change your Biostar 2 password immediately.
- Always carry out penetration testing of your server systems.