Suprema's BioStar 2 System Kept Biometrics, Passwords In Plaintext

Credit: Asylsun / Shutterstock

Biometric data (fingerprints and facial recognition profiles), unencrypted usernames and passwords, and personal information of employees, covering more than 1 million people, was discovered online in an exposed database. The database appears to belong to Suprema, a security company that sells Biostar 2, a web-based biometric access control system used to control entry to buildings.

Suprema's Biostar 2 Exposes 1 Million Biometric Profiles

Last month, Suprema announced that its Biostar 2 system was integrated into another access control system called AEOS. AEOS is used by 5,700 organizations in 83 countries, including governments, banks, and the UK Metropolitan Police.

The Israeli security researchers Noam Rotem and Ran Locar worked with the security team at vpnMentor, a company that reviews virtual private network (VPN) services, scanning ports and familiar IP blocks in search of exposed systems that could lead to data breaches at organizations.

In one of those searches last week, the researchers found the Biostar 2 database unprotected and mostly unencrypted. It exposed 27.8 million records and 23GB of data, including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearances, and personal details of staff.

The researchers said that even the admin credentials appear to have been stored in plaintext. They also said the database was writable: they were able to change existing records and add new users. In other words, an attacker could have edited an existing Biostar 2 account, replaced its fingerprint with their own, and then walked into every building that user was cleared for. That makes Biostar 2 useless as an access control against anyone who can reach the database.

Suprema Made It Easy For Hackers to Steal Biometric Data

According to the researchers, Suprema not only failed to keep the database off the public internet; it also ignored the industry practice for biometric authentication of never storing the actual fingerprint or facial recognition data in a centralized database on its own servers.

The researchers said about Suprema in their paper:

“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes."

Apple and most Android smartphone makers take a different approach. At enrollment the sensor data is reduced to a mathematical template rather than an image, that template is encrypted and stored in isolated hardware (Apple's Secure Enclave, or on Android a trusted execution environment or StrongBox-class secure element such as Google's Titan M), and every later match is performed inside that hardware, so the template never leaves the device and is never sent to a server. Note that this is not a cryptographic hash of the fingerprint: two scans of the same finger never produce identical data, so a hash could not be matched against a fresh scan. The protection comes from the template being usable only inside the hardware that holds it, so even if someone manages to exfiltrate the stored blob, there is little useful biometric data to extract.

In comparison, the biometric data stolen from Suprema, or from any other centralized biometric database, can be re-used by malicious actors potentially forever. A fingerprint cannot be rotated like a password. The affected users' only mitigations are to enroll different fingers in future biometric systems, or to hope that future sensors become advanced enough that the older, more basic stolen templates no longer work against them.
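The difference between the two designs, as an added example that is not code from the article or from Suprema, Apple or Google, and a deliberately simplified model rather than any vendor's implementation: the fingerprint "templates" are constructed eight-feature vectors, the enclave's encryption is an HMAC-SHA256 keystream standing in for a real authenticated cipher such as AES-GCM, and the match threshold is arbitrary. It shows three things the text above argues: hashing a fingerprint cannot work because fresh scans never match byte for byte; an on-device store that exposes only `verify()` and keeps the template encrypted under a key that never leaves it still matches the right finger and rejects the wrong one; and a centralized plaintext store of the kind the researchers found lets anyone with database access both read the raw template and rewrite it to enroll their own finger.

```python
import hashlib
import hmac
import math
import random
import secrets

# Constructed "fingerprint templates": fixed-length vectors of minutiae-like
# features. Real templates are vendor-specific; these numbers are made up.
ENROLLED_FINGER = [0.12, 0.87, 0.33, 0.64, 0.51, 0.09, 0.77, 0.42]
OTHER_FINGER = [0.91, 0.05, 0.48, 0.22, 0.66, 0.83, 0.14, 0.37]
MATCH_THRESHOLD = 0.1  # arbitrary distance threshold for this model


def capture(template, noise=0.02, seed=0):
    """Simulate a fresh sensor capture: the same finger never scans identically."""
    rng = random.Random(seed)
    return [round(x + rng.uniform(-noise, noise), 4) for x in template]


def serialize(template):
    return ",".join(f"{x:.4f}" for x in template).encode()


def hash_template(template):
    """Cryptographic hash of the raw features, included only to show why exact
    matching cannot be used on fuzzy biometric data."""
    return hashlib.sha256(serialize(template)).hexdigest()


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class Enclave:
    """Model of on-device biometric storage: the template is encrypted under a
    key that exists only inside this object, no method returns the template,
    and the only operation exposed to the rest of the system is verify()."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # device-bound key, never exported
        self._blob = None

    def _keystream(self, nonce, length):
        # HMAC in counter mode as a stdlib-only stand-in for a real cipher.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def enroll(self, template):
        plain = serialize(template)
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plain, self._keystream(nonce, len(plain))))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        self._blob = nonce + ct + tag

    def export_blob(self):
        """What an attacker dumping the device's storage would obtain."""
        return self._blob

    def verify(self, sample):
        nonce, ct, tag = self._blob[:16], self._blob[16:-32], self._blob[-32:]
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("stored template blob has been tampered with")
        plain = bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))
        template = [float(x) for x in plain.decode().split(",")]
        return euclidean(template, sample) <= MATCH_THRESHOLD


def centralized_plaintext_store():
    """Model of the exposed design the researchers described: raw templates in
    a database that anyone who can reach it may read and rewrite."""
    return {"alice": list(ENROLLED_FINGER)}


def central_verify(db, user, sample):
    return euclidean(db[user], sample) <= MATCH_THRESHOLD


def attacker_takeover(db, user, attacker_finger):
    """Overwrite the victim's template, as the researchers said they could."""
    db[user] = list(attacker_finger)


def demo():
    fresh = capture(ENROLLED_FINGER, seed=1)
    results = {}
    # 1. Hashing: two captures of the same finger hash differently, so a stored
    #    hash would never match a fresh scan.
    results["hash_matches_fresh_scan"] = hash_template(ENROLLED_FINGER) == hash_template(fresh)
    # 2. On-device: encrypted template, matching performed inside the enclave.
    enclave = Enclave()
    enclave.enroll(ENROLLED_FINGER)
    results["enclave_accepts_same_finger"] = enclave.verify(fresh)
    results["enclave_rejects_other_finger"] = enclave.verify(capture(OTHER_FINGER, seed=2))
    results["dump_contains_plaintext"] = serialize(ENROLLED_FINGER) in enclave.export_blob()
    # 3. Centralized plaintext: readable and writable by anyone with DB access.
    db = centralized_plaintext_store()
    results["central_leaks_raw_template"] = db["alice"] == ENROLLED_FINGER
    attacker_takeover(db, "alice", OTHER_FINGER)
    results["attacker_accepted_after_rewrite"] = central_verify(db, "alice", capture(OTHER_FINGER, seed=3))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the enclave model is the interface, not the cipher: nothing outside the object can ask for the template, only for a yes/no answer about a sample, and a dump of its storage yields ciphertext under a key the dump does not contain. The plaintext store has no such boundary, which is why the researchers could both read fingerprints and enroll their own.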

Suprema Not Alone In Handling Biometric Security Poorly

As we saw with the Equifax data breach or the hack of DHS' facial recognition data, regular people hardly have any say in any of this, and the companies or agencies that use almost criminally negligent security practices often get away with small fines, at best. Meanwhile, the regulations for companies and agencies that handle such sensitive data are too slow to change to prevent such data breaches in the foreseeable future.

Rotem noted that there are many other poorly secured biometric systems out there:

“It’s very common. There’s literally millions of open systems, and going through them is a very tedious process. And some of the systems are quite sensitive.”

Rotem also talked about the importance of responding to security issues quickly and with grace. Some companies still get offended when you point out a security flaw in their product, instead of being thankful that someone who had no intention of abusing the hole found it first. Suprema seems to belong to the former group, as the researcher said it never replied to his messages about the flaw.

Suprema told The Guardian that it fixed the flaw, but if anyone else noticed the same exposure before Rotem and Locar did, they may already have copied the database and sold it to others or abused it for their own gain. Those biometric profiles would then be out in the wild, so it may not matter much that Suprema "fixed the security hole": fingerprints and face data that have already been copied can be used for nefarious purposes indefinitely.