Biometric authentication (facial recognition, iris recognition or fingerprints) is seen by many experts as the savior of security because it lets organizations do away with passwords.
However, privacy researchers on Wednesday disclosed a large, unprotected store of biometric, password and other personal data sitting open on the internet. The data belong to the BioStar 2 identity and access control platform, and the incident is a reminder of a basic rule of cybersecurity: if the identity data behind an authentication system isn’t adequately protected, the strength of the authentication itself counts for little.
Because the BioStar 2 platform is used by companies around the world, some of the data is of considerable value to criminals.
The researchers, who published their findings through the VPN review site vpnMentor, said the leak could affect tens of millions of users, since BioStar 2 partners with numerous other access control companies.
It’s still unclear if the discovered database is the main BioStar 2 repository or one that was copied by a negligent staffer.
Suprema Inc., the South Korean company that developed BioStar 2, said that public access to the database was restricted on Tuesday. On its website, Suprema said that the company is “the premium brand in security” which uses “independent organizations and process for quality assurance.”
Some of its products are used for physical access control to workrooms, data centres, hospitals, police stations, buildings and construction sites.
In an interview, Canadian privacy expert and consultant Ann Cavoukian called the incident “appalling” and “clearly unacceptable.”
“You would think by now companies would be taking security seriously,” she said.
She worried about the “potential for harm” if a criminal was able to steal biometric data before access to the database was closed.
On the other hand, Andras Cser, a vice-president and principal security analyst for Forrester Research, said there’s “not much” a thief could do with stolen fingerprint or facial recognition photos. Sophisticated image recognition cameras would detect a fake face, he said, and it is not easy to leverage a stolen fingerprint against a sophisticated reader either. However, he added, a criminal could use a stolen photo to perform an internet image search and uncover more information about a potential victim.
He’s more worried about criminals getting hold of the unencrypted passwords from the unprotected BioStar 2 database.
Still, he said the discovery of an unprotected database with this amount of information “is a mess on multiple levels … a complete disaster.” First, all of the data should have been encrypted. Second, there is no reason to store full images for facial recognition. Instead, smart companies create a template to hold important data points — for example, how far apart an enrolled person’s eyes are.
Cser advised companies that use the BioStar system to hire a penetration testing firm to examine all identity systems for potential vulnerabilities.
In a blog post, vpnMentor said the unsecured database was discovered on Aug. 5 during an ongoing project that scans the internet for exposed databases in particular IP blocks; the same project has led vpnMentor and the researchers to disclose other loosely-protected databases. The team said huge parts of BioStar 2’s database were unprotected and mostly unencrypted.
“The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data,” the blog post read. The database had detailed personal information of employees and unencrypted usernames and passwords, as well as over 1 million fingerprint records and facial recognition information. “Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive.”
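The pattern vpnMentor describes, an Elasticsearch node answering unauthenticated HTTP requests, is something defenders can check for on their own perimeter. Elasticsearch serves its REST API over HTTP (port 9200 by default), and a node with no authentication configured answers any client that can reach that port, which is what let the researchers query it from a browser. The following Python audit script is an added example, not code from vpnMentor, Suprema or the BioStar 2 product: it fetches the node’s root document, then `/_cat/indices?format=json`, and flags index names that hint at credential or biometric content. The host addresses, cluster name and index listing are constructed sample responses, not data from the incident.

```python
import json
import urllib.error
import urllib.request

# Index names that suggest the kind of data vpnMentor found exposed
# (credentials, people, biometrics). A heuristic, not an exhaustive list.
SENSITIVE_HINTS = ("user", "password", "credential", "employee",
                   "fingerprint", "face", "biometric", "login")


def http_get(url, timeout=5):
    """GET a URL and return (status, body). A 401/403 is returned rather
    than raised, because an auth challenge is the *good* outcome here."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def assess_elasticsearch(base_url, fetch=http_get):
    """Classify an endpoint as 'auth_required', 'not_es' or 'open'.

    For an open node, list every index an anonymous client can see and
    flag the ones whose names hint at sensitive content."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/")
    if status in (401, 403):
        return {"state": "auth_required", "indices": []}
    try:
        root = json.loads(body)
    except ValueError:
        return {"state": "not_es", "indices": []}
    if not isinstance(root, dict) or "cluster_name" not in root or "tagline" not in root:
        return {"state": "not_es", "indices": []}

    result = {
        "state": "open",
        "cluster": root["cluster_name"],
        "version": root.get("version", {}).get("number", "?"),
        "indices": [],
    }
    status, body = fetch(base + "/_cat/indices?format=json")
    if status == 200:
        for entry in json.loads(body):
            name = entry["index"]
            result["indices"].append({
                "index": name,
                "docs": int(entry.get("docs.count") or 0),
                "size": entry.get("store.size"),
                "sensitive": any(h in name.lower() for h in SENSITIVE_HINTS),
            })
    return result


# Constructed responses standing in for one node that answers anonymously
# and one that demands credentials. No real host is queried.
SAMPLE_RESPONSES = {
    "http://198.51.100.10:9200/": (200, json.dumps({
        "name": "node-1", "cluster_name": "acs-prod",
        "tagline": "You Know, for Search", "version": {"number": "6.8.1"},
    })),
    "http://198.51.100.10:9200/_cat/indices?format=json": (200, json.dumps([
        {"health": "green", "status": "open", "index": "users",
         "docs.count": "27800000", "store.size": "23gb"},
        {"health": "green", "status": "open", "index": "access_log",
         "docs.count": "1200", "store.size": "1.4mb"},
    ])),
    "http://203.0.113.7:9200/": (401, '{"error":"missing authentication credentials"}'),
}


def sample_fetch(url, timeout=5):
    """Offline stand-in for http_get that serves the constructed responses."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for host in ("http://198.51.100.10:9200", "http://203.0.113.7:9200"):
        print(host, json.dumps(assess_elasticsearch(host, fetch=sample_fetch), indent=2))
```

A result of `auth_required` is the outcome you want. For an `open` node, the remediation on the Elasticsearch side is to bind `network.host` to a private interface, enable authentication (`xpack.security.enabled: true`, included in the free basic licence since 6.8 and 7.1) and put TLS in front; on the network side, port 9200 should never be reachable from the internet at all.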
Unlike a password, a compromised biometric cannot be changed, so the exposure is permanent. The damage can be mitigated, however, if biometric identifiers are combined with a second factor such as a card, PIN or one-time code, so that a stolen biometric alone never grants access. The reader hardware’s resilience against spoofing also matters.
The blog said the researchers were able to access over 27.8 million records, a total of 23 gigabytes of data, including:
- access to client admin panels, dashboards, back-end controls and permissions
- fingerprint data
- facial recognition information and images of users
- unencrypted usernames, passwords and user IDs
- records of entry to and exit from secure areas
- employee records, including start dates
- employee security levels and clearances
- personal details, including employees’ home addresses and emails
- businesses’ employee structures and hierarchies
- mobile device and OS information of customers
The blog also notes that among the plaintext passwords, many accounts used “Password”, “abcd1234” and other easily guessed values.
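To make concrete what “unencrypted usernames and passwords” cost, here is an added Python example (not code from BioStar 2, Suprema or vpnMentor) contrasting the table layout the researchers describe with a hardened one: passwords are stored as salted, memory-hard scrypt hashes using only the standard library, weak values such as those quoted above are flagged for a forced reset, and verification runs in constant time. The user names, passwords, denylist and cost parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed denylist: the values the researchers saw, plus a few classic
# weak choices. A real deployment should check a large breached-password corpus.
COMMON_PASSWORDS = {"password", "abcd1234", "123456", "12345678",
                    "qwerty", "admin", "letmein"}

# scrypt cost parameters: 128 * N * r bytes of memory per hash (~16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def is_weak(password):
    """Reject short passwords and known-common values (case-insensitive)."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def hash_password(password, salt=None):
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.

    A leaked table of these yields only per-user, salted, memory-hard
    hashes instead of reusable plaintext credentials."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                      salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the parameters stored in the record and
    compare in constant time. Malformed records verify as False."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False
    actual = hashlib.scrypt(password.encode(), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


# The 'before' shape: a credential table like the one vpnMentor described,
# with plaintext passwords. Constructed rows, not data from the leak.
PLAINTEXT_TABLE = [
    {"user": "alice", "password": "Password"},
    {"user": "bob", "password": "abcd1234"},
    {"user": "carol", "password": "8-Ravens-sing-at-Dawn"},
]


def migrate_table(rows):
    """Replace each plaintext password with a hash record and report which
    accounts must be forced to choose a new password at next login."""
    migrated, must_reset = [], []
    for row in rows:
        if is_weak(row["password"]):
            must_reset.append(row["user"])
        migrated.append({"user": row["user"],
                         "password_hash": hash_password(row["password"])})
    return migrated, must_reset


if __name__ == "__main__":
    table, resets = migrate_table(PLAINTEXT_TABLE)
    for row in table:
        print(row["user"], row["password_hash"][:40] + "...")
    print("force reset:", resets)
```

Hashing the existing plaintext is only the first step: the weak passwords are still weak once hashed, which is why `migrate_table` also returns the accounts that must be reset, and any system that held plaintext should assume those credentials are already in attackers’ hands.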
The BioStar 2 database held information for U.S. companies including Union Member House, a co-working space and social club with 7,000 users; Lits Link, a software development consultancy; and Phoenix Medical, a medical products manufacturer. Those in the U.K. included Associated Polymer Resources, a plastics recycling specialist; Tile Mountain, a home decor and DIY supplier; and Farla Medical, a medical supply store.
‘A huge blow for the biometrics industry’
It didn’t take long for officials from security companies to comment on the breach.
“From a consumer perspective, high-resolution fingerprints are a dangerous data set, regardless of how the original data was intended to be used,” said Robert Capps, vice-president and authentication strategist for Vancouver-based NuData Security, a division of Mastercard. “Since we don’t know whether the stolen fingerprint data is full resolution or templatized, it is unclear whether the stolen biometric data will have any meaningful impact. We do know that other consumer information was made available by the vendor, and this information has the possibility of being used to access consumer accounts, including financial services accounts. It is advisable, therefore, that any company using Biostar 2 for physical access should make plans to ensure their facilities remain secure until the full scope of the vulnerability is known, and that consumers whose information was contained in the breach take precautions to protect any accounts related to the information disclosed in the breach.”
Stuart Reed, vice-president at Nominet, called the incident “a huge blow for the biometrics industry.”
“A significant element of this breach is the nature of how the biometric data was being used; to grant access to secure areas, for example in police stations. Unlike many other cyber incidents that we’ve seen which compromise digital data, this breach directly crosses over into physical security, demonstrating just how dangerous the data could be in the wrong hands,” he said.
It still isn’t known if anyone other than the researchers discovered the database was open, he added. “We know that hackers act fast, which is exactly why we must not only use a combined approach of people, processes and technology to better secure our data, but we need more sophisticated technology to identify malicious behaviour and potential data theft fast.”
The industry has learned a lot of lessons, but biometric data isn’t something companies can simply reset, said Tim Erlin, vice-president of product management and strategy at Tripwire.
“As an industry, we’ve learned a lot of lessons about how to securely store authentication data over the years,” he said. “In many cases, we’re still learning and re-learning those lessons. Unfortunately, companies can’t send out a reset email for fingerprints. The benefit and disadvantage of biometric data is that it can’t be changed. Using multiple factors for authentication helps mitigate these kinds of breaches. As long as I can’t get access to a system or building with only one factor, then the compromise of my password, key card or fingerprint doesn’t result in the compromise of the whole system. Of course, if these factors are stored or alterable from a single system, then there remains a single point of failure.”
Jeff Hickman, director of solutions engineering at SecureAuth, said the breach underscores why we still can’t rely on a single factor or method of authentication. “Whether you choose passwords or biometrics, there is always a risk that the factor will be compromised. Arguably, biometrics is a much stronger method of authentication than passwords and provides an improved user experience, but this risk is now much more real because of this breach.
“This doesn’t mean that we — as an industry and consumers of biometrics — need to jump ship, but we must scrutinize how and where our data is stored, and understand what that means for our risk tolerance,” indicated Hickman, adding Infosec pros need to ask potential (and existing) biometric identity suppliers what data – full fingerprint, full face, or something else – is being stored.