The easiest thing you can do to protect yourself after a data breach is to change the exposed password, preferably to something unique and more secure than the previous one. However, if hackers steal your actual fingerprint — mind you, not an encrypted version of it — then there’s really nothing you can do to prevent anyone from abusing it, since you obviously can’t change your fingerprints. And that’s precisely what could easily have happened with Suprema’s BioStar 2 biometric lock systems.
Researchers found a security hole in Suprema’s system that let them access authentication data belonging to more than 1 million users. The data includes fingerprints, facial recognition information, unencrypted usernames and passwords, and personal information of employees, according to The Guardian.
Suprema’s systems protect various companies and public institutions, including the UK Metropolitan Police, defense contractors, and banks. The security hole could also have affected international companies in the US, Pakistan, Finland, and Indonesia, according to the report.
Israeli researchers Noam Rotem and Ran Locar worked with vpnMentor to find the vulnerability. Once they gained access to the BioStar 2 database, they found it to be unprotected and mostly unencrypted. They were able to access more than 27.8 million records totaling over 23GB in size.
Aside from the sensitive information the database contained, they could easily monitor the actual usage of the stored biometric data. They could see in real-time which user entered any facility via a specific door. They could even see the passwords of administrator accounts.
The researchers were able to edit someone’s account and add their own fingerprints to it. In theory, this would have given them access to every place that user has permission to enter. Even more disturbingly, they found that password data wasn’t protected at all, and that fingerprints were stored as-is, which could allow hackers to copy a fingerprint and use it for malicious purposes.
“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes,” they said in a paper.
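The distinction in that quote, between storing a secret and storing only a hash of it, applies directly to the unencrypted usernames and passwords the report also describes. The following Python example is added here and is not code from the report, vpnMentor or Suprema; the record values are constructed and the scrypt parameters are illustrative. It places a credential record written in the clear beside one that keeps only a salted scrypt hash, then checks that a stolen copy of the hardened record does not contain the password while a legitimate login still verifies. Note that a fixed cryptographic hash works for passwords because the input is exact; fingerprint templates are matched fuzzily, so protecting them needs techniques beyond a plain hash.

```python
import hashlib
import hmac
import json
import os

# Constructed sample credentials (hypothetical values, not from the breach).
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "Summer2019!"


def store_plaintext(username, password):
    """The weak pattern: the secret itself is written to the database."""
    return {"username": username, "password": password}


def store_hashed(username, password, salt=None, n=2**14, r=8, p=1):
    """Hardened pattern: keep only a random salt and a memory-hard scrypt
    digest (hashlib.scrypt is in the standard library on Python 3.6+)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return {
        "username": username,
        "salt": salt.hex(),
        "scrypt": digest.hex(),
        "n": n,
        "r": r,
        "p": p,
    }


def verify(record, password):
    """Recompute the digest with the stored salt and parameters and compare
    in constant time; the password itself never needs to be stored."""
    digest = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(record["salt"]),
        n=record["n"],
        r=record["r"],
        p=record["p"],
        dklen=32,
    )
    return hmac.compare_digest(digest.hex(), record["scrypt"])


def leaks_secret(record, password):
    """Would a copied database row hand an attacker the password verbatim?"""
    return password in json.dumps(record)


if __name__ == "__main__":
    weak = store_plaintext(SAMPLE_USER, SAMPLE_PASSWORD)
    strong = store_hashed(SAMPLE_USER, SAMPLE_PASSWORD)
    print("plaintext row leaks password:", leaks_secret(weak, SAMPLE_PASSWORD))
    print("hashed row leaks password:   ", leaks_secret(strong, SAMPLE_PASSWORD))
    print("correct login verifies:      ", verify(strong, SAMPLE_PASSWORD))
    print("wrong password verifies:     ", verify(strong, "summer2019!"))
```

The parameters n, r and p are stored alongside the digest so they can be raised later without invalidating existing records; a real deployment would also rate-limit verification attempts, since a leaked hash still allows offline guessing of weak passwords.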
Suprema, meanwhile, told The Guardian there’s nothing to worry about. It has made an “in-depth evaluation” of the vpnMentor report and would inform customers if there were a threat. But it’s still unclear whether anyone found the same security issues before these researchers did and abused them in any way.
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Suprema’s head of marketing Andy Ahn told the paper.