Fingerprints and facial scans are seen as an enhanced additional layer of security, but they rely on database storage just like any other type of data. A recent breach of biometrics giant Suprema once again reinforces the idea that any security system is only as strong as its weakest link.
Security researchers located an unencrypted database belonging to the company that was open for business, with about 28 million available records in total. In addition to facial recognition and fingerprint data, the database contained unencrypted username-password combinations stored in plain text.
The BioStar 2 biometrics data breach
BioStar 2 is a Suprema web-based security platform that is used throughout the world. The main feature is the ability to access the central server and endpoint security devices (such as facial recognition systems) from any modern web browser without installing software, allowing for easy remote access from mobile devices. At least 5,700 organizations in 83 countries make use of the system, including local governments and police services. Suprema is one of the 50 largest security manufacturer in the world and is a market leader in Europe, the Middle East and Africa.
The breach was discovered by security researchers Ran Locar and Noam Rotem of vpnMentor, who have discovered other major database security failings including the leak of personal information on 80 million Americans from a mysterious public-facing database back in April.
In this case, they used the same basic technique they used to uncover previous data breaches. They simply scanned blocks of IP addresses looking for unsecured databases, with no real hacking or penetration involved once they are found. The exposed database was an Elasticsearch type that does not allow URL access, but can be accessed through a web browser with a little manipulation. Anyone else using this same technique could come along and have access to the same data that the vpnMentor researchers had.
So what exactly was available in this database? vpnMentor issued a report indicating that they found 23 gigabytes of data in total. This included pictures of end users attached to their facial recognition data, over a million records of fingerprint data, username and password combinations in plain text including some for administrative accounts, client employee records including personal identifiable information, and records of entry and exit at client facilities.
Major companies that had identifiable information in this database include Phoenix Medical, the United Kingdom’s Tile Mountain stores, the Power World Gyms chain found throughout India and Sri Lanka, Germany’s Identbase and Belgium’s Adecco Staffing. The UK Metropolitan Police have been named in some stories, but the official vpnMentor report only mentions that they are a BioStar 2 customer with no information about anything specific to them in the breached database.
The breach was discovered on August 5, but took until August 13 to close. The vpnMentor researchers characterized BioStar staff as being “very uncooperative” after being notified, and the team had to spend nearly a week trying various European offices before the French office took action to secure the database.
Willy Leichter, VP of Marketing, Virsec, had this to say about the response:
“Unfortunately, leaking of biometric source information is the inevitable next step in a long line of security blunders. With any authentication method, from passwords to advanced biometrics, security is only as strong as its weakest link. With all the hype around biometrics and AI, we tend to overlook the basics – we’re entrusting increasingly unchangeable personal data to a network of third parties with little oversight, and few enforceable standards over how priceless personal data is handled. While GDPR lays out principles for data protection, these need to be swiftly and severely enforced for organizations that are clearly reckless.”
The dangers of stolen facial recognition and fingerprint data
Unlike a stolen password, biometrics data cannot be changed and could provide an attacker with physical access to buildings. Unlike some other fingerprinting systems, BioStar appears to have been storing the fingerprints in a directly accessible format instead of a hash. Any rogue elements that might have had access to this database before it was closed could have captured actual fingerprints along with pictures and facial recognition information, security layers that are used precisely because the end user is not able to alter them.
Tim Erlin, VP of product management and strategy at Tripwire, points out why a breach that includes both facial recognition/fingerprint data and passwords in an unencrypted form is worse than usual:
“As an industry, we’ve learned a lot of lessons about how to securely store authentication data over the years. In many cases, we’re still learning and re-learning those lessons. Unfortunately, companies can’t send out a reset email for fingerprints. The benefit and disadvantage of biometric data is that it can’t be changed.
“Using multiple factors for authentication helps mitigate these kinds of breaches. As long as I can’t get access to a system or building with only one factor, then the compromise of my password, key card or fingerprint doesn’t result in compromise of the whole system. Of course, if these factors are stored or alterable from a single system, then there remains a single point of failure.”
At the very least, individuals whose fingerprints and facial recognition data were exposed in this breach may have some difficulty in future employment situations where those items are critical to the organization’s security policy. No one can be certain who accessed this database while it was exposed or what hands this information may be in. A nightmare scenario would be for fingerprints and facial recognition information to end up in a massive criminal collection similar to the “combo lists” that are used for password attacks, making these individuals a permanent security liability anywhere biometrics systems are used.
In addition to the potential future fallout from the biometrics data, there is the matter of the unencrypted usernames and passwords. Again, it is unclear if any malicious actors discovered this database before the vpnMentor researchers did. However, if they did, they surely would have taken special notice of the users who had ridiculously basic passwords like “abcd1234.” BioStar should notify all users to change their passwords as a result of this breach, but users who are particularly lax are prime targets for attacks such as credential stuffing and spearphishing.
There is no question that terrorists will be keenly interested in any leaks of biometrics information. Spoofing of fingerprints and facial recognition data could potentially get them past critical access control systems. This possibility makes biometrics security incidents feel even more serious than the usual breaches of personal information.
Chris DeRamus, co-founder & CTO of DivvyCloud, had the following suggestions for any customers of BioStar or their employees who may have had personal details exposed by the breach:
“All individuals, including those potentially exposed in this breach, should consider checking Have I Been Pwned to see if their login credentials have been compromised. It is also critical to diversify passwords and usernames across different accounts, regularly change those passwords and enable multi-factor authentication (MFA) when possible for an extra layer of security.”
Why do cloud data breaches keep happening?
Leaky cloud-based databases have been making the news for years now. With so many high-profile incidents already, how do companies keep making this mistake – particularly a security company with a biometric database?
DeRamus provided some added thoughts on the issue:
“Leaving servers unprotected seems like such a simple mistake to avoid, but more and more companies suffer data breaches as the result of misconfigurations, and we read about them in the news almost every day. Suprema joins Aavgo, University of Chicago Medicine, Rubrik, Gearbest, Ascension and countless other organizations this year as victims of data leaks due to misconfigurations. The truth is, organizations are lacking the proper tools to identify and remediate insecure software configurations and deployments on a continuous basis. Automated cloud security solutions give companies the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, and they can even trigger automated remediation in real time.”
These database breaches are nearly always caused by human error. The worst cases are those in which the client never even follows the standard security setup, or misconfigures something that could have easily been fixed. The challenges for organizations and the need to stay on top of database configurations increases significantly as they move to multi-cloud network setups. With these different services tied together, it’s possible for a change or even a seemingly harmless update in one service to create a configuration issue in another. At minimum, organizations should be scanning their cloud services for vulnerabilities on a regular basis. For more complex setups, a vulnerability and exposure (VnE) manager can help to handle regular database security scans.