Yottabytes: Storage and Disaster Recovery

Aug 18 2019   9:47PM GMT

Hacked Biometric Database Could Cause Problems

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

Tags:
Biometrics
privacy
Security

About a year ago, it was discovered that a DNA database was hacked. At least, sort of. It was just email addresses of the users of the DNA database, not any of the DNA itself. And everyone heaved a huge sigh of relief at that, because losing data like that would be really bad.

Now, some data like that has been stolen.

“BioStar 2 is a web-based biometric security smart lock platform. A centralized application, it allows admins to control access to secure areas of facilities, manage user permissions, integrate with 3rd party security apps, and record activity logs,” writes vpnMentor, an organization that reviews VPNs, particularly their security. “Our team was able to access over 1 million fingerprint records, as well as facial recognition information. Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive. Once stolen, fingerprint and facial recognition information cannot be retrieved. An individual will potentially be affected for the rest of their lives.”

Well, that’s a bummer.

The security software, produced by a company called Suprema, is used by a variety of companies worldwide, including  UK Metropolitan police, defense contractors, and banks, according to Josh Taylor in the Guardian newspaper.

The problem with stealing biometrics, such as fingerprints and faces, as opposed to credit card numbers, is that while people can always get a new credit card if one gets compromised, they can’t get new fingerprints or faces. This is related to the problem of medical identity theft: It’s not something you can change.

The breach was discovered on August 5, reported on August 7, and closed on August 13, the organization writes. Altogether, the company said it was able to access more than 27.8 million records, a total of 23 gigabytes of data. It isn’t clear how long the vulnerability was there, according to Chris Baraniuk of the BBC.

As with many other breaches, this one happened because the security for the system was so bad, the organization writes. Some people had really poor passwords, and even the good passwords were stored in plain text in a database, meaning that anyone who hacked into the database could have access to the data.

“The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance, and the fact that BioStar 2 is built by a security company,” the organization writes. For example, instead of saving a hash of the fingerprint (that can’t be reverse-engineered) the company saved people’s actual fingerprints, which could be copied for malicious purposes, it warns.

So what sorts of things could hackers do with the stolen data?

  • Take over a high-level account, with user permissions and security clearances, and make changes to the security settings in a network
  • Change user permissions and lock people out of certain areas
  • Create new user accounts to give people accessto secure areas
  • Change the fingerprints of existing accountsto their own and hijack a user account to access restricted areas undetected
  • Gain access to activity logs, so they can delete or alter the data to hide their activities

The one bit of good news, according to one security researcher on Twitter, is that perhaps the data was just test data and not actual data. But it isn’t clear yet, and, not surprisingly, Suprema isn’t talking; there’s been very little new information after the initial report.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: