Massive Suprema Biostar 2 Security Flaw Leaks Biometric Data On 1 Million Users

Unfortunately, we have another security breach to report on today, and this one involves biometric data on over a million people that was improperly secured. The system in question is the Suprema Biostar 2 platform, which is used to secure commercial and government buildings around the globe.

Vpnmentor security researchers Noam Rotem and Ran Locar discovered the exploit, which made fingerprint/facial recognition data along with unhashed passwords and usernames available through a publicly accessible database. In total, nearly 28 million records were accessible, weighing in at 23 gigabytes.


“We were able to find plain-text passwords of administrator accounts,” Rotem explained. “Millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even.”

Even more concerning is the fact that, as Rotem adds, “We [were] able to change data and add new users." In practice, the researchers could have added their own fingerprint data to the database or changed the existing fingerprint or facial information in any record. So, in theory, an attacker could add their own photo and fingerprint to the database and gain access to secure facilities through this flaw.

Considering that the Biostar 2 platform is now linked with the complementary AEOS security system, which is used in 83 countries around the world, the implications of this security breach could have been far reaching. It doesn't take a rocket scientist to realize that unauthorized parties entering secure areas of commercial and government buildings represents an even greater, physical security threat on top of the primary cybersecurity threat.

Suprema was initially unresponsive when the Vpnmentor team approached it with the findings. While Suprema never responded to the researchers directly, the security holes were closed this morning. However, a spokesman for Suprema did tell The Guardian that it would alert its customers if any of their data was compromised by a malicious party. At this point, it is unknown whether unscrupulous hackers were able to pilfer data through the security hole before Rotem and Locar made their discovery.