Hackers: biometric data of millions of users exposed on the internet
Fingerprints, facial scans, passwords and security clearances: a leak from Israel gave hackers access to the data of an international security firm.
Israeli security researchers tracked down a huge database of around one million fingerprints and other biometric data that could be accessed on the Web, virtually unprotected and unencrypted. The data comes from the Biostar 2 system of Korean security company Suprema, which claims to be Europe's market leader in biometric access control systems.
Biostar 2 works with fingerprints or facial scans on a web-based smart door lock platform that lets companies manage access control for their offices or warehouses themselves. As the Guardian reports, the system is also used by the British police and by several defense companies and banks.
The vulnerability was discovered by Israeli hackers Noam Rotem and Ran Locar, who work for the vpnMentor service. The vulnerability allowed full control over accounts in the system, Rotem told Calcalist.
Hackers are appalled by security standards
The two hackers had access to 27.8 million records and 23 gigabytes of data. These included fingerprint and facial recognition data, facial images of users, unencrypted usernames and passwords, access logs, security levels and clearances, and personal data of staff. Moreover, they could have created and manipulated records in the companies' accounts.
The hackers were horrified that the complete biometric data was largely stored unencrypted in the system. "Instead of storing a hash of the fingerprint that cannot be reconstructed, they store people's actual fingerprints, which can be copied for malicious purposes," the hackers told The Guardian. Rotem and Locar were also surprised at how poorly some of Suprema's customers had secured their accounts: "Many accounts contained ridiculously simple passwords such as 'password' and 'abcd1234'."
According to Suprema's marketing director Andy Ahn, the vulnerability has since been closed. He told the Guardian that the company had carried out an "in-depth assessment" of the information provided by vpnMentor. The company would inform its customers if there were a threat.