Privacy researchers at vpnMentor have uncovered a huge data breach in the security platform BioStar 2, a centralised biometric access control system used by UK police forces and major banks. BioStar 2 uses facial recognition and fingerprinting technology to control access to secure areas of facilities, manage user permissions, integrate with third-party security apps, and record activity logs.
vpnMentor says it was able to access over 27.8 million records, a total of 23 gigabytes of data, on a publicly accessible database.
Maybe the biggest concern in this leak is its size. BioStar 2’s users are spread around the world, with potential future users including governments, banks, universities, defense contractors, police, and multinational businesses.
"The platform has over 1.5 million worldwide installations, and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions," according to vpnMentor.
The leaked data includes detailed personal information of employees, unencrypted usernames and passwords, over 1 million fingerprint records, and facial recognition information.
Researchers at vpnMentor say the breach would enable hackers to gain complete access to admin accounts on BioStar 2, allowing them to change user accounts and create their own. Furthermore, hackers could replace the fingerprints of existing accounts with their own and hijack a user account to access restricted areas undetected.
Says the firm: "Hackers and other criminals could potentially create libraries of fingerprints to be used any time they want to enter somewhere without being detected."
The app is built by Suprema, one of the world’s top 50 security manufacturers, with the highest market share in biometric access control in the EMEA region. Suprema recently partnered with Nedap to integrate BioStar 2 into their AEOS access control system.
AEOS is used by over 5,700 organizations in 83 countries, including some of the biggest multinational businesses, many small local businesses, governments, banks, and even the UK Metropolitan Police.
The researchers say they made multiple unsuccessful attempts to contact Suprema before taking their report to the Guardian broadsheet late last week. Early Wednesday morning the vulnerability was closed.
"The trends we noticed before the start of the pandemic accelerated during the state of emergency. We saw this as an opportunity, a tipping point for the bank. Post-pandemic, there is no way we can return to the financial behaviour we had until February of this year. Romanians' relationship with online has changed. In addition, the physical card will dematerialise. We will see a decrease in demand for physical cards and, correspondingly, an increase in preference for their digital component."