Privacy researchers at vpnMentor have uncovered a huge data breach in the security platform BioStar 2, a centralised biometric access control system used by UK police forces and major banks. BioStar 2 uses facial recognition and fingerprint technology to control access to secure areas of facilities, manage user permissions, integrate with third-party security apps, and record activity logs.
vpnMentor says it was able to access over 27.8 million records, a total of 23 gigabytes of data, on a publicly accessible database.
Perhaps the biggest concern in this leak is its scale. BioStar 2's users are spread around the world, with potential future users including governments, banks, universities, defense contractors, police, and multinational businesses.
"The platform has over 1.5 million worldwide installations, and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions," according to vpnMentor.
The leaked data includes detailed personal information of employees, unencrypted usernames and passwords, over 1 million fingerprint records, and facial recognition information.
Researchers at vpnMentor say the breach would enable hackers to gain complete access to admin accounts on BioStar 2, allowing them to change user accounts and create their own. Furthermore, hackers could replace the fingerprints on existing accounts with their own and hijack a user account to access restricted areas undetected.
Says the firm: "Hackers and other criminals could potentially create libraries of fingerprints to be used any time they want to enter somewhere without being detected."
The app is built by Suprema, one of the world’s top 50 security manufacturers, with the highest market share in biometric access control in the EMEA region. Suprema recently partnered with Nedap to integrate BioStar 2 into their AEOS access control system.
AEOS is used by over 5,700 organizations in 83 countries, including some of the biggest multinational businesses, many small local businesses, governments, banks, and even the UK Metropolitan Police.
The researchers say they made multiple unsuccessful attempts to contact Suprema before taking their findings to the Guardian newspaper late last week. Early Wednesday morning the vulnerability was closed.
"For more than a week now, ScoreRise enrolls daily hundreds of users through an innovative facial recognition interface. Enrollment takes less than a minute and it does not require presence of a human operator or video recording. And, of course, it stays fully GDPR compliant with help from Reff & Associates and Deloitte Romania."