Biostar 2 Breach: Fingerprints and Facial Recognition available on open API

A huge security hole exposed the fingerprints of over 1 million people, along with facial recognition information, unencrypted usernames and passwords, and employment details, from Biostar 2, a biometric security platform made by South Korea-based Suprema Inc. that manages building access and physical security for thousands of companies worldwide.

vpnMentor, a security testing company, was able to connect directly to the underlying Elasticsearch database over web connections. They found not only that the data was accessible without any security, but also that most of the database, including passwords, was stored in plain text with no encryption.

What was more disturbing is that when vpnMentor tried to alert the Biostar 2 team to the breach, they found the company unresponsive – here’s what vpnMentor said on their blog posting:

However, we found BioStar 2 generally very uncooperative throughout this process. Our team made numerous attempts to contact the company over email, to no avail. Eventually, we decided to reach out to BioStar 2’s offices by phone. Again, the company was largely unresponsive. 

Upon speaking to a member of their German team, we received a mumbled reply that “we don’t speak to vpnMentor”, before the phone was suddenly hung up. This suggests they were aware of us, and our attempts to resolve the issue.

If the only option was to turn off the HTTP interface to Elasticsearch, the team might have found itself shutting down access to thousands of buildings around the world. The balance between access and security should never be this kind of Catch-22 where neither choice is acceptable: either choice alienates your customers and will cost millions of dollars.

As a side note, Cloudentity’s MicroPerimeter™ Edge solution can be put in front of any HTTP resource, making it easier to add scalable security to web infrastructure like this.

The original vpnMentor blog can be found here:
https://www.vpnmentor.com/blog/report-biostar2-leak/

And here are a few more news links:

The Guardian: Major breach found in biometrics system used by banks, UK police and defence firms
https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms

The Verge: Huge security flaw exposes biometric data of more than a million users
https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data

BusinessCloud: “Atrocious” security practice caused fingerprint hack
https://www.businesscloud.co.uk/news/atrocious-security-practice-caused-fingerprint-hack