Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds

Biostar 2 goes supernova after Israeli duo's probings


Updated Two infosec researchers found 27 million personal data records, including a million people's fingerprints, exposed to the public along with plaintext admin credentials for the Suprema Biostar 2 system they were associated with.

The database powering South Korean company Suprema Inc's Biostar 2 biometric access control system - which controls entry and exit to secure areas in buildings around the globe, including "1.5 million installations worldwide" - was "unprotected and mostly unencrypted", according to the internet privacy researchers who found the flaws.

Noam Rotem and Ran Locar, two noted Israeli security researchers, told the Graun they'd discovered the database while port-scanning in the hope of finding "familiar IP blocks". Having found the database, they were then able to "manipulate the URL search criteria in Elasticsearch", in the newspaper's words, to uncover plaintext passwords of admin accounts.

From there, the duo were able to change data and add new users, Rotem told the Guardian, as well as performing all the other tasks an admin-level user could perform.

Biostar 2 is used for monitoring who goes in and out of secure sites and buildings, such as offices and warehouses. The biometric system allows employees and visitors to those sites to use traditional RFID cards as well as fingerprints as a means of gaining recorded access to certain areas.

The brochure for Biostar 2, downloadable from Suprema's website, states: "This system safely stores all information about each user including the user's name, ID, PIN, access rights and fingerprint data by storing it on a single device."

Rotem and Locar's research was carried out in association with VPNmentor, one of NordVPN's trading names. A blog post published on VPNmentor's website today goes into more detail, including how they were able to access "client admin panels, dashboards, back end controls, and permissions", users' mugshots, employee security clearance levels, home addresses and contact information – and unencrypted plaintext passwords for user accounts.

"We were easily able to view passwords across the Biostar 2 database, as they were stored as plaintext files, instead of being securely hashed," wrote Rotem and Locar. "Instead of saving a hash of the fingerprint (that can't be reverse-engineered) they are saving people's actual fingerprints that can be copied for malicious purposes."
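What "securely hashed" means in practice, as an added illustration that is not part of the article or of Suprema's product: a constructed user record stored with a salted PBKDF2-HMAC-SHA256 derivation instead of the typed password, so that an exposed index yields no usable credential while logins still verify. All names and values below are assumptions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; tune to your hardware).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Return the fields to persist: a per-user random salt and the derived key.
    The password itself is never stored."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def record_exposes_password(record: dict, password: str) -> bool:
    """Model the exposed-index case: does any stored field equal the password?"""
    return any(value == password for value in record.values())


def build_records(username: str, password: str) -> tuple:
    """Constructed pair of records: plaintext storage beside hashed storage."""
    plaintext = {"username": username, "password": password}
    hashed = {"username": username, **hash_password(password)}
    return plaintext, hashed


if __name__ == "__main__":
    plain, hashed = build_records("admin", "CorrectHorse1")  # constructed credential
    print("plaintext record leaks password:", record_exposes_password(plain, "CorrectHorse1"))
    print("hashed record leaks password:   ", record_exposes_password(hashed, "CorrectHorse1"))
    print("login still verifies:           ", verify_password(hashed, "CorrectHorse1"))
```

Two users who pick the same password get different stored hashes because each record carries its own salt, which also defeats precomputed lookup tables against a dumped index.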

The hole was plugged yesterday, allegedly after the duo encountered difficulties getting Suprema to pay attention to their findings. The Register has asked the company if it wishes to comment on Rotem and Locar's discoveries.

In April this year, Rotem and Locar uncovered the exposure of 80 million US households' personal details online, while Rotem himself found a glaring vulnerability in airline tech firm Amadeus's passenger reservation system. ®

Updated to add at 1400, 20 August

Suprema got in touch to provide this statement: "Last week, we were made aware that some BioStar 2 customer user data was accessed by third party security researchers without authorization for a limited period of time. There are no indications that the data was downloaded during the incident based on the investigation to date. This incident relates to a limited number of BioStar 2 Cloud API users and does not affect Suprema's other clients, users or data. The vast majority of Suprema customers do not use BioStar 2 Cloud API in their access control and time management solutions.

"We launched an internal investigation and immediately closed the access point. In addition, we have also engaged a leading global forensics firm to conduct an in-depth investigation into the incident. Based on their investigation to date, they have confirmed that no further access has occurred, and that the scope of potentially affected users is significantly less than recent public speculation.

"We are in the process of identifying affected parties and engaging the relevant authorities and regulators."

Biting the hand that feeds IT © 1998–2022