Biometrics promise stronger authentication, but fingerprints are one more category of sensitive data that can be exposed, and unlike a password a fingerprint cannot be changed once it leaks. That was the case for a company whose vulnerability exposed the biometric data of more than 1 million people.
According to The Guardian, the flaw has since been fixed, but it exposed facial recognition records as well as usernames and unencrypted passwords. The data is held by Suprema, a company that sells biometric security systems.
The product, Biostar 2, uses fingerprints and facial recognition to control entry to areas such as offices and warehouses. In July, Suprema announced the integration of Biostar 2 with AEOS, another access control system, used by 5,700 organizations including governments, banks and the London police.
The breach was discovered by security researchers Noam Rotem and Ran Locar, working with vpnMentor, a website that reviews VPN services. As a side project, they were scanning ports on known IP blocks looking for flaws in company systems.
In Suprema's case, they could reach the database from an ordinary web browser, and by manipulating the URL they could view still more information. They identified records from companies in countries including the United States, the United Kingdom, Japan, Germany and India.
The researchers counted 27.8 million records, equivalent to 23 GB of data, including fingerprints, facial recognition data, photos, usernames and passwords, access logs and information about security levels.
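As an added example (not Suprema's code and not taken from the Guardian or vpnMentor reports), the Python below contrasts the kind of record the researchers describe, with the password stored in the clear, against salted, iterated hashing with a constant-time check. The sample record, its username and its password are constructed for the example; the scheme is PBKDF2-HMAC-SHA256 from the standard library, with the iteration count chosen to match OWASP's current guidance.

```python
import hashlib
import hmac
import os

# Constructed sample record: a credential stored the way the exposed
# database reportedly stored it, with the password in plain text.
PLAINTEXT_RECORD = {"username": "jdoe", "password": "Summer2019!"}

# OWASP's recommended minimum for PBKDF2-HMAC-SHA256 (2023 cheat sheet).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing string: algorithm$iterations$salt$digest (hex).

    A fresh 16-byte random salt is drawn unless one is supplied, so two users
    with the same password get different stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or foreign record: never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def harden_record(record: dict) -> dict:
    """Replace the clear-text password with its salted hash.

    The returned record carries no 'password' key at all: if the database is
    later exposed, an attacker gets a slow-to-crack hash instead of the secret.
    """
    return {
        "username": record["username"],
        "password_hash": hash_password(record["password"]),
    }


if __name__ == "__main__":
    hardened = harden_record(PLAINTEXT_RECORD)
    print(hardened)
    print("login ok:", verify_password("Summer2019!", hardened["password_hash"]))
    print("wrong pw:", verify_password("summer2019!", hardened["password_hash"]))
```

This only addresses the password field. A fingerprint or face template has to be compared against a fresh capture rather than matched by exact digest, so it cannot be protected by one-way hashing in the same way; it needs encryption at rest and strict access control on the store instead, which is also why a leaked template is more damaging than a leaked hash.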
The access was so broad that they could add users to the database, which would have let unauthorized people into company facilities. Suprema's head of marketing, Andy Ahn, told the Guardian that the company had begun a “deep assessment” and would inform its customers if necessary.
“If there is any definite threat to our products and/or services, we will take immediate action and make appropriate announcements to protect our customers’ valuable business and assets,” he said.