Massive biometric security flaw exposed nearly 28 million records

Shawn Knight

TechSpot Staff
Staff member

Security researchers with vpnmentor, a service that reviews virtual private network providers, recently found a publicly accessible database that was unprotected and mostly unencrypted.

The database in question belonged to Suprema, a security company that’s responsible for the widely used Biostar 2 biometrics lock system in use at facilities around the globe. By manipulating URL search criteria in Elasticsearch, the researchers were able to gain access to a database with nearly 28 million records.

Said database included 23GB worth of data including fingerprint data, facial recognition data, dashboards, admin panels, images of faces, facility access lots, security levels and clearances, unencrypted usernames and passwords and personal details of staff.

In testing, the researchers said they were able to access data from a medicine supplier in the UK, a car parking space developer in Finland, a gym in India and co-working organizations in the US and Indonesia. They were even able to change data and add new users.

Masthead credit: holographic fingerprint by ktsdesign

Permalink to story.

 
Last edited by a moderator:

Nero7

TS Evangelist
LMAO

One more revelation of the era of Trump.

Keep em coming.

I knew exactly why I still use numbers for unlocking my stuff. Your old god called convenience betrayed you.

In other news in china the face replaces the signature.
 
Last edited:
  • Like
Reactions: Misagt

Igrecman

TS Maniac
The Police all over the world would surely like to get all those fingerprints and ID to add to their database. I bet they would dare to add it without any authorization if the flaw allowed it.
 

stewi0001

TS Evangelist
Platinum
I went to Suprema's website, scrolled down a little and saw:

"The best decision to protect your business"

Well that isn't true anymore! XD
 
  • Like
Reactions: Impudicus

Skjorn

TS Guru
LMAO

One more revelation of the era of Trump.

Keep em coming.

I knew exactly why I still use numbers for unlocking my stuff. Your old god called convenience betrayed you.

In other news in china the face replaces the signature.
RREEEEEEEEE!!!
 
  • Like
Reactions: Impudicus

Trillionsin

TS Evangelist
I typed out a random funny comment for this, and then I was just like... yup, just another day and started asking why this is acceptable for companies. The fines for these data breaches should potentially put companies OUT of business, then they will start worrying more about being "The best decision to protect your business." but I suppose that would give more control to government and nobody really wants that, but maybe we need it. Companies don't actually care about our personal data, and apparently only have a light obligation to worry about it. Other news, we get $100 for the Equifax data breach? I know that adds up, but individually, if your information is compromised that's worth a lot more than $100... but I guess that's just my opinion.
 
  • Like
Reactions: wiyosaya and Nero7

Capaill

TS Evangelist
Ho. Ly. Sh. It.
Yet another case of security having no security. Thanks guys!
I must send my CV to them, looks like they'll hire anyone, no security competence needed.
 

Uncle Al

TS Evangelist
ROFLMAO ..... well, so much for secure log on's ...... just wait until they break into the data bank with all those eyeball records!