
Massive biometric security flaw exposed nearly 28 million records

By Shawn Knight · 15 replies
Aug 14, 2019 at 12:18 PM
  1. Security researchers with vpnMentor, a service that reviews virtual private network providers, recently found a publicly accessible database that was unprotected and mostly unencrypted.

    The database belonged to Suprema, the security company behind the widely used Biostar 2 biometrics lock system deployed at facilities around the globe. By manipulating URL search criteria in Elasticsearch, the researchers were able to gain access to a database with nearly 28 million records.

    The database held 23GB of data, including fingerprint data, facial recognition data, dashboards, admin panels, images of faces, facility access logs, security levels and clearances, unencrypted usernames and passwords, and personal details of staff.

    In testing, the researchers said they were able to access data from a medicine supplier in the UK, a car parking space developer in Finland, a gym in India and co-working organizations in the US and Indonesia. They were even able to change data and add new users.

    Masthead credit: holographic fingerprint by ktsdesign

    Last edited by a moderator: Aug 14, 2019 at 4:03 PM
  2. Nero7

    Nero7 TS Evangelist Posts: 421   +170


    One more revelation of the era of Trump.

    Keep 'em coming.

    I knew exactly why I still use numbers for unlocking my stuff. Your old god called convenience betrayed you.

    In other news, in China the face replaces the signature.
    Last edited: Aug 14, 2019 at 12:28 PM
    Misagt likes this.
  3. QuantumPhysics

    QuantumPhysics TS Evangelist Posts: 1,363   +1,001

    Big surprise
  4. Scshadow

    Scshadow TS Evangelist Posts: 574   +228

    Are you okay? You don't sound okay.
  5. Hexic

    Hexic TS Evangelist Posts: 524   +353

    Did you hurt yourself with that reach?
  6. Igrecman

    Igrecman TS Maniac Posts: 300   +178

    The Police all over the world would surely like to get all those fingerprints and ID to add to their database. I bet they would dare to add it without any authorization if the flaw allowed it.
  7. stewi0001

    stewi0001 TS Evangelist Posts: 2,219   +1,657

    I went to Suprema's website, scrolled down a little and saw:

    "The best decision to protect your business"

    Well that isn't true anymore! XD
    Impudicus likes this.
  8. Skjorn

    Skjorn TS Maniac Posts: 370   +208

    Impudicus likes this.
  9. Trillionsin

    Trillionsin TS Evangelist Posts: 1,822   +419

    I typed out a random funny comment for this, and then I was just like... yup, just another day and started asking why this is acceptable for companies. The fines for these data breaches should potentially put companies OUT of business, then they will start worrying more about being "The best decision to protect your business." but I suppose that would give more control to government and nobody really wants that, but maybe we need it. Companies don't actually care about our personal data, and apparently only have a light obligation to worry about it. Other news, we get $100 for the Equifax data breach? I know that adds up, but individually, if your information is compromised that's worth a lot more than $100... but I guess that's just my opinion.
    wiyosaya and Nero7 like this.
  10. Capaill

    Capaill TS Evangelist Posts: 917   +505

    Ho. Ly. Sh. It.
    Yet another case of security having no security. Thanks guys!
    I must send my CV to them, looks like they'll hire anyone, no security competence needed.
  11. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,780   +1,166

    Wait until they are hit with a GDPR fine.
  12. Nero7

    Nero7 TS Evangelist Posts: 421   +170

  13. Danny101

    Danny101 TS Guru Posts: 817   +324

    This is why I don't utilize biometric unlocking mechanisms.
  14. Uncle Al

    Uncle Al TS Evangelist Posts: 5,503   +3,890

    ROFLMAO ..... well, so much for secure log-ons ...... just wait until they break into the data bank with all those eyeball records!
  15. Nero7

    Nero7 TS Evangelist Posts: 421   +170

  16. VitalyT

    VitalyT Russ-Puss Posts: 4,524   +3,085

    Just checked for mine, it's not there, so we're good then.
