Israeli researchers said Wednesday they had discovered a publicly accessible database, belonging to a widely deployed biometric access-control platform, that let anyone in the world retrieve over a million fingerprints, facial-recognition records, usernames, passwords and more.
The tool, Biostar 2 by South Korean firm Suprema, is used by thousands of companies and organizations including banks, defense companies and British police to control entry into secure locations and identify authorized persons.
The experts said the leak may have revealed millions of people’s data.
Cybersecurity experts Noam Rotem and Ran Locar, working with the website VPNmentor, said biometric data stored on Suprema's servers had been found publicly reachable and unprotected.
The data amounted to 23 gigabytes and 30 million records, they said.
“We were able to find plain-text passwords of administrator accounts,” Rotem told the Guardian. “The access allows first of all seeing that millions of users are using this system to access different locations, and seeing in real time which user enters which facility, or even which room in each facility.”
He added that the team was able to change data in files and add new unauthorized users to the database, undermining security at numerous sites.
VPNmentor said in a blog post the data “could be used in a wide range of criminal activities that would be disastrous for both the businesses and organisations affected, as well as their employees or clients.”
Rotem added that Suprema had resisted the team's efforts to contact the company. The researchers have not heard back from the firm, though the database was no longer reachable after the exposure came to light.
But Rotem noted that once biometric data is out in the open, there’s no going back, as individuals cannot change their faces or prints.
A company spokesman said the firm had looked into the matter but did not acknowledge a breach.
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” he said.
Rotem added that such issues were disturbingly common, and that he contacts multiple companies a week to report insecure data.
“It’s very common. There’s literally millions of open systems,” he said. “And some of the systems are quite sensitive.”