Suprema's Biostar 2 has recently become integrated with Nedap's AEOS access control system, used by close to 6,000 organizations worldwide including enterprises, SMBs, governments, banks, and the UK Metropolitan Police.
According to Rotem and Locar, "huge parts of Biostar 2's database are unprotected and mostly unencrypted."
An Elasticsearch database was in use which is not typically designed with URLs in mind, but the team was able to access the database through a browser and perform searches of the exposed information.
The data breach leaked over 27.8 million records, accounting for roughly 23GB of data. Amongst the information leaked was over one million fingerprint records, images of users and linked facial recognition data, records of entry to secure areas, employee information, user security levels and clearances, staff personal details -- such as their email and home addresses -- and mobile device records.
In addition, the database leaked plaintext, unencrypted access credentials belonging to employees, which the cybersecurity researchers say could be used by attackers to gain unauthorized access to secure facilities.
Many of the account credentials used simple passwords, such as "Password" or "abcd1234," which by rights should not ever be allowed to be created in the first place -- and certainly not by a security platform.
vpnMentor said clients involved in the security lapse include coworking companies in the US, India, and Sri Lanka; a medical company in the UK, DIY suppliers, a traditional Chinese medical supplier, festival organizers, and human resource firms, among others.
A leak of this nature is a serious affair. Biometric information cannot be changed in the same way as a credit card number, and once compromised, there is no going back. In addition, the account takeover potential and the ability to potentially add fingerprints and images to accounts to tamper with secure facilities should be considered alarming.
"Hackers can change the fingerprints of existing accounts to their own and hijack a user account to access restricted areas undetected," the researchers say. "Hackers and other criminals could potentially create libraries of fingerprints to be used any time they want to enter somewhere without being detected."
vpnMentor says that after reaching out to Biostar 2 two days after discovery, on August 7, the company was "generally very uncooperative throughout this process."
Emails failed, phone calls were made and the researchers were hung up on, and in one case, the reply given was, "we don't speak to vpnMentor." Attempts to contact the firm's GDPR compliance officer were also ignored.
The researchers eventually made contact with the French arm of Biostar 2 which was cooperative and the breach was closed on August 13. vpnMentor said:
"As ethical hackers, we are obliged to reach out to websites when we discover security flaws. This is especially true when a company's data breach affects so many people and contains such sensitive data.
However, these ethics also mean we carry a responsibility to the public. Biostar 2 customers and their employees must be aware of the risks they take when using technology that makes so little effort to protect their users."
ZDNet has reached out to Suprema and the UK Metropolitan Police and will update if we hear back.
These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)