HEY YOU! Yeah, you with the fingerprints! You might want to change your fingerprints as there’s been a breach. Oh, wait. That’s right, you can’t change your fingerprints (at least not without acid and pain). Well, that’s a bummer as over a million fingerprints and other biometrics have been found in a publicly accessible database.
HEY YOU! Yeah, you with the fingerprints! You might want to change your fingerprints as there’s been a breach.
Oh, wait. That’s right, you can’t change your fingerprints (at least not without acid and pain). Well, that’s a bummer as over a million fingerprints and other biometrics have been found in a publicly accessible database.
Worse still, the data from security firm Suprema is used by the likes of the Metropolitan Police, as well as banks and government contractors.
Also included are facial recognition points, user names and passwords, personal information and other dainties – and none of it was encrypted. It just sat there, publicly available if you knew where to find it.
Suprema’s primary purpose is for secure access to buildings and office premises via its Biostar 2 biometric system. It was recently integrated with the AEOS access control system, meaning it’s in use in 5700 organisations in 83 countries.
Security researchers in Israel were commissioned for an entirely separate project by VPN site vpnmentor. The discovery of the dodgy database was a side-effect. Certainly, no one should expect to see 27.8m personally identifiable records spanning 23 gigabytes, in the clear.
The resulting paper was released to The Guardian this week ahead of publication at vpnmentor.
Best practice would have seen the fingerprints turned into unbreakable hashes, but not only was this database leaky, but it was also storing the actual fingerprints – the ones that you can’t change, as images. Literally, how dumb is that.
The researchers had attempted to contact someone at Suprema before going public (as is the recognised polite practice) and received no reply, though the vulnerability is now closed.
Speaking to The Guardian, Andy Ahn, Head of Marketing at Suprema said:
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,”
Clearly, Suprema is trying to pass this off as no-big-deal – but let’s remember, if identifiable fingerprints get into the public domain, it’s game over – we won’t be able to use them any more. So it is a big deal. A ruddy big deal.
Now, where’s that bottle of acid? μ