Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds

Biostar 2 goes supernova after Israeli duo's probings

Two infosec researchers found 27 million personal data records, including a million people's fingerprints, exposed to the public along with plaintext admin credentials for the Suprema Biostar 2 system they were associated with.

The database powering South Korean company Suprema Inc's Biostar 2 biometric access control system - which controls entry and exit to secure areas in buildings around the globe, including "1.5 million installations worldwide" - was "unprotected and mostly unencrypted", according to the internet privacy researchers who found the flaws.

Noam Rotem and Ran Locar, two noted Israeli security researchers, told the Graun they'd discovered the database while port-scanning in the hope of finding "familiar IP blocks". Having found the database, they were then able to "manipulate the URL search criteria in Elasticsearch", in the newspaper's words, to uncover plaintext passwords of admin accounts.

From there, the duo were able to change data and add new users, Rotem told the Guardian, as well as performing all the other tasks an admin-level user could perform.

Biostar 2 is used for monitoring who goes in and out of secure sites and buildings, such as offices and warehouses. The biometric system allows employees and visitors to those sites to use traditional RFID cards as well as fingerprints as a means of gaining recorded access to certain areas.

The brochure for Biostar 2, downloadable from Suprema's website, states: "This system safely stores all information about each user including the user's name, ID, PIN, access rights and fingerprint data by storing it on a single device."

Rotem and Locar's research was carried out in association with VPNmentor, one of NordVPN's trading names. A blog post published on VPNmentor's website today goes into more detail, including how they were able to access "client admin panels, dashboards, back end controls, and permissions", users' mugshots, employee security clearance levels, home addresses and contact information – and unencrypted plaintext passwords for user accounts.

"We were easily able to view passwords across the Biostar 2 database, as they were stored as plaintext files, instead of being securely hashed," wrote Rotem and Locar. "Instead of saving a hash of the fingerprint (that can't be reverse-engineered) they are saving people's actual fingerprints that can be copied for malicious purposes."

The hole was plugged yesterday, allegedly after the duo encountered difficulties getting Suprema to pay attention to their findings. The Register has asked the company if it wishes to comment on Rotem and Locar's discoveries.

In April this year, Rotem and Locar uncovered the exposure of 80 million US households' personal details online, while Rotem himself found a glaring vulnerability in airline tech firm Amadeus's passenger reservation system. ®

Biting the hand that feeds IT © 1998–2019