Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds
Biostar 2 goes supernova after Israeli duo's probings
Updated: Two infosec researchers found 27 million personal data records, including a million people's fingerprints, exposed to the public along with plaintext admin credentials for the Suprema Biostar 2 system they were associated with.
The database powering South Korean company Suprema Inc's Biostar 2 biometric access control system - which controls entry and exit to secure areas in buildings around the globe, with "1.5 million installations worldwide" - was "unprotected and mostly unencrypted", according to the internet privacy researchers who found the flaws.
Noam Rotem and Ran Locar, two noted Israeli security researchers, told the Graun they'd discovered the database while port-scanning in the hope of finding "familiar IP blocks". Having found the database, they were then able to "manipulate the URL search criteria in Elasticsearch", in the newspaper's words, to uncover plaintext passwords of admin accounts.
From there, the duo were able to change data and add new users, Rotem told the Guardian, as well as performing all the other tasks an admin-level user could perform.
Biostar 2 is used for monitoring who goes in and out of secure sites and buildings, such as offices and warehouses. The biometric system allows employees and visitors to those sites to use traditional RFID cards as well as fingerprints as a means of gaining recorded access to certain areas.
The brochure for Biostar 2, downloadable from Suprema's website, states: "This system safely stores all information about each user including the user's name, ID, PIN, access rights and fingerprint data by storing it on a single device."
Rotem and Locar's research was carried out in association with VPNmentor, one of NordVPN's trading names. A blog post published on VPNmentor's website today goes into more detail, including how they were able to access "client admin panels, dashboards, back end controls, and permissions", users' mugshots, employee security clearance levels, home addresses and contact information – and unencrypted plaintext passwords for user accounts.
"We were easily able to view passwords across the Biostar 2 database, as they were stored as plaintext files, instead of being securely hashed," wrote Rotem and Locar. "Instead of saving a hash of the fingerprint (that can't be reverse-engineered) they are saving people's actual fingerprints that can be copied for malicious purposes."
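As an added illustration, not code from the article, from Suprema or from BioStar 2, the Python below puts the storage pattern the researchers describe (the password kept verbatim in the record, so anyone who can read the index reads the credential) beside a hardened form: a per-user random salt, a slow salted PBKDF2-SHA256 derivation, and a constant-time comparison at login. The record field names, the iteration count and the sample credentials are assumptions made for the example. It covers passwords only; a fingerprint template cannot be protected the same way, because biometric matching is approximate rather than exact, so a conventional hash of a stored template would never match a fresh scan.

```python
"""Plaintext credential storage beside a hardened alternative.

Added example; not Suprema or BioStar 2 code. The record layout is a
constructed stand-in for whatever the exposed index actually held.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

# --- Weak pattern described in the article: the password is stored as-is ---

def store_plaintext(user: str, password: str) -> dict:
    """Return a record that carries the password verbatim.

    Anyone who can read the document (for example through an
    unauthenticated Elasticsearch index) recovers the credential directly.
    """
    return {"user": user, "password": password}


def check_plaintext(record: dict, attempt: str) -> bool:
    """Login check against a plaintext record (plain string comparison)."""
    return record["password"] == attempt


# --- Hardened pattern: salted, slow hash; constant-time comparison ---

# Assumed parameters for this example; tune the iteration count to the
# hardware the login service runs on.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_hashed(user: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record holding only a salted PBKDF2-SHA256 digest.

    A fresh random salt per user means two users with the same password
    get different digests, and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "user": user,
        "kdf": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def check_hashed(record: dict, attempt: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaks_password(record: dict, password: str) -> bool:
    """What a reader of the raw document sees: is the password itself in it?"""
    return password in json.dumps(record)


if __name__ == "__main__":
    # Constructed sample credential, not from the breach.
    weak = store_plaintext("alice", "hunter2")
    strong = store_hashed("alice", "hunter2")
    print("plaintext record leaks password:", leaks_password(weak, "hunter2"))
    print("hashed record leaks password:   ", leaks_password(strong, "hunter2"))
    print("login with hashed record:       ", check_hashed(strong, "hunter2"))
```

Both records authenticate the right user, but only the hashed one survives being read by an outsider: reading the document yields a salt and a digest that still cost an attacker the full PBKDF2 work per guess, instead of the credential itself.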
The hole was plugged yesterday, allegedly after the duo encountered difficulties getting Suprema to pay attention to their findings. The Register has asked the company if it wishes to comment on Rotem and Locar's discoveries.
In April this year, Rotem and Locar uncovered the exposure of 80 million US households' personal details online, while Rotem himself found a glaring vulnerability in airline tech firm Amadeus's passenger reservation system. ®
Updated to add at 1400, 20 August
Suprema got in touch to provide this statement: "Last week, we were made aware that some BioStar 2 customer user data was accessed by third party security researchers without authorization for a limited period of time. There are no indications that the data was downloaded during the incident based on the investigation to date. This incident relates to a limited number of BioStar 2 Cloud API users and does not affect Suprema's other clients, users or data. The vast majority of Suprema customers do not use BioStar 2 Cloud API in their access control and time management solutions.
"We launched an internal investigation and immediately closed the access point. In addition, we have also engaged a leading global forensics firm to conduct an in-depth investigation into the incident. Based on their investigation to date, they have confirmed that no further access has occurred, and that the scope of potentially affected users is significantly less than recent public speculation.
"We are in the process of identifying affected parties and engaging the relevant authorities and regulators."