Suprema plays down leaked fingerprint reports

  • The biometric-security firm Suprema has played down reports that its software exposed “a million” fingerprints earlier this month, leaving them open to online attackers.

    The company’s Biostar 2 programme was accessed online earlier this month by the Israeli cyber-security researchers Noam Rotem and Ran Locar, who say they found substantial data belonging to companies that use the system.

    Suprema said the access point had now been closed and an investigation had found the scope of the leak to be "significantly less" than reported.

    The cyber-security researchers involved, however, are standing by their research.

    They found that Biostar 2’s database, an Elasticsearch instance, was unprotected and mostly unencrypted. Because the instance accepted queries without authentication, they were able to retrieve records simply by altering the search parameters in the request URL.

    Mr Rotem told BBC News the evidence he had obtained definitely indicated that large amounts of biometric data had been made available online.

    Facial recognition data, unencrypted usernames and passwords, and employees’ personal information were also found in the publicly accessible database.
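The exposure described above is an Elasticsearch instance that answers queries with no credentials. What follows is an added example, not code from the article, from the researchers or from Suprema: a small Python probe that checks whether an endpoint lists its indices and returns documents without authentication, and flags sampled field names that look like credentials or biometric templates. The host es.example, the index names and the sample document are constructed so the block runs offline; against a real host this is only appropriate with the owner's authorisation.

```python
# Added example (not from the article or from Suprema/vpnMentor): a minimal
# probe for the class of exposure described above, an Elasticsearch endpoint
# that answers queries with no credentials. The host es.example and the
# index/field names are constructed for the offline demonstration.
import json
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import quote

SENSITIVE_HINTS = ("password", "passwd", "fingerprint", "face", "biometric", "template")


def default_fetch(url, timeout=5):
    """GET url with no Authorization header; return (status, body_text)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except URLError:
        return 0, ""


def search_url(base, index, query="*", size=1):
    """Build a URI-search request: the whole query lives in the q= parameter,
    which is why an unauthenticated cluster can be browsed by editing the URL."""
    return f"{base.rstrip('/')}/{quote(index, safe='')}/_search?q={quote(query, safe='')}&size={size}"


def probe(base, fetch=default_fetch):
    """Return a dict describing whether base answers without authentication
    and, if so, which indices exist and what fields a sample document holds."""
    report = {"reachable": False, "unauthenticated": False,
              "indices": [], "sample_fields": {}}
    status, body = fetch(f"{base.rstrip('/')}/_cat/indices?format=json")
    if status in (401, 403):
        report["reachable"] = True          # something is enforcing auth
        return report
    if status != 200:
        return report                       # down, filtered, or not Elasticsearch
    report["reachable"] = True
    report["unauthenticated"] = True
    report["indices"] = [row["index"] for row in json.loads(body)]
    for index in report["indices"]:
        status, body = fetch(search_url(base, index))
        if status != 200:
            continue
        hits = json.loads(body).get("hits", {}).get("hits", [])
        if hits:
            report["sample_fields"][index] = sorted(hits[0].get("_source", {}))
    return report


def sensitive_fields(report):
    """Field names from the sampled documents that look like credentials or biometrics."""
    found = set()
    for fields in report["sample_fields"].values():
        for name in fields:
            if any(h in name.lower() for h in SENSITIVE_HINTS):
                found.add(name)
    return sorted(found)


# Constructed responses standing in for a live cluster so the demo runs offline.
FAKE_BASE = "http://es.example:9200"
FAKE_OPEN = {
    "/_cat/indices?format=json": (200, json.dumps([{"index": "users"}, {"index": "access_logs"}])),
    "/users/_search?q=%2A&size=1": (200, json.dumps({"hits": {"hits": [{"_source": {
        "username": "alice", "password": "hunter2", "fingerprint_template": "QUJD"}}]}})),
    "/access_logs/_search?q=%2A&size=1": (200, json.dumps({"hits": {"hits": []}})),
}


def open_cluster_fetch(url, timeout=5):
    """Stand-in for default_fetch against a cluster with no authentication."""
    return FAKE_OPEN.get(url[len(FAKE_BASE):], (404, "{}"))


def secured_cluster_fetch(url, timeout=5):
    """Stand-in for default_fetch against a cluster that requires credentials."""
    return 401, '{"error":"missing authentication credentials"}'


if __name__ == "__main__":
    rep = probe(FAKE_BASE, open_cluster_fetch)
    print("open cluster:", rep, "sensitive:", sensitive_fields(rep))
    print("secured cluster:", probe(FAKE_BASE, secured_cluster_fetch))
```

The probe deliberately requests one document per index (`size=1`), which is the same restraint the researchers describe: enough to establish what the index holds without copying it. The corresponding fix on the server side is to require authentication on the HTTP layer (in current Elasticsearch releases, `xpack.security.enabled: true`) and to avoid binding `network.host` to a publicly routable interface, so that the probe's first request returns 401 rather than an index listing.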

    South Korea-headquartered Suprema makes a range of products, including fingerprint readers that allow companies to control access to specific areas of sites or buildings. The Biostar 2 programme uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.

    Last month, Suprema announced the platform was integrated into another access control system – AEOS, which is used by 5,700 organisations in 83 countries, including governments, banks, defence contractors and even the UK Metropolitan police.

    However, a police spokeswoman told BBC News: "No Met biometrics systems have been exposed as part of this breach based on our assessment."

    The company said in a statement that they were “made aware that some Biostar 2 customer user data was accessed by third-party security researchers without authorisation for a limited period of time. There are no indications that the data was downloaded during the incident based on the investigation to date. We have also engaged a leading global forensics firm to conduct an in-depth investigation into the incident.”

    "Based on their investigation to date, they have confirmed that no further access has occurred and that the scope of potentially affected users is significantly less than recent public speculation."

    Suprema added it was in the process of identifying affected parties and engaging with relevant regulators and authorities.

    The dispute over the size of the leak stems partly from the fact that the researchers, according to Mr Rotem, “did not download everything, because it would be unethical”. He added that they had taken “hundreds” of data samples, which appeared to encode fingerprint patterns, from a random selection of accounts in the Biostar 2 dataset.

    They then used Suprema's software to convert about half a dozen examples into visible fingerprint patterns.

    From this, they estimated the dataset contained "at least over a million" fingerprint patterns in total.

    Following the publication of VPNMentor's report on the data exposure, some had questioned the extent to which real fingerprint data had been accessible.

    However, a security researcher at University College London who was not involved in the work done by Mr Rotem and his team said he understood why the researchers did not download the full dataset, given there may be ethical and legal implications in doing so.

    "If they see a million files and they download 100 at random, there's a good reason to believe the rest have that data as well," said Dr Steven Murdoch.

    "They're limiting the privacy invasion for legal and ethical reasons. They've identified a problem - the scale is actually something for the regulator to sort out."

    This month has seen a marked rise in data leaks at online companies, with details of UK journalists leaked by the US Entertainment Software Association at the beginning of August, and the discovery that a security vulnerability in iPhone iMessage may allow online attackers to read personal data.


    Source: BBC News/Guardian

    About the author

    Niamh is a Sync NI writer with a previous background of working in FinTech and financial crime. She has a special interest in sports and emerging technologies.
