Security researchers at VPNMentor say they gained access to 27.8 million records and 23 GB of data, including unencrypted fingerprint data, logs of facility access, security levels and clearance, and personal details of staff, after penetrating a poorly configured database of biometric security platform Biostar 2.
The white hats, Noam Rotem and Ran Locar, say they got a “mumbled” response when they tried to disclose the vulnerability by phone, no response to emails and failed to reach owner Suprema’s GDPR compliance officer.
Biostar 2 is “a web-based, open, and integrated security platform that provides comprehensive functionality for access control and time and attendance”.
Suprema’s head of marketing, Andy Ahn, told the Guardian: “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets.”
The initial breach was the result, in part, of a poorly configured Elasticsearch database. “We were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data” Rotem and Locar said.
Jake Moore, Cybersecurity Specialist at ESET, said: “Leaving passwords, including admin based passwords, unencrypted in 2019 is a schoolboy error.
“Password managers are a good start to store passwords and keep them different and complex. Secondly, setting up two-factor authentication for all accounts where possible will help mitigate more risks. The issue here is once your biometric data is stolen, your fingerprints and eyes only have a limited number of changes before there aren’t any more options…”
Biostar 2 Hack: Plain Text, Week Passwords, Worse…
Biostar 2 has the highest market share in biometric access control in the EMEA region, VPNMentor notes, adding that Suprema recently partnered with Dutch technology company Nedap to integrate Biostar 2 into their AEOS access control system.
AEOS is used by over 5,700 organizations in 83 countries, including some of the biggest multinational businesses, many small local businesses, governments, banks, and even the UK Metropolitan Police. While there is no claim that the latter has been breached, the incident raises further questions about supply chain security.
The UK companies exposed by this incident, listed in VPNmentor’s blog, appear to be generally low profile, including a Chinese medicine supplier and a tiling company. Data belonging to Germany’s Identbase, a commercial ID and access card printing technology firm was also found in the exposed database.
The possibility for escalating the attack seems substantial, however.
The white hats noted: “One of the more surprising aspects of this leak was how unsecured the account passwords we accessed were. Plenty of accounts had ridiculously simple passwords, like “Password” and “abcd1234”. It’s difficult to imagine that people still don’t realize how easy this makes it for a hacker.”
They added: “With this leak, criminal hackers have complete access to admin accounts on Biostar 2. They can use this to take over a high-level account with complete user permissions and security clearances, and make changes to the security settings in an entire network. Not only can they change user permissions and lock people out of certain areas, but they can also create new user accounts – complete with facial recognition and fingerprints – to give themselves accessto secure areas.”
John Sheehy, Director of Strategic Security Services at security services and research firm, IOActive, said in an emailed comment: “The more secure an organization itself is, the more attractive that organization’s supply chain becomes in the mind of the attacker. Most threat actors organizations face today are very smart.
“They know they don’t actually need to leverage a sophisticated, complex supply chain hack to wreak havoc on a network, steal data or intellectual property, or cause catastrophic damage. All they really need to do is look for the weak spots – such as plain text passwords, unpatched servers, unencrypted data and systems or send out a simple phishing email. That’s why, if you’re not protecting your own network against basic threat actors, doing your due diligence to properly patch, and holding your suppliers accountable for securing their own networks and encrypting data, you have no hope in protecting against nation-states or more capable threat actors.”