Image credit: Yui Mok - PA Images via Getty Images

Massive biometric security flaw exposed more than one million fingerprints

The system is used by banks, police and defence companies.

A biometrics system used by banks, UK police and defence companies has exposed the fingerprints of more than one million people, along with unencrypted passwords, facial recognition data and other personal information, in a major data breach.

Biostar 2, the biometrics lock system managed by security company Suprema, uses fingerprints and facial recognition technology to give authorised individuals access to buildings. Last month the platform was integrated into another access system -- AEOS -- which is used by 5,700 organizations across 83 countries, including the UK Metropolitan Police.

The flaw was found by Israeli researchers Noam Rotem and Ran Locar, from VPN review service vpnmentor. In a routine network scan conducted last week, the pair found that Biostar 2's database was publicly accessible, and that by altering the search criteria in the URL they were able to reach nearly 28 million records and 23GB of data, including fingerprints, facial recognition data, passwords and security clearance information.

Speaking to The Guardian, Rotem said that the flaw meant he could change data and add new users, which would allow him to add his own fingerprint to the system and access whatever facilities an original user was permitted to access. He added that not only was the sheer scale of the breach shocking -- the service is used in 1.5 million locations around the world -- but the nature of the data leak will have future consequences: you can change a password but you can't change your fingerprint.
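The two paragraphs above describe a flaw class rather than a specific bug: a database reachable without credentials, whose rows are selected by whatever filter the client puts in the URL, holding passwords in clear, and writable by the same unauthenticated path. The sketch below is an added illustration of that class and its fix, written for this page; it is not Biostar 2 or Suprema code, and the records, token table, field names and URLs are all constructed for the example. The vulnerable handler trusts the URL's `org` filter and returns every column; the hardened one takes the tenant from an authenticated session, lets the URL only narrow the result, strips secret columns, and stores new passwords as salted hashes.

```python
import os
from dataclasses import dataclass
from hashlib import pbkdf2_hmac
from hmac import compare_digest
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample records (fictional; not data from the breach). The fields
# mirror what the article says was exposed: passwords, biometric templates and
# clearance levels, held per organisation.
RECORDS = [
    {"id": 1, "org": "acme-bank", "user": "alice", "password": "Winter2019!",
     "fingerprint": b"\x01\x02\x03", "clearance": "vault"},
    {"id": 2, "org": "acme-bank", "user": "bob", "password": "bob1234",
     "fingerprint": b"\x04\x05\x06", "clearance": "lobby"},
    {"id": 3, "org": "metro-police", "user": "carol", "password": "correct-horse",
     "fingerprint": b"\x07\x08\x09", "clearance": "evidence-room"},
]
SENSITIVE_FIELDS = {"password", "fingerprint"}


def vulnerable_search(url: str) -> list:
    """Unauthenticated search whose only filter is whatever the URL says.

    No credential is checked and the 'org' parameter is trusted verbatim, so a
    caller can widen it ('org=*') and read every tenant's rows, plaintext
    passwords and fingerprint templates included.
    """
    qs = parse_qs(urlparse(url).query)
    org = qs.get("org", ["*"])[0]
    return [r for r in RECORDS if org == "*" or r["org"] == org]


@dataclass(frozen=True)
class Session:
    org: str  # tenant the token was issued to


# Constructed session table; a real service would issue these on login.
SESSIONS = {"tok-acme": Session(org="acme-bank")}


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (the exposed system stored passwords in clear)."""
    salt = salt or os.urandom(16)
    return salt + pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return compare_digest(candidate, digest)


def hardened_search(url: str, token: Optional[str]) -> tuple:
    """Authenticated, tenant-scoped search that drops secret columns.

    The tenant comes from the session, never from the URL, so the client cannot
    widen the filter; the URL may only narrow it (by user name).
    """
    session = SESSIONS.get(token or "")
    if session is None:
        return 401, []
    user = parse_qs(urlparse(url).query).get("user", [None])[0]
    rows = [r for r in RECORDS
            if r["org"] == session.org and (user is None or r["user"] == user)]
    return 200, [{k: v for k, v in r.items() if k not in SENSITIVE_FIELDS}
                 for r in rows]


def hardened_enrol(token: Optional[str], user: str, password: str,
                   fingerprint: bytes, clearance: str) -> tuple:
    """Authenticated write: the new user lands in the caller's own tenant and
    the password is persisted only as a salted hash."""
    session = SESSIONS.get(token or "")
    if session is None:
        return 401, None
    record = {"id": len(RECORDS) + 1, "org": session.org, "user": user,
              "password": hash_password(password), "fingerprint": fingerprint,
              "clearance": clearance}
    RECORDS.append(record)
    return 201, record["id"]


if __name__ == "__main__":
    # Widening the URL filter on the open endpoint returns all three tenants' rows.
    print(len(vulnerable_search("https://example.invalid/users?org=*")))
    # The same URL against the hardened endpoint yields only the caller's tenant.
    print(hardened_search("https://example.invalid/users?org=*", "tok-acme"))
```

Note that the hardened search ignores `org` from the URL entirely rather than validating it: the lesson from this incident is that a filter the client controls is not an access-control boundary, and the only safe scope is the one bound to the authenticated session.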

Rotem said the team made numerous attempts to get in touch with Suprema before taking their findings to the press, but had not yet received a response. However, Suprema's head of marketing, Andy Ahn, told The Guardian that the company had made an "in-depth evaluation" of vpnmentor's research and would let customers know if there was a threat.

"If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers' valuable businesses and assets," he said. The vulnerability has since been closed.
