Image credit: Yui Mok - PA Images via Getty Images

Massive biometric security flaw exposed more than one million fingerprints

The system is used by banks, police and defence companies.

A biometrics system used by banks, UK police and defence companies has suffered a major data breach, revealing the fingerprints of more than one million people as well as unencrypted passwords, facial recognition information and other personal data.

Biostar 2, the biometric lock system managed by security company Suprema, uses fingerprints and facial recognition technology to give authorised individuals access to buildings. Last month the platform was integrated into another access control system, AEOS, which is used by 5,700 organisations across 83 countries, including the UK Metropolitan Police.

The security flaw was picked up by Israeli researchers Noam Rotem and Ran Locar, from VPN review service vpnmentor. In a routine network scan conducted last week, the pair found that Biostar 2's database was publicly available, and that by manipulating URL search criteria they were able to access nearly 28 million records and 23GB of data, including fingerprints, facial recognition data, passwords and security clearance information.

Speaking to The Guardian, Rotem said that the flaw meant he could change data and add new users, which would allow him to add his own fingerprint to the system and access whatever facilities an original user was permitted to access. He added that not only was the sheer scale of the breach shocking -- the service is used in 1.5 million locations around the world -- but the nature of the data leak will have future consequences: you can change a password but you can't change your fingerprint.

Rotem said the team made numerous attempts to get in touch with Suprema before taking their findings to the press, but have not yet had a response. However, Suprema's head of marketing, Andy Ahn, told The Guardian that the company had made an "in-depth evaluation" of vpnmentor's research and would let customers know if there was a threat.

"If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers' valuable businesses and assets," he said. The vulnerability has since been closed.
