Major breach found in biometrics system used by banks, UK police and defence firms

Prima o poi finirà questa ondata di entusiasmo per l’identificazione biometrica.

Link articolo originale

Archivio di tutti i clip:
(Notebook di Evernote).

Major breach found in biometrics system used by banks, UK police and defence firms

Fingerprints, facial recognition and other personal information from Biostar 2 discovered on publicly accessible database


Wed 14 Aug 2019 08.11 BST

Last modified on Wed 14 Aug 2019

Security company Suprema uses facial recognition, fingerprints and passwords to secure facilities for the likes of the Metropolitan Police, defence contractors and banks.
Photograph: izusek/Getty Images/iStockphoto

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, was discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.
Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.
Last month, Suprema announced its Biostar 2 platform was integrated into another access control system – AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.

The Great Hack: the film that goes behind the scenes of the Facebook data scandal

Read more

The Israeli security researchers Noam Rotem and Ran Locar working with vpnmentor, a service that reviews virtual private network services, have been running a side project to scans ports looking for familiar IP blocks, and then use these blocks to find holes in companies’ systems that could potentially lead to data breaches.
In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.
The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
Much of the usernames and passwords were not encrypted, Rotem told the Guardian.
“We were able to find plain-text passwords of administrator accounts,” he said.
“The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even.”
“We [were] able to change data and add new users,” he said.
This would mean that he could edit an existing user’s account and add his own fingerprint and then be able to access whatever building that user is authorised to access, or he could just add himself as a user with his photo and fingerprints.
In the paper about the discovery provided to the Guardian before being published by vpnmentor on Wednesday, the researchers said they were able to access data from co-working organisations in the US and Indonesia, a gym chain in India and Sri Lanka, a medicine supplier in the United Kingdom, and a car parking space developer in Finland, among others.
The researchers said the sheer scale of the breach was alarming because the service is in 1.5m locations across the world and because, unlike passwords being leaked, when fingerprints are leaked, you can’t change your fingerprint.
“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes,” the researchers said in the paper.
The researchers made multiple attempts to contact Suprema before taking the paper to the Guardian late last week. Early Wednesday morning (Australian time) the vulnerability was closed, but they still have not heard back from the security firm.

Chinese cyberhackers ‘blurring line between state power and crime’

Read more

Suprema’s head of marketing, Andy Ahn, told the Guardian the company had taken an “in-depth evaluation” of the information provided by vpnmentor and would inform customers if there was a threat.
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn said.
Rotem said the problem wasn’t unique to Suprema.
“It’s very common. There’s literally millions of open systems, and going through them is a very tedious process,” he said. “And some of the systems are quite sensitive.”
He said supply chain vulnerabilities – where a company uses a third-party company for a service that doesn’t have appropriate security – was common but often some of the vulnerabilities discovered were with Fortune 500 companies.
Rotem said he contacts around three or four companies per week with similar issues. Earlier this year, Rotem pointed out a substantial flaw in Amadeus’s flight booking system.
“Mistakes happen, and the real test is how you handle them,” Rotem said. “If you have a security team that can respond quickly and efficiently it’s good enough. If you have a security team that will send a legal team to threaten you, well, it’s less efficient.
“And this happens quite a lot. It’s unpleasant for someone to point out you have a vulnerability or weakness. Some people take it as an opportunity to fix it and some people are offended by it for some reason.”

More people in Italy…

… like you, are reading and supporting The Guardian’s independent, investigative journalism than ever before. And unlike many new organisations, we have chosen an approach that allows us to keep our journalism accessible to all, regardless of where they live or what they can afford. But we need your ongoing support to keep working as we do.The Guardian will engage with the most critical issues of our time – from the escalating climate catastrophe to widespread inequality to the influence of big tech on our lives. At a time when factual information is a necessity, we believe that each of us, around the world, deserves access to accurate reporting with integrity at its heart.Our editorial independence means we set our own agenda and voice our own opinions. Guardian journalism is free from commercial and political bias and not influenced by billionaire owners or shareholders. This means we can give a voice to those less heard, explore where others turn away, and rigorously challenge those in power.We need your support to keep delivering quality journalism, to maintain our openness and to protect our precious independence. Every reader contribution, big or small, is so valuable. Support The Guardian from as little as €1 – and it only takes a minute. Thank you.

Support The Guardian

If you like this post, please consider sharing it.

Leave a Comment

Your email address will not be published. Required fields are marked *