The fingerprints of over 1 million people, as well as facial recognition information, unencrypted passwords, and other sensitive data, were apparently left by a security company unencrypted, unprotected, and available to the public.
The current incident’s culprit is Biostar 2 – a web-based facilities-security system that controls access to various sensitive buildings and other sites and, in the process of doing so, utilizes fingerprints and facial recognition to positively identify people seeking access. Biostar 2 has wide reach, as it is integrated into the AEOS access control system that helps secure facilities for nearly 6,000 organizations in over 80 countries.
As reported in The Guardian, Noam Rotem and Ran Locar, the Israeli researchers who discovered the poorly protected information, claim to have been able to access almost 23 gigabytes’ worth of Biostar 2 data, including fingerprints, photos of users’ faces and associated facial recognition information, unencrypted usernames and passwords, logs of facility access, security authorization level information, and even security-system administrative tools. Armed with such robust access, the researchers were able to see in real time which users were accessing which locations in which facilities, as well as to create new user profiles and change the profiles of existing users – meaning that unauthorized parties could potentially add their own fingerprints to the records of people who were authorized to access sensitive facilities, and thereby gain unauthorized access for themselves. (Presumably, if such parties did carry out such an attack, they would later delete the fraudulent fingerprints in order to cover their tracks.)
For well over a decade, I have been outspoken against the widespread use of fingerprints and most other forms of biometric authentication as a means of authenticating people. Among the serious problems with such schemes are that biometric information is not secret (you leave your fingerprints on everything that you touch, and often show them in pictures, for example), and that if biometric information is ever compromised, there is no way for anyone who is impacted to reset it.
Additionally, biometrics suffer from an inherent reuse problem: If anyone storing biometric information mishandles it, all parties relying on the same biometrics suffer from a potentially severe vulnerability. There is little doubt, for example, that hackers who obtain fingerprint data from a weakly-protected system will attempt to utilize the data to compromise other systems that rely on fingerprint-based authentication. (In some cases, criminals might even be able to leverage stolen biometric data in order to leave identifiers (e.g., artificially-generated fingerprints) at the scenes of crimes so as to shift blame from themselves to innocent parties.)
As such, it does not matter how much a firm spends on security, or how well it implements its various defenses; if someone else is negligent with the same or related biometric information, the former’s digital Fort Knox can quickly start to resemble the latter’s virtual sand castle.
In the case of Biostar 2, for example, researchers claim that the system stored actual fingerprint data rather than a one-way hash representation of the data, thereby violating what one might consider one of the cardinal rules of authentication security. When such data is improperly protected, as researchers claim it was, each and every entity around the globe that relies on fingerprints to authenticate users may be exposed to potential breaches if any of its users’ fingerprints are in the Biostar 2 database. And, as I have pointed out countless times in the past, unlike in the case of compromised passwords, there is no practical way for any person to reset his or her fingerprints – he or she is stuck using “compromised credentials” for the rest of his or her life.
When it comes to Biostar 2, the problem is perhaps even more severe, as the weakly protected biometric information is likely already used in multiple locations. As Matan Or-El, Co-Founder and CEO of Panorays, pointed out, “Because Suprema is connected to thousands of organizations across the world, this compromised data has the power to rattle the entire supply chain.”
We need to rethink our use of biometrics en masse. Yes, biometric authentication is convenient. And, yes, it certainly has its place. But, such authentication is widely overused today – often without proper care and concern – thereby undermining its potency when actually needed, and creating risks that we should not take.