Researchers with the digital security firm VPNMentor have alleged a serious security issue concerning Biostar 2, Suprema’s popular biometric access control system.
The researchers say they were able to gain access to BioStar 2 databases containing fingerprint and facial biometrics data, usernames and passwords, and the personal information of employees of companies using BioStar 2. The researchers added that much of the username and password data was unencrypted, and that the fingerprint biometric data was not hashed to prevent reverse engineering.
The researchers say they discovered the vulnerability on August 5th, and that the publicly accessible server on which the data was stored was made private on August 13th.
BioStar 2 is used by numerous major organizations around the world, including co-working organizations in the US and Indonesia, and the UK’s Metropolitan Police.
Responding to a request for comment from The Guardian, a Suprema spokesperson said the company has launched an “in-depth evaluation”, adding, “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets.”
The FIDO Alliance, meanwhile, has taken the opportunity to once again highlight the advantages of on-device authentication, in which biometric data (and other information used for authentication) is not stored on a central server that can be breached. “All #FIDO standards dictate that #biometrics, when used, are ALWAYS stored on the device and NEVER on a central server,” the consortium posted on Twitter.
That having been said, the vulnerability's exposure has arrived at a time of growing enthusiasm over liveness detection, in which a biometric authentication process also seeks to ensure that the legitimate, authorized subject is actually present. Many biometrics, including fingerprints and especially faces, are by their nature public data, so the compromise of this kind of information need not present a security problem when adequate liveness detection is used in authentication.
August 14, 2019 by Alex Perala