Biometrics security casts a shadow on itself due to the recent data leak
Biometric authentication, which is used to recognize a particular human being, has recently had its safety called into question. Cybersecurity specialists discovered an unprotected and unencrypted database online that belonged to Suprema, a biometric systems company.
There, researchers found numerous fingerprints and facial recognition information of over one million people. All of these details were gathered by police departments, governments, and businesses, which used this type of data to identify employees and to let particular authorities access systems.
The product used for these biometrics services is known as BioStar 2. This piece of software provides functions such as fingerprint scanning and facial recognition for business purposes. The technique often lengthens the identification process, and the tool is employed by around 6,000 companies worldwide:
AEOS is used by over 5,700 organizations in 83 countries, including some of the biggest multinational businesses, many small local businesses, governments, banks, and even the UK Metropolitan Police.
Leaked information included more details than first expected
According to the latest research by cybersecurity specialists, the exposed database contained more than biometric details. Experts also discovered that the system was holding and leaking other information about users, including names and passwords, places of residence, email addresses, and similar data. What is even worse, the leak also affected the employees of the company, which means that, if the data were compromised, malicious actors could gain access to further information within the organization.
The amount of exposed information is massive: 27.8 million records that take up to 23 GB of space. The most alarming aspect of the data breach is that, while resetting a password to prevent further access to a compromised account is relatively easy, changing your own fingerprints or facial characteristics without surgical intervention is almost impossible.
The consequences of this biometrics disaster could be irreversible, as researchers claim:
Hackers can change the fingerprints of existing accounts to their own and hijack a user account to access restricted areas undetected. Hackers and other criminals could potentially create libraries of fingerprints to be used any time they want to enter somewhere without being detected.
The exposure was stopped 8 days after discovery
The leaky database was first discovered on August 5th, and the data that had been accessible to everyone was secured eight days later. While the Suprema-owned server no longer poses a risk, there is no accurate information about past events or about whether any victims had their biometrics and other data stolen by cybercriminals. Furthermore, Suprema did not show interest in revealing any particular details about this incident, and attempts to reach the company have failed.
Biometric data is unique, can be used to protect access to vital data, and saves time when doing so. However, the Suprema data leak shows how dangerous such information can be when it is not adequately protected. In the end, the impact of the ordeal might only be discovered years from now.