Incident Of The Week: Passwords And Biometrics Info For One Million Users Exposed In BioStar 2 Data Breach
Unlike Identification Numbers, Fingerprints And Iris Data Are Not Replaceable
Measurements of human biology – aka biometrics – have long been considered the most secure form of personal identification. Fingerprints, the eye’s iris patterns, and DNA coding are unique to each person. Security researchers and academia have touted biometrics as the ultimate replacement for password-based authentication.
Unlike government-issued identification numbers or employee access cards that can be disabled and reissued, our personal biomarkers cannot be replaced. So long as biometric records are kept separate from personally identifiable information (PII), the authentication process is considered secure. With commercial biometrics scanning and authentication systems now possible, the opportunity to secure access to sensitive data stores and facilities has become feasible for more than just government applications.
Some observers said it was only a matter of time before biometrics data was compromised. “You can’t change your fingerprint, or your iris, or your face, the way you can change your social security number or phone number, once it’s compromised,” Jay Stanley, a senior policy analyst for the American Civil Liberties Union, said in an NBC News interview on the growth of biometrics for travel security.
Fingerprints And User Photos Discovered Unencrypted On Internet
Those prognosticators are uttering “I told you so” this week on the news that fingerprints, facial recognition records, and authentication credentials were discovered on the internet for more than 1 million users of the BioStar 2 biometric security smart lock platform. The web-based platform enables facility administrators to manage access control settings and record entrance/exit activity logs.
The web app is built by Suprema and is deployed globally. The company was ranked #1 in Biometric Access Control market share for EMEA by IHS Markit in 2017. Suprema partners with access control system providers to enable the full hardware and software solution. In June, Suprema announced it had integrated the BioStar 2 platform into Nedap’s access control system, AEOS. AEOS is used by 5,700 organizations in 83 countries, including governments, banks and the police.
The data breach was discovered earlier this month by internet privacy researchers Noam Rotem and Ran Locar with vpnMentor. In total, researchers accessed 27.8 million online records spanning 23 GB of data. Exposed data included:
- Access to client admin panels, dashboards, back end controls, and permissions
- Fingerprint data
- Facial recognition information and images of users
- Unencrypted usernames, passwords, and user IDs
- Records of entry and exit to secure areas
- Employee records including start dates, security levels, and clearances
- Personal details, including employee home address and emails
- Businesses’ employee structures and hierarchies (org charts)
- Mobile device and OS information
It took about one week from the time the breach was discovered until Suprema fixed the issue. The researchers also observed that many accounts used weak passwords such as “Password” and “abcd1234”, values that appear in the wordlists used for common dictionary attacks on credentials.
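Two of the findings above, plaintext credential storage and passwords that sit in every dictionary wordlist, are straightforward to guard against on the defender's side. The following is an added example, not code from the article, from vpnMentor or from Suprema's BioStar 2 platform. It screens candidate passwords against a small constructed denylist (seeded with the two values the researchers reported), rejects short passwords and obvious sequential runs, and stores credentials as salted PBKDF2-HMAC-SHA256 hashes rather than plaintext. The sample user rows and the denylist are constructed for the example; a real deployment would load a full breached-password corpus.

```python
import hashlib
import hmac
import os

# Constructed denylist standing in for a real breached-password corpus.
# It includes the two values the researchers reported seeing in the exposed records.
COMMON_PASSWORDS = {"password", "abcd1234", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000  # iteration count in line with current OWASP guidance for PBKDF2-HMAC-SHA256


def _has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters step up by exactly one code point (abcd, 1234)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(run - 1)):
            return True
    return False


def is_weak_password(pw: str) -> bool:
    """Denylist match, short length, or a sequential run all count as weak."""
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return True
    if len(pw) < MIN_LENGTH:
        return True
    return _has_sequential_run(lowered)


def hash_password(pw: str) -> dict:
    """Return a storable record: random per-user salt plus a slow, salted hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(pw: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", pw.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def audit_plaintext_store(rows):
    """Given (username, plaintext password) rows from an unencrypted store,
    return the usernames whose passwords would fail the policy above."""
    return [user for user, pw in rows if is_weak_password(pw)]


# Constructed sample rows modelled on what the researchers described; not real BioStar 2 data.
SAMPLE_ROWS = [
    ("admin01", "Password"),
    ("door-ops", "abcd1234"),
    ("j.doe", "ocean-violet-74-kettle"),
]

if __name__ == "__main__":
    print("accounts with weak passwords:", audit_plaintext_store(SAMPLE_ROWS))
    record = hash_password("ocean-violet-74-kettle")
    print("stored record (no plaintext):", record)
    print("verify correct:", verify_password("ocean-violet-74-kettle", record))
    print("verify wrong:", verify_password("abcd1234", record))
```

The audit function is the piece a breach-response team would run over a recovered plaintext credential dump to decide which accounts need forced resets first; the hashing functions are what the application should have used so that no such dump could exist.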
“We are currently giving away biometric information to multiple platforms and providers,” said Zak Doffman in a Forbes article on the biometrics incident. “Our phones, our banks, our immigration services, to name but a few. Every time we do this, our risk increases.” As businesses, services, and society become increasingly connected, information that was never intended to be accessible will become available.
Emerging technologies, such as machine learning algorithms applied to new and larger data sets, similarly increase the chance that previously separate data points will be correlated. The same capability underpins credential stuffing attacks and is the basis for the concern that is driving the need for third-party risk management (TPRM).
Cautionary Tales For The Enterprise CISO
It goes without saying that this security breach should never have occurred. Cyber Security Hub sees two primary areas of concern that security leaders can take back to their teams:
- Manipulation of access control systems and logs
  - The convenience of a SaaS control and management application should be weighed against the security risks. Have third-party risk assessments been completed for SaaS and PaaS providers?
  - Understand the risk and ramifications (for SIEM, for breach forensics, for compliance and reporting, etc.) of adding/changing/removing access log entries.
- Compromising biometric user data that cannot be replaced
  - Does the biometrics database co-mingle with other authentication databases?
  - What alternative authentication factors are acceptable in the absence of biometrics?