Over 1 Million Fingerprints Exposed Online

By John Lister

More than one million fingerprints were exposed online for at least a week, according to security researchers. The company responsible for the data says it will take immediate action if there's a security threat.

The data is held by Suprema, which operates a biometric lock system called BioStar 2. It lets building owners restrict access by fingerprint or facial recognition rather than relying on measures such as physical keys or passcodes. The Guardian newspaper reports that BioStar 2 is used in a wider system that has 5,700 customers accessing 1.5 million locations across 83 countries.

Security researchers Ran Locar and Noam Rotem say they found the exposed data while scanning for security holes online. They discovered that the BioStar 2 database was not adequately protected and could be accessed without authorization simply by correctly figuring out the URL that pointed to particular records.

Passwords Unencrypted

In total, the researchers were able to access nearly 30 million records, including fingerprint data and photos, records of security staff, and usernames and passwords for accessing and modifying records.

These unencrypted passwords were the most immediate threat, as the researchers say they would have been able to replace the stored fingerprint data for a specified user with their own prints and thus gain access to buildings. Alternatively, they could simply have added themselves as a new user in the database and granted themselves whatever access they wanted.

Perhaps even more worryingly, the fingerprint data was stored as the actual print itself. Normally such biometric data is only ever stored locally (such as on a protected phone), with remote servers instead holding a corresponding check code that can't be easily reverse-engineered to produce the print. That's a big concern given that it's not possible to change a fingerprint after a breach in the same way as changing a password.
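The two server-side failures the article describes, record URLs that return data to anyone who guesses them and passwords stored in the clear, can be contrasted with their fixed forms in a few lines. The following is an added illustration, not BioStar 2's code; the record ids, URL layout, tenant names and session tokens are constructed placeholders.

```python
import hashlib
import hmac
import os
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample store: plaintext passwords, as the article says the
# exposed database held them. Ids, tenants and users are made-up values.
RECORDS = {
    1001: {"tenant": "acme", "user": "alice", "password": "hunter2"},
    1002: {"tenant": "globex", "user": "bob", "password": "letmein"},
}
RECORD_PATH = re.compile(r"^/api/users/(\d+)$")   # assumed URL layout
SESSIONS = {"tok-acme-1": "acme"}                  # opaque token -> tenant

def lookup_vulnerable(url: str) -> Optional[dict]:
    """The flaw described: whoever guesses a valid URL gets the full record."""
    m = RECORD_PATH.match(urlparse(url).path)
    return RECORDS.get(int(m.group(1))) if m else None

def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2 hash: what should be stored instead of the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def harden_store(records: dict) -> dict:
    """Rebuild the store with hashes so a leaked record reveals no password."""
    out = {}
    for rid, rec in records.items():
        salt, digest = hash_password(rec["password"])
        public = {k: v for k, v in rec.items() if k != "password"}
        out[rid] = {**public, "salt": salt, "pw_hash": digest}
    return out

HARDENED = harden_store(RECORDS)

def lookup_hardened(url: str, token: Optional[str]) -> Optional[dict]:
    """Same lookup, but the caller must hold a session for the record's tenant."""
    tenant = SESSIONS.get(token or "")
    if tenant is None:
        return None                      # unauthenticated: nothing, not even a hint
    m = RECORD_PATH.match(urlparse(url).path)
    rec = HARDENED.get(int(m.group(1))) if m else None
    if rec is None or rec["tenant"] != tenant:
        return None                      # object-level authorization check
    return {k: v for k, v in rec.items() if k not in ("salt", "pw_hash")}
```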

Operators "Uncooperative"

The researchers say they found BioStar 2's operators to be "generally very uncooperative" and "largely unresponsive" when they reported the breach. The researchers waited until they confirmed the breach had been fixed before going public with their findings.

A spokesman told The Guardian that "if there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers' valuable businesses and assets." (Source: theguardian.com)

What's Your Opinion?

Should tech companies face harsher penalties for failing to protect biometric data? Do you know enough about how companies and agencies that have your fingerprints or photo secure the information? How will society respond if criminal hackers gain access to fingerprint data?



Comment from Dennis Faas:

This company failed on so many levels that they should be held criminally responsible for such a leak. It's one thing to expose a database of records, but it's another to have the data easily accessible (unencrypted), fully readable, and writable. The kicker is that the information they stored in their database is supposed to protect "bad people from the outside" from getting into buildings - yet that is exactly what they did by allowing anyone to access their database records online. Idiots!