Researchers said they have found a publicly accessible database containing almost 28 million records — including plain-text passwords, face photos, and personal information — that was used to secure buildings around the world.
Researchers from vpnMentor reported on Wednesday that the database was used by the Web-based Biostar 2 security system sold by South Korea-based Suprema. Biostar uses facial recognition and fingerprint scans to identify people authorized to enter warehouses, municipal buildings, businesses, and banks. vpnMentor said the system has more than 1
According to vpnMentor, the 23-gigabyte database contained more than 27.8 million records used by Biostar to secure customer facilities. The data included usernames, passwords and user IDs in plaintext, building access logs, employee records including start dates, personal details, mobile device data, and face images.
“Ridiculously simple passwords”
“One of the more surprising aspects of this leak was how unsecured the account passwords we accessed were,” vpnMentor Internet Privacy Researchers Noam Rotem and Ran Locar wrote. “Plenty of accounts had ridiculously simple passwords, like 'Password' and 'abcd1234'.”
The researchers said the data also included more than 1 million records containing actual fingerprint scans. Wednesday's report provided no data to support the claim, and vpnMentor researchers responded to a request from Ars to send examples of records that included such scans. TechCrunch security reporter Zack Whittaker said on Twitter that his investigation of several scrambled hashes was inconclusive.
Security experts widely agree that the best way to store or transmit biometric data is by hashing it first to prevent third parties from getting it in the event of a breach. If it turns out the database includes more than 1 million actual fingerprints, it would be a serious breach because it would expose the people the prints belonged to, and the companies those people worked for, to fraud.
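The two findings above, plaintext storage and trivially guessable passwords, are independent failures that a defender fixes at different points. The following is an added illustration, not code from the Ars article, vpnMentor or Suprema: it audits a constructed plaintext user table for deny-listed passwords (the deny list is a tiny stand-in for a real breached-password corpus) and shows the storage form that should replace plaintext, a per-user salted PBKDF2-HMAC-SHA256 record. The iteration count and record layout are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Constructed deny list. A real deployment would check against a large
# breached-password corpus; the first two entries are the examples quoted
# in the vpnMentor report.
WEAK_PASSWORDS = {"password", "abcd1234", "123456", "qwerty"}

# Assumption: PBKDF2 iteration count chosen for current commodity hardware.
PBKDF2_ITERATIONS = 600_000
MIN_LENGTH = 12


def is_weak(password: str) -> bool:
    """Reject trivially guessable passwords before they are ever stored."""
    return len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The record carries its own parameters so the iteration count can be
    raised later without breaking verification of older records.
    """
    if is_weak(password):
        raise ValueError("password is on the deny list or too short")
    salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample of a plaintext user table like the one described in the report.
PLAINTEXT_ROWS = [
    ("alice", "Password"),
    ("bob", "abcd1234"),
    ("carol", "correct-horse-battery-staple"),
]


def audit_plaintext_rows(rows):
    """Return the usernames whose plaintext password fails the weakness check."""
    return [user for user, pw in rows if is_weak(pw)]


def migrate_rows(rows):
    """Hash every acceptable password; accounts with weak passwords must reset first."""
    migrated = {}
    for user, pw in rows:
        if not is_weak(pw):
            migrated[user] = hash_password(pw)
    return migrated


if __name__ == "__main__":
    print("accounts needing a forced reset:", audit_plaintext_rows(PLAINTEXT_ROWS))
    records = migrate_rows(PLAINTEXT_ROWS)
    print("carol verifies:", verify_password("correct-horse-battery-staple", records["carol"]))
```

Two accounts in the sample table would be forced through a reset rather than migrated, because hashing a password that is already on a deny list does nothing to stop an online guessing attack against it.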
Some of the organizations whose information was publicly included:
- Uptown – Jakarta-based coworking space with 123 users.
India and Sri Lanka
- Power World Gyms – High-class gym franchise with branches across both countries. We accessed 113,796 user records and their fingerprints.
- Global Village – An annual cultural festival, with access to 15,000 fingerprints.
- IFFCO – Consumer food products group.
- Euro Park – Car parking space developer with sites across Finland.
- Ostim – Industrial zone construction developer.
- Inspired.Lab – Coworking and design space in Chiyoda City, Tokyo.
- Adecco Staffing – We found approximately 2,000 fingerprints connected to the staffing and human resources giant.
- Identbase – Data belonging to this supplier of commercial ID and access card printing technology was also found in the exposed database.
Wednesday's report said researchers found the database through an Internet-mapping project that scanned ports of known IP blocks for vulnerabilities.
"The team discovered that huge portions of BioStar 2's database are unprotected and largely unencrypted," the researchers wrote. "The company uses an Elasticsearch database, which is not ordinarily designed for URL use. However, we were able to access it through a browser and manipulate the URL search criteria into exposing huge amounts of data."
In addition to storing the information in a world-readable database, the vpnMentor researchers said, Suprema also allowed records to be added, deleted, or modified. That left open the possibility that records were added to allow unauthorized people to access sensitive sites. It also opens the door to identity theft, phishing attacks, blackmail, and extortion.
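What the researchers describe, an Elasticsearch REST API answering unauthenticated requests from the open Internet, usually comes down to two settings: the node is bound to a non-loopback interface, and authentication is switched off. The following is an added example, not code or configuration from Ars, vpnMentor or Suprema: a small audit that reads an `elasticsearch.yml` and flags that combination, run over a constructed weak configuration and a constructed corrected one. It parses only flat `key: value` lines (the real file is YAML and may nest), and the setting names it checks are the real Elasticsearch ones; the sample configurations and the conservative rule that security must be explicitly enabled are this example's own assumptions, made because older releases shipped with security off by default.

```python
# Constructed sample: the shape of configuration that leaves the REST API
# reachable and unauthenticated. Not Suprema's configuration.
WEAK_CONFIG = """
cluster.name: access-control-demo
network.host: 0.0.0.0          # bind every interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

# Constructed sample of the corrected settings.
HARDENED_CONFIG = """
cluster.name: access-control-demo
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text: str) -> dict:
    """Parse flat `key: value` lines, dropping comments. Nested YAML is out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch_config(text: str) -> list:
    """Return human-readable findings for an elasticsearch.yml fragment."""
    s = parse_flat_yaml(text)
    findings = []

    # Elasticsearch binds to loopback when network.host is absent; an explicit
    # 0.0.0.0 or any special value other than _local_ exposes the node beyond it.
    host = s.get("network.host", "localhost")
    exposed = host not in LOOPBACK_HOSTS
    if exposed:
        findings.append(
            f"network.host={host}: REST API reachable from non-loopback interfaces"
        )

    # Conservative rule (this example's assumption): require security to be
    # explicitly on, since some releases defaulted it off.
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append(
            "xpack.security.enabled is not 'true': REST API answers without authentication"
        )

    # Without TLS on the HTTP layer, credentials and query results cross the
    # network in clear whenever the node is reachable from other hosts.
    if exposed and s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append(
            "xpack.security.http.ssl.enabled is not 'true': HTTP API is plaintext"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for f in audit_elasticsearch_config(cfg) or ["no findings"]:
            print("  -", f)
```

The check is deliberately about exposure, not data content: an index full of access logs and face images is only a breach if the node answers strangers, and the ability to add or modify records that the researchers describe follows from the same missing authentication as the ability to read them.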
The vpnMentor researchers said they discovered the exposed database on August 5 and privately reported the finding two days later. The data seemed secured until Tuesday, six days later. Suprema representatives didn't respond to a request for comment on this story.