Biometrics platform used by UK police stored millions of unhashed fingerprints on unsecured database

Researchers have discovered a 23GB database containing “almost every kind of sensitive data available”

An unencrypted Elasticsearch database containing millions of fingerprints, facial recognition information, unencrypted usernames and passwords, and personal information on employees has been discovered by researchers.

The database belongs to Biostar 2, a biometric security platform recently integrated into AEOS, an access control system used by the UK Metropolitan Police. In total AEOS is used by over 5,700 organisations across 83 countries, including large multinational corporations, small businesses, governments, banks and defence firms.

Suprema, the company who built Biostar 2, is considered one of the world’s leading security manufacturers and is the leading biometric access control provider in EMEA. Biostar 2 enables admins to control both physical security and application security from a single pane of glass.

Researchers working for VPN review website vpnMentor discovered the unencrypted database after staging a huge web-mapping project that scanned ports in the company’s web system. The researchers found familiar IP blocks that gave them visibility onto parts of the company’s system, revealing the unprotected database.

It is unclear which of the platform’s 1.5 million installations have been affected by the leak, although the number of those affected could be in the tens of millions, the researchers said.

“Largely uncooperative”

The researchers expressed frustration over the time it took for Biostar 2 to close the breach once they alerted the company to their findings on 5th August. After failing to contact Biostar 2 via email, two days later they called the German branch who said they “didn’t speak to vpnMentor” before hanging up.

The researchers then spoke to a “more cooperative” French branch who took measures to close the breach. The breach was closed on 13 August, over a week after Biostar 2 was first alerted to it.

When the researchers analysed the data they discovered it contained ‘almost every kind of sensitive data available’ and enough to support a wide range of criminal activities, including account takeovers, robbery, identity theft and fraud, and blackmail and extortion.

In total the unsecured database included:

• Access to client admin panels, dashboards, back end controls, and permissions 
• Fingerprint data 
• Facial recognition information and images of users
• Unencrypted usernames, passwords, and user IDs
• Records of entry and exit to secure areas
• Employee records including start dates
• Employee security levels and clearances
• Personal details, including employee home address and emails
• Businesses’ employee structures and hierarchies
• Mobile device and OS information

The passwords were also stored in plain text. It is basic cyber security practice to scramble passwords into an unreadable format – a process known as hashing – in case they are exposed deliberately or accidentally. The researchers also expressed frustration at the number of ‘unsecure’ passwords used by Biostar 2 customers, such as “password” and “abcd1234”.

In addition, Biostar 2 was failing to hash fingerprint and facial recognition data, instead saving peoples’ actual fingerprints that could be easily duplicated by cybercriminals. Unlike passwords, biometric data can’t be changed and can be downloaded and saved for later attacks.

“The use of biometric security like fingerprints is a recent development. As such, the full potential danger in having your fingerprints stolen is still unknown,” the researchers said.

“Most fingerprint scanners on consumer goods are unencrypted, so when a hacker develops technology to replicate your fingerprint, they will gain access to all the private information such as messages, photos, and payment methods stored on your device.”

The researchers advise Biostar 2 clients to change dashboard passwords immediately and instruct all staff to change personal passwords.