A major security breach raises a key question: what happens when your biometric data is exfiltrated from a system?

Posted on Aug 28, 2019 by Glyn Moody

It’s no secret that password security is often terrible. Good passwords – ones that are long and include a mix of lower case, upper case, numbers, and special characters – are hard to remember unless you use a password manager, which few seem to do. As a result, people tend to choose easy-to-guess passwords like names or dates of birth, or even absurd ones like “password” and “1234”. Attempts to wean people off such passwords continue to fail, and as a result many companies and organizations are trying to avoid the problem by getting rid of passwords completely. The alternative, to use biometrics like fingerprints, iris scans and facial recognition, is well developed, and increasingly widespread. One of the leading companies developing biometric technologies for access control is Suprema:

Suprema’s extensive portfolio includes biometric access control systems, time & attendance solutions, fingerprint live scanners, mobile authentication solutions and embedded fingerprint modules. Suprema has established itself as a premium global brand in the physical security industry and has a worldwide sales network in over 130 countries. Suprema has the no. 1 market share in biometric access control in the EMEA region and has been named to the world’s top 50 security manufacturers.

According to the company’s Web site, there are 1.5 million of its systems installed worldwide, used by over a billion people. Suprema’s position in this sector makes the following news about a large-scale data breach in its main product, BioStar 2, particularly concerning: “In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.” A message on Suprema’s home page states: “this incident relates to a limited number of BioStar 2 Cloud API users. The vast majority of Suprema customers do not use BioStar 2 Cloud API in their access control and time management solutions.” That may be true, but the researchers’ discussion of what was exposed makes disturbing reading:

Our team was able to access over 27.8 million records, a total of 23 gigabytes of data, which included the following information:

Access to client admin panels, dashboards, back end controls, and permissions
Fingerprint data
Facial recognition information and images of users
Unencrypted usernames, passwords, and user IDs
Records of entry and exit to secure areas
Employee records including start dates
Employee security levels and clearances
Personal details, including employee home address and emails
Businesses’ employee structures and hierarchies
Mobile device and OS information

The fact that passwords – including those for accounts with administrator rights – were stored by a security company in an unencrypted form is extraordinary. As the researchers note, anyone who had found this database could use those admin passwords to take over a high-level BioStar 2 account with all user permissions and full clearances, and make changes to the security settings in an entire network. They could create new accounts, complete with fingerprints and facial scans, and give themselves access to secure areas within buildings. Similarly, they could change the fingerprints on accounts with security clearance to grant anyone the power to enter these areas.

Since the admin account controls activity logs, criminals could delete or alter the data to hide their activities. In other words, access to these passwords allows anyone to enter any part of a supposedly secure building invisibly, leaving no trace of their presence. This would allow the theft of valuable objects that are held on the premises. More seriously, perhaps, it would allow physical access to computer departments, which might make further access to networks and sensitive data easier.

The problems don’t end there. The list of highly personal information such as employment records, email addresses, and home addresses exposed on the database would make both identity fraud and phishing a real risk. It would also identify the key employees within companies using the BioStar 2 system. That would make them more vulnerable to threats of blackmail by criminals. But perhaps the most serious problem is the following one noted by the researchers:

The use of biometric security like fingerprints is a recent development. As such, the full potential danger in having your fingerprints stolen is still unknown.

However, the important thing to remember is that once it’s stolen, unlike passwords, your fingerprint can’t be changed.

This makes fingerprint data theft even more concerning. Fingerprints are replacing typed passwords on many consumer items, like phones. Most fingerprint scanners on consumer goods are unencrypted, so when a hacker develops technology to replicate your fingerprint, they will gain access to all the private information such as messages, photos, and payment methods stored on your device.

According to the researchers who discovered this exposed database, instead of storing a hash of the fingerprint – a mathematically scrambled version that can’t be reverse-engineered – Suprema saved people’s actual fingerprints in digital form, which can therefore be copied and used directly for malicious purposes. There are already many ways of creating fake fingerprints good enough to fool biometric systems. If the full fingerprint data is available, such fake versions stand a good chance of defeating even the best biometric security.

The potential exfiltration of so many fingerprints in the case of the BioStar 2 system makes answering the question “what happens when someone has a copy of your biometric data?” even more urgent. As people have been pointing out for years, you can’t change your biometrics, short of surgery. Or, as Suprema says on its Web site: “Biometrics is the key that defines us.” Given that central, immutable fact, maybe it’s time to demand that biometrics should only be used when absolutely necessary – not as a matter of routine. And that if they are used, they must – by law – be protected with the highest levels of security available. Meanwhile, passwords, not biometrics, should be used in most situations requiring a check before granting access. At least they can be changed if a database holding them is compromised. And instead of pushing people to choose and remember better passwords – a forlorn hope – we should instead help them install and use password managers.

Featured image by Suprema.