A biometric database used by more than 5700 companies worldwide was discovered online, unprotected, by a cybersecurity research team. Because the database was accessible to anyone, unencrypted passwords, facial recognition data and more than one million fingerprints could be viewed and modified.
The system in question, named BioStar 2, belongs to the security company Suprema. Used in particular by banks and the police in the United Kingdom, it restricts access to buildings to authorized persons.
Researcher Noam Rotem, of the vpnMentor website, explained to The Guardian that the flaw allowed him to modify existing biometric data or to add new records. For example, he could have registered as a user for one of Suprema’s client companies or replaced an authorized person’s fingerprint with his own.
The vpnMentor site confirmed to Radio-Canada that at least one Canadian company, the technical services firm NexGen Technologies, appeared in the database. More organizations could have been affected, but the research team did not record all of the information presented.
Noam Rotem says he repeatedly tried to notify Suprema of his discovery, without success. That’s why he decided to make the information public. The researcher argues that this leak could have significant consequences because, unlike a password, biometric data cannot be modified.
The security firm then confirmed to The Guardian that the flaw was resolved Wednesday and that it would inform its customers if their information was compromised.
Based out of Detroit, Tonia Nissen has been writing for Optic Flux since 2017 and is presently our Managing Editor. An experienced freelance health writer, Tonia obtained an English BA from the University of Detroit, then spent over 7 years working in various markets as a television reporter, producer and news videographer. Tonia is particularly interested in scientific innovation, climate technology, and the marine environment.