A biometric database used by more than 5,700 companies worldwide was found exposed online, without any access protection, by a team of cybersecurity researchers. Because the database was reachable by anyone, unencrypted passwords, facial recognition data and more than one million fingerprints could be viewed and modified.
The system in question, BioStar 2, belongs to the security company Suprema. Used in particular by banks and police forces in the United Kingdom, it restricts access to buildings to authorized persons.
Researcher Noam Rotem, of the vpnMentor website, explained to The Guardian that the flaw allowed him to modify existing biometric records or add new ones. For example, he could have registered himself as a user at one of Suprema's client companies, or replaced an authorized person's fingerprint with his own.
vpnMentor confirmed to Radio-Canada that at least one Canadian company, the technical services firm NexGen Technologies, appeared in the database. More organizations could have been affected, but the research team did not record all of the information it found.
Noam Rotem says he repeatedly tried to notify Suprema of his discovery, without success, which is why he decided to make the information public. The researcher argues that the leak could have serious consequences because, unlike a password, biometric data cannot be changed once it has been exposed.
The security firm then confirmed to The Guardian that the flaw was fixed on Wednesday and that it would inform its customers if their information had been compromised.