Researchers said they have found a publicly accessible database containing almost 28 million records—including plain-text passwords, face photos, and personal information—that was used to secure buildings around the world.
Researchers from vpnMentor reported on Wednesday that the database was used by the Web-based Biostar 2 security system sold by South Korea-based Suprema. Biostar uses facial recognition and fingerprint scans to identify people authorized to enter warehouses, municipal buildings, businesses, and banks. vpnMentor said the system has more than 1.5 million installations in a wide range of countries including the US, the UK, Indonesia, India, and Sri Lanka.
According to vpnMentor, the 23-gigabyte database contained more than 27.8 million records used by Biostar to secure customer facilities. The data included usernames, passwords and user IDs in plaintext, building access logs, employee records including start dates, personal details, mobile device data, and face images.
“Ridiculously simple passwords”
“One of the more surprising aspects of this leak was how unsecured the account passwords we accessed were,” vpnMentor Internet Privacy Researchers Noam Rotem and Ran Locar wrote. “Plenty of accounts had ridiculously simple passwords, like ‘Password’ and ‘abcd1234’. It’s difficult to imagine that people still don’t realize how easy this makes it for a hacker to access their account.”
The researchers said the data also included more than 1 million records containing actual fingerprint scans. Wednesday’s report provided no data to support the claim. TechCrunch security reporter Zack Whittaker said on Twitter that his investigation of several scrambled hashes was inconclusive.
Security experts widely agree that the best way to store or transmit biometric data is by hashing it first to prevent third parties from obtaining it in the event of a breach. If it turns out the database included more than 1 million actual fingerprints, that would be a serious breach because it would expose the people the prints belonged to, and the companies the people worked for, to fraud. Fingerprints, unlike passwords, can’t be changed.
Some of the organizations whose information was public included:
- Union Member House – Coworking space and social club with 7,000 users.
- Lits Link – Software development consultancy.
- Phoenix Medical – Medical products manufacturer.
- Uptown – Jakarta-based coworking space with 123 users.
India and Sri Lanka
- Power World Gyms – High-class gym franchise with branches across both countries. We accessed 113,796 user records and their fingerprints.
- Associated Polymer Resources – Plastics recycling specialists.
- Tile Mountain – Home decor and DIY supplier.
- Farla Medical – Medical supply store.
- Global Village – An annual cultural festival, with access to 15,000 fingerprints.
- IFFCO – Consumer food products group.
- Euro Park – Car parking space developer with sites across Finland.
- Ostim – Industrial zone construction developer.
- Inspired.Lab – Coworking and design space in Chiyoda City, Tokyo.
- Adecco Staffing – We found approximately 2,000 fingerprints connected to the staffing and human resources giant.
- Identbase – Data belonging to this supplier of commercial ID and access card printing technology was also found in the exposed database.
Wednesday’s report said the researchers found the database through an Internet-mapping project that scanned ports of familiar IP blocks for vulnerabilities.
“The team discovered that huge parts of BioStar 2’s database are unprotected and mostly unencrypted,” the researchers wrote. “The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data.”
Besides storing the information in a world-readable database, the vpnMentor researchers said, Suprema also allowed records to be added, deleted, or modified. That left open the possibility that records were added to allow unauthorized people to access sensitive sites. It also opens the door to identity theft, phishing attacks, blackmail, and extortion.
The vpnMentor researchers said they discovered the exposed database on August 5 and privately reported the finding two days later. The data wasn’t secured until Tuesday, six days later. Representatives of Suprema didn’t respond to a request for comment on this story.