Unencrypted biometrics reveal massive risk

Security researchers gained access to more than 27.8 million records, including fingerprints, facial recognition data, usernames and passwords, in the mostly unencrypted and unhashed BioStar 2 database. BioStar 2 is a web-based biometric locking system used for physical security when granting access to buildings. The breach in effect provides hackers with access to user accounts and permissions at facilities using BioStar 2, which currently has 1.5 million installations worldwide.

When Noam Rotem and Ran Locar, researchers with vpnMentor, were scanning ports on familiar IP blocks, they found BioStar 2’s database unprotected. The security researchers were looking for security weaknesses that could lead to a future data breach.

The BioStar 2 data included biometrics such as fingerprints, facial recognition data and photos of users. Other sensitive data was also exposed, including usernames and passwords, logs of facility access, and security clearances. The researchers could see real-time information on users accessing facilities and were able to change the existing data. They were also able to access client admin dashboards and other controls and permissions.

While the BioStar 2 breach is not record-breaking in size or scope, it reveals a massive risk with biometric data. Biometric data stored unencrypted and without cryptographic hashing can be altered, or it can be copied for identity theft. For example, a user’s fingerprint data could be replaced with another set of fingerprints, granting access to a malicious actor. Unfortunately, unlike a password, fingerprints cannot be changed. In both situations it is nearly impossible for the true individual to prove their identity again, meaning the effects can be lasting.

The researchers wrote up their findings in a report published by vpnMentor. “Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes,” the researchers stated in the report.
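The two storage failures the article describes, passwords kept in the clear and biometric templates that anyone with database access can overwrite, both have a straightforward server-side counterpart. The following is an added example, not code from BioStar 2, vpnMentor or Specops: it stores a password only as a salted PBKDF2 hash, and binds each biometric template to its user with an HMAC under a server-held key so that a swapped or edited template is detected before it is trusted. The record layout, field names and the template bytes are constructed for the example; the template is treated as opaque bytes, and encryption at rest (which needs a library such as `cryptography`) is left out so the block runs on the standard library alone.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Iteration count for PBKDF2-HMAC-SHA256; raise it as hardware allows.
PBKDF2_ITERATIONS = 200_000


@dataclass
class StoredRecord:
    """Constructed record layout for an access-control backend (not BioStar 2's schema)."""
    user_id: str
    salt: bytes
    password_hash: bytes   # derived from the password; the password itself is never stored
    template: bytes        # biometric template as opaque bytes (encrypt at rest in production)
    template_tag: bytes    # HMAC over (user_id, template) under a server-held key


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a database dump no longer yields usable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def seal_template(key: bytes, user_id: str, template: bytes) -> bytes:
    """Integrity tag binding a template to one user, so templates cannot be
    edited or moved between records without the key."""
    msg = user_id.encode("utf-8") + b"\x00" + template
    return hmac.new(key, msg, "sha256").digest()


def enroll(key: bytes, user_id: str, password: str, template: bytes) -> StoredRecord:
    salt = secrets.token_bytes(16)
    return StoredRecord(
        user_id=user_id,
        salt=salt,
        password_hash=hash_password(password, salt),
        template=template,
        template_tag=seal_template(key, user_id, template),
    )


def verify_password(rec: StoredRecord, password: str) -> bool:
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(rec.password_hash, hash_password(password, rec.salt))


def template_intact(key: bytes, rec: StoredRecord) -> bool:
    """Check before using a template for matching; False means it was altered or
    copied from another record, the tampering scenario the article describes."""
    return hmac.compare_digest(rec.template_tag, seal_template(key, rec.user_id, rec.template))


def demo() -> tuple:
    """Walk through enrollment, login, and a simulated template swap."""
    key = secrets.token_bytes(32)  # hold this in a KMS/HSM, never next to the records
    rec = enroll(key, "alice", "correct horse", b"TEMPLATE-ALICE (constructed)")

    good_login = verify_password(rec, "correct horse")
    bad_login = verify_password(rec, "wrong password")
    before_swap = template_intact(key, rec)

    # An attacker with write access replaces alice's template with their own.
    rec.template = b"TEMPLATE-MALLORY (constructed)"
    after_swap = template_intact(key, rec)

    return good_login, bad_login, before_swap, after_swap


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True, False)
```

The HMAC does not stop an attacker who already has write access from changing a record; it makes the change detectable by the matching service, which should refuse any template whose tag fails. Encrypting the template column with an authenticated cipher under the same key-management discipline is the remaining step the article's point calls for.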

“The recent breach in the BioStar 2 system, with over a million biometric and password credentials open on the internet, is a lesson that everyone should take note of,” says Thorbjörn Sjövold, Head of Research at Specops Software. “Stored in the wrong way, it doesn’t matter what type of credentials you are using. It’s just harder to reset your fingerprint once it has been breached.”

The researchers are quick to point out that this is a very common scenario, particularly when a company uses a third-party service that doesn’t follow necessary security practices. Thorbjörn continues: “Even if your systems are secure and monitored, integrating with external systems can potentially result in leaked information that can threaten your organization.”

(Last updated on October 30, 2023)
