White hat hackers expose huge biometric security breach

Privacy researchers at vpnmentor have uncovered a huge data breach in security platform Biostar 2, a centralised biometric access control system used by UK police forces and major banks.

  4 Be the first to comment

White hat hackers expose huge biometric security breach

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Biostar 2 uses facial recognition and fingerprinting technology to control access to secure areas of facilities, manage user permissions, integrate with 3rd party security apps, and record activity logs.

Vpnmentor says it was able to access over 27.8 million records, a total of 23 gigabytes of data, on a publicly accessible database

The data leaked includes detailed personal information of employees and unencrypted usernames and passwords as well as access to over 1 million fingerprint records, as well as facial recognition information.

Researchers at vpnmentor say the breach would enable hackers to gain complete access to admin accounts on Biostar 2, enabling them to change user accounts and create their own accounts. Furthermore, hackers can change the fingerprints of existing accounts to their own and hijack a user account to access restricted areas undetected.

Says the firm: "Hackers and other criminals could potentially create libraries of fingerprints to be used any time they want to enter somewhere without being detected."

Biostar 2 is built by Suprema, which recently partnered with Nedap to integrate the app into their AEOS access control system.

AEOS is used by over 5700 organizations in 83 countries, including some of the biggest multinational businesses, many small local businesses, governments, banks, and even the UK Metropolitan Police.

The researchers say they made multiple unsuccessful attempts to contact Suprema before taking the paper to the Guardian broadsheet late last week. Early Wednesday morning the vulnerability was closed.

Sponsored [Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming Mandates

Related Company

Keywords

Comments: (0)

[Upcoming Webinar] Next Gen Payment Processing: How banks can embrace the futureFinextra Promoted[Upcoming Webinar] Next Gen Payment Processing: How banks can embrace the future