Do you employ a biometric security solution at your company to control building access?
If your solution employs BioStar 2 technology (which is often integrated into third-party systems such as Nedap's AEOS access control system), you have cause for concern. Recently, researchers from vpnMentor announced that they uncovered a massive database.
It is about 23 gigabytes in size and houses 27.8 million records including fingerprints and facial recognition images. These are mostly un-encrypted and publicly available. In addition to the above, the exposed data also included employee names, usernames and passwords.
Worse, using the information contained in the database, the researchers who made the discovery were able to trace the precise movement of individual employees throughout physical facilities. That along with their security clearance levels and their home and email addresses. This kind of exposure is catastrophic. It allows hackers an unprecedented view into the inner workings of any exposed company, and it renders the security infrastructure of any building using BioStar 2's technology completely useless.
Worst of all, Suprema, the company that makes BioStar 2, has been unusually uncooperative and unresponsive about the matter. They fixed the issue with the exposed database eight days after it was reported by vpnMentor.
A few days after that, made a terse formal reply, which reads, in part, as follows:
"Suprema is aware of the reports in the press regarding its BioStar 2 platform and the alleged unauthorized access to data involving vpnMentor. The Company takes any report of this nature very seriously. It is investigating the allegations in the press reports and will liaise with any appropriate third parties and/or individuals as necessary."
If your firm utilizes any security solution built around BioStar 2, at a minimum, you should immediately change your password and the passwords associated with all of your employees.