What does the Biostar 2 scandal mean for security companies that use biometric security?

Suprema’s Biostar 2 is a biometric lock system that is widely used and integrated into systems used by companies and organizations around the world. Of particular interest, the AEOS access control system which uses the Biostar 2 system as it is used by more than 5700 organizations across 83 countries including the Metropolitan Police.

It was recently discovered that over 1 million fingerprint biometrics, facial data, log entries, admin accounts, passwords, and other sensitive information were accessed by hackers through a low-encryption database kept by the company. This information was stored in plain text and constitutes some of the most critical data sought after by perpetrators of fraud.

The hack was carried out by researchers from vpnmentor who brought it to the Suprema’s attention. The effects of this discovery could be long-reaching as a little-discussed problem of biometrics in security is brought to the forefront.

Biometric data is not like a password, you cannot change it. Once your data has been stolen, you become vulnerable to hacking as long as you use biometric systems.

Security Analyst at Frost & Sullivan, Danielle VanZandt says of the breach, “While this may be one of the first data breaches to target biometric data, it most certainly will not be the last. The sheer scale of BioStar 2, unfortunately, made the system one of the first to reveal the vulnerabilities of biometric access control solutions; however, this will not stop the exponential growth and adoption rates of biometric solutions. Fingerprint and facial recognition remain the most in-demand biometrics out there for physical access solutions across various industries. This breach will not scare away potential end-user purchases; rather, it will serve to inform them of the types of security protocols a vendor must have in place before a potential end user finalizes any new system purchase. Vendors must be ready to answer end-user questions about data access, precisely how their solution stores biometric data, and what encryption protocols are in place.”

She goes on to add that “End users are quickly assessing their own risk profiles and the best solutions to protect their organization. Any biometric security vendor unwilling or unable to best address an end-users’ risk concerns and data protection questions will quickly see their stature in this high-growth market diminish.

If you are a security company that regularly uses biometrics or if you are a security buyer, it is important that review your current supplier’s data protection protocols and ensure that you are not vulnerable to this kind of attack.

If you use AEOS or Biostar 2, we recommend contacting Suprema directly.