Biostar 2: Biometric Data Exposed

Biostar 2 is a web-based access control and time/attendance management system used worldwide by a number of large organisations to secure and centrally manage access to commercial buildings by means of biometrics (i.e. fingerprint and face recognition).

The recently discovered security flaw unveiled a large store of unsecured biometric data, credentials and personal information, totalling over 27.8 million records held in a publicly accessible online database. It is currently unknown whether any of this information has been accessed or downloaded by malicious actors; only time will tell.

The implications of an attack involving such data could be devastating, as it would allow a malicious actor to log in to the system, create or modify users and manipulate access control permissions, potentially giving them access to any building secured with Biostar 2.

Additionally, malicious actors could use the exposed personal information to commit identity theft and related offences; with the addition of biometric data, these offences can be taken to a new level.

Common advice in this situation is to change the credentials of the affected account and of any other accounts that may share those credentials. However, the most distressing part of this specific breach is that biometric data such as fingerprints cannot be changed the way a username and password can. Once your biometric data has been exposed, it is exposed forever, allowing malicious actors to use it against any system secured with the same biometric credentials as yours.

Thankfully, the vulnerability has since been fixed, which is especially relieving given the announcement that the Biostar 2 system is due to be integrated into AEOS (another access control system currently in use by the Metropolitan Police).