e12e | 6 years ago
Quote:
Our team was able to access over 27.8 million records, a total of 23 gigabytes of data, which included the following information:
- Access to client admin panels, dashboards, back end controls, and permissions
- Fingerprint data
- Facial recognition information and images of users
- Unencrypted usernames, passwords, and user IDs
- Records of entry and exit to secure areas
- Employee records including start dates
- Employee security levels and clearances
- Personal details, including employee home address and emails
- Businesses’ employee structures and hierarchies
- Mobile device and OS information
One of the more surprising aspects of this leak was how unsecured the account passwords we accessed were. Plenty of accounts had ridiculously simple passwords, like “Password” and “abcd1234”. It’s difficult to imagine that people still don’t realize how easy this makes it for a hacker to access their account.
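The quoted report lists unencrypted passwords among the exposed fields and gives "Password" and "abcd1234" as examples of what was in them. As an added illustration (example code written for this page, not code from the report or from Suprema), the following shows the two controls that would have limited the damage of that part of the dump: a policy gate that rejects trivial passwords, and storage as a salted PBKDF2-HMAC-SHA256 record so that a leaked row is not a usable credential. The denylist, the iteration count and the record format are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed denylist of trivial passwords of the kind the report quotes
# ("Password", "abcd1234"); a real deployment would check against a
# breached-password corpus rather than a hand-written set.
DENYLIST = {"password", "abcd1234", "123456", "qwerty", "letmein"}

# Work factor for PBKDF2-HMAC-SHA256 (assumption: tune to your hardware).
# High enough that each guess against a leaked record costs real compute.
PBKDF2_ITERATIONS = 600_000
MIN_LENGTH = 12


def password_is_acceptable(password: str) -> bool:
    """Reject short passwords and anything on the denylist, case-insensitively."""
    if len(password) < MIN_LENGTH:
        return False
    return password.lower() not in DENYLIST


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    This record is the only thing the database stores. A dump of it gives an
    attacker nothing reusable without a per-record brute-force search.
    """
    salt = salt or os.urandom(16)  # fresh random salt per user unless one is supplied
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Policy gate followed by hashing; raises if the password is rejected."""
    if not password_is_acceptable(password):
        raise ValueError("password rejected by policy")
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ("Password", "abcd1234", "correct horse battery staple"):
        try:
            print(candidate, "->", register(candidate)[:40] + "...")
        except ValueError as exc:
            print(candidate, "->", exc)
```

The point of the self-describing record is operational: when the work factor or algorithm has to change after a leak, existing rows still verify and can be rehashed on next login, which is the "limited utility" property a plaintext column can never have.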
tossAfterUsing | 6 years ago
I am shocked... SHOCKED!
Actually, I'm not. Maybe, I should be?
Commence anecdote: When evaluating which of 2 positions to accept, I settled on {CompanyX} because of the CTO, who seemed like an excellent person to learn from. Something like 20 years in leadership & linux chops that I'll probably always be envious of.
By the time I'd accepted the offer & taken 2 weeks to get settled into a new town, he'd left the company (quite the surprising red flag for me)... but was still monitoring Github as part of the changing of the guard.
The first issue I filed at {CompanyX} was "we are sending passwords in cleartext(!!!)".
It wasn't 5 minutes before CTO-LINUX-GURU shouted me down. "IT'S HTTPS, NOT CLEARTEXT!". His message was sharp, and the obvious subtext was that I was dumb.
Well, if you say so... I let it go, and kept my head down.
Months later, we had to reset a bunch of user accounts because those passwords were being logged (in cleartext) to emails, and also saved to error logs when users had difficulty logging in.
After 8 months with the company, I'd finally had enough. 2 months after I left, the friends I made there called me to tell me they were looking for work. The company had run out of money, and laid off a bunch of engineers.
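The anecdote above is the usual shape of this failure: TLS covers the wire, and the password then lands in an error log or an alert e-mail in the clear. As an added example (written for this page, not code from the company in the story), this is a logging filter that scrubs password-like fields and Basic-auth headers from every record before any handler, file or mail transport sees it. The field names, the regular expressions and the three sample log calls are assumptions constructed for the demonstration.

```python
import logging
import re

# Field names whose values must never reach a log line or an alert e-mail.
# Matches form bodies (password=...), JSON ("password": "..."), and key: value text.
_FIELD_RE = re.compile(
    r"""(?i)(["']?(?:password|passwd|pwd|token|secret)["']?\s*[:=]\s*)(["']?)([^"'&,\s]+)\2"""
)
# HTTP Basic credentials are just base64(user:password), so they count as well.
_BASIC_RE = re.compile(r"(?i)(Authorization:\s*Basic\s+)[A-Za-z0-9+/=]+")


def redact(text: str) -> str:
    """Replace secret values in free text with [REDACTED], keeping the field name."""
    text = _FIELD_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]{m.group(2)}", text)
    return _BASIC_RE.sub(r"\1[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub the message and any string arguments before handlers see the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(v) if isinstance(v, str) else v for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(a) if isinstance(a, str) else a for a in record.args)
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "auth") -> tuple[logging.Logger, ListHandler]:
    """Logger whose records pass through RedactingFilter before any handler."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())  # applies to every record logged on this logger
    return logger, handler


def demo() -> list[str]:
    """Log three constructed failed-login diagnostics and return what was recorded."""
    logger, handler = build_logger()
    form_body = "user=alice&password=Hunter2!&remember=1"  # constructed sample request body
    logger.error("login failed for request body %s", form_body)
    logger.error('json body: {"username": "bob", "password": "abcd1234"}')
    logger.error("headers: Authorization: Basic YWxpY2U6SHVudGVyMiE=")
    return handler.lines
```

Attaching the filter to the logger rather than to one handler matters: the e-mail handler that was leaking in the anecdote is just another handler, and a filter on the file handler alone would not have covered it.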
Phemist | 6 years ago
Biometrics as an authentication factor suffers from a "weakest-link" problem. The strength of authentication of _every_ system using biometric factors can only be as strong as the weakest, least secure implementation out of those systems.
Passwords suffer from the same "weakest-link" problem to a degree, but at least we can choose to have more than 1 or 2 and even more than 10 different passwords. Also, they can be changed after a leak. In biometric authentication, once your raw biometric data has been leaked, you are basically left to rely on the strength of the PAD (Presentation Attack Detection) and the (lack of) propagation of the leaked information.
bostik | 6 years ago
I honestly feel that the best we as an industry can do about it is to start referring to biometrics as "amputationware". As often and widely as possible.
Until the public perception about them changes, vendors will keep pushing the scheme ever further as a silver bullet.
cortic | 6 years ago
>"instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes."
ffs, so anyone who's watched MythBusters can literally re-create the fingerprints of millions of people to bypass security or plant evidence. If there is any justice in the world, Suprema should be liquidated to compensate the millions of people who can no longer use their fingers as a security check.
consp | 6 years ago
>"instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes."
It's almost impossible to use hashes for fingerprints with COTS scanners. You use templates which in most cases, if left in the open, can be used to reverse engineer and get a fingerprint to match that template. Though it does not have to be the original one.
blunte | 6 years ago
Suprema said they will take immediate action. The only action of any value now that the data is already exposed is to fire the CEO and everyone in line below to the devs who touched the unencrypted data.
If this were just a regular company, the failure could be excused a little. But an authentication management company that doesn’t have security controls in place shouldn’t be in business.
ivanhoe | 6 years ago
They really should be sued out of existence and nothing less... perhaps it sounds harsh, but unfortunately companies have to be scared into taking security seriously, otherwise they will just continue to cut corners to save money or out of simple incompetence (which again could have been prevented by investing in a proper security audit).
reallydontask | 6 years ago
We used Suprema readers and they were absolutely terrible. They would match the wrong fingerprint with regularity (in a ~50-person trial we had a wrong match on day 2 and averaged ~2 a working day after that).
Suprema blamed us for not using a high enough quality for enrolment and also for not doing the enrolment properly.
We used their enrolment method, a very specific way of placing the finger on the enrolment reader, and this had the effect of making it easy to reach high enrolment quality. I regularly hit 90, 95 out of 100, but you needed to be an expert at enrolling.
Effectively, it took about 10 attempts per finger and we'd do 2 fingers minimum. Even after that we had the odd wrong match.
Our client had 500 people to enrol, with a further 4000 to 6000 [sic.] to come in the next two years and they decided to can the whole thing and blame us for the whole fiasco. Even when we had suggested they go with the more expensive readers (Ievo) and made it clear that we were using these cheaper readers for them.
aasasd | 6 years ago
> The security researchers scan ports looking for familiar IP blocks, and then use these blocks to find holes in companies’ systems
> They were able to search the database by manipulating the URL search criteria in Elasticsearch
Am I going dumb or is this mumbo-jumbo?
It's both funny and baffling how publications keep writing nonsense instead of saying “we are unqualified to explain the workings.” But then, I've seen similar behavior from people apparently unable to admit they don't know something. Which tendency can be outright harmful sometimes.
No problem, navigate to your bank's webpage, click the biometrics login reset link, enter your email, open the email and click the verification link. You will then be prompted to choose a new body to associate with the account. Your old body will be promptly picked up by a certified mortician. Leaving a tip is optional.
Yeah, I constantly have to go around making a funny face nowadays. The trick to a safe new face is to take 4 random words (for example: horse, clown, sad, elf-ears) and create your new face by imitating that 24/7. Or you use a face manager (or make-up artist as it is called in non-sec circles) so you just have to remember one face.
UI_at_80x24 | 6 years ago
This is why I love the expression (first heard either here or on Slashdot):
Fingerprints are your login, not your password.
One thing I worry about is if/when the government(s) start using the same algorithms that industry is using to generate $HASH in all these biometric scanners. Some ugly version of the world where the local police department can search FBI+Apple+Google Fingerprint DB.
jarym | 6 years ago
Another business in the tech security business that has no business being in business.
See the repeated use of the word business? It’s because until companies who mess up like this (I’m looking also at you Equifax and TalkTalk) are forced out of the market then standards will remain lax.
dustfinger | 6 years ago
The title could be improved. There was no major data breach, unless you consider the researchers that discovered the vulnerability to be perpetrators of a data breach as a result of their research. That is not normally how security research is interpreted. They found a vulnerability, not a breach.
The title would be less like click-bait if it simply said: Vulnerability Found in popular Biometrics System allows access to gigabytes of data including unencrypted passwords.
WhatsName | 6 years ago
> “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn said.
I'm still surprised how the go-to reaction to this kind of incident is ignoring the researcher and then claiming nothing happened.
There should be a government agency to report these kinds of findings to, and those cases should get handled like the real-world equivalent of a toxic spill.
I'm going to make a "PR boilerplate as a Service"... It will just be a service that replies "Thank you for asking about $PROBLEM. Our customer's security is our number 1 priority, and we will do a thorough review of our policies to make sure $PROBLEM doesn't happen again.".
Is there a list of all countries/companies using their software? My country uses those fucking stupid fingerprinted IDs. I'd very much like to know whether they use Suprema's system.
I did some poking after reading this and there's a KB app located at http://kb.supremainc.com/home/doku.php that is vulnerable to CVE-2017-18123 as well. Rated 9.3 severity.
If you collect the data, some of it will be exposed, that's a very real risk. Especially in cases like this with biometrical data that can't be changed. I wonder if something will change after a few big leaks in this sector.
Yeah, having an immutable input key has always seemed real scary to me. Text/numbers have always seemed the best to me, but if you really want something quicker and more natural for humans to do than writing, why not go for something like a pose or hand gesture? That can be easily changed, though I am not sure how many different versions there are of it. Spell out something in sign language?
I assume if your biometrics information has been stolen, you don't want to be in any compatible/similar biometric authentication system ever again because of the risk.
philpem | 6 years ago
I'm amazed how few people have cottoned onto the fact that if you wanted to steal a copy of someone's fingerprint, all you have to do is wait for them to go to their favourite restaurant and steal their empty glass.
Most people wouldn't even realise that the glass wasn't the target...
Maybe I'm being naive but why don't they store hashes of the biometrics on the server instead? Then just change the hashing algorithm if there's a compromise?
The VPNMentor krewe carried out responsible disclosure according to the upstream blog post. That's good.
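Two comments in this thread ask the same thing from opposite sides: why can't the server keep a hash of the fingerprint the way it keeps a hash of a password, and why are matchers built on templates that a leak makes permanently dangerous. The following toy, added here as an illustration and not code from any vendor or from the thread, uses constructed minutiae triples (x, y, angle) to show the mechanism: two captures of the same finger never serialize to the same bytes, so an exact hash and even a "round into bins first" hash fail, while the tolerance-based comparison a matcher actually performs needs the enrolled template in usable form at match time. Every number, tolerance and bin size below is an assumption for the example.

```python
import hashlib
import math

# Constructed minutiae templates as (x, y, angle_degrees) triples. Toy data,
# not from any real sensor and not from the leaked database.
ENROLLED = [(112, 87, 45), (140, 203, 180), (75, 160, 300), (201, 44, 10)]
# A second capture of the same finger: each minutia moved by a pixel or two and a
# few degrees, which is ordinary sensor jitter.
PROBE_SAME = [(113, 86, 47), (139, 204, 178), (76, 159, 302), (203, 45, 12)]
# A capture of a different finger.
PROBE_OTHER = [(50, 50, 90), (160, 90, 200), (90, 220, 30)]


def template_hash(template) -> str:
    """Exact cryptographic hash of a template: any change at all yields a new value."""
    data = ",".join(f"{x}:{y}:{a}" for x, y, a in sorted(template)).encode()
    return hashlib.sha256(data).hexdigest()


def quantized_hash(template, cell: int = 10, angle_bin: int = 15) -> str:
    """The obvious 'fix': coarsen the data into bins, then hash.

    Some jittered minutiae land in the same bin as the enrolled ones and some
    cross a bin boundary, so the digest still changes between captures.
    """
    bins = sorted((x // cell, y // cell, a // angle_bin) for x, y, a in template)
    return hashlib.sha256(repr(bins).encode()).hexdigest()


def match_score(enrolled, probe, dist_tol: float = 5.0, angle_tol: int = 10) -> float:
    """Fraction of probe minutiae with an enrolled minutia within tolerance.

    This is the kind of comparison a matcher performs, and it needs the enrolled
    template in usable form (in the clear, or inside a secure element) at match time.
    """
    matched = 0
    for px, py, pa in probe:
        for ex, ey, ea in enrolled:
            dist = math.hypot(px - ex, py - ey)
            dang = abs((pa - ea + 180) % 360 - 180)  # shortest angular difference
            if dist <= dist_tol and dang <= angle_tol:
                matched += 1
                break
    return matched / len(probe)


def is_match(enrolled, probe, threshold: float = 0.8) -> bool:
    return match_score(enrolled, probe) >= threshold


if __name__ == "__main__":
    print("exact hashes equal:    ", template_hash(ENROLLED) == template_hash(PROBE_SAME))
    print("quantized hashes equal:", quantized_hash(ENROLLED) == quantized_hash(PROBE_SAME))
    print("tolerant match (same): ", is_match(ENROLLED, PROBE_SAME))
    print("tolerant match (other):", is_match(ENROLLED, PROBE_OTHER))
```

The defender's conclusion follows from the last function: because the matcher has to accept anything within tolerance of the stored template, the template itself is sufficient to satisfy it, so it must be handled as key material (encrypted at rest with keys held outside the database, or kept on the device or secure element with match-on-device) rather than as a password hash, and enrolment should be designed so a leaked template can be revoked and re-issued.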
OliverJones | 6 years ago
Whatever happened to Defense in Depth?
All secrets (yes, all secrets) eventually leak ... so
1. Perimeter security should be good.
2. The body of secrets behind any given perimeter should be small, so fewer secrets leak in case of a perimeter breach.
3. Breaches and leaks (data exfiltration) should be detectable, and actually detected.
4. Corrupting the body of secrets by inserting or changing them should be defended against rigorously.
5. The secrets themselves should have limited utility. Securely hashed passwords are a good example.
6. The secrets should have limited useful lifetime. Credit cards can be replaced, so they meet this criterion. Fingerprints... their useful lifetime is the same as the subject's lifetime; not so good.
Not even state actors with unlimited talent and funding (hi, NSA!) can prevent secrets from leaking. So why don't more secret-gathering organizations do steps 2-6, or at least try to do them?
This Suprema outfit has a lot of business in Europe. It seems likely they will be severely punished by GDPR enforcement.
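Point 3 in the list above (leaks should be detectable, and actually detected) is the one that costs least to add after the fact. The thread describes the database being read by changing search parameters in Elasticsearch; an added example (written for this page, not code from the researchers or from Suprema) of the detection that would flag that is below: it parses constructed reverse-proxy access-log lines for a host fronting the cluster's HTTP port and alerts on successful, unauthenticated reads of search or metadata endpoints, bulk page sizes, scroll-API exports, and sources outside the expected private networks, then totals the bytes returned per flagged source. The log format, the trusted networks, the thresholds and every IP address and byte count are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed reverse-proxy access-log lines (combined-log style) for a host that
# fronts an Elasticsearch HTTP port. Assumed format and values; not from the incident.
SAMPLE_LOG = """\
10.0.3.7 - svc_biostar [12/Aug/2019:09:14:02 +0000] "GET /accesslog/_search?q=door:12&size=20 HTTP/1.1" 200 5120
198.51.100.23 - - [12/Aug/2019:09:15:41 +0000] "GET /_cat/indices?v HTTP/1.1" 200 880
198.51.100.23 - - [12/Aug/2019:09:15:55 +0000] "GET /users/_search?q=*&size=10000 HTTP/1.1" 200 9048211
198.51.100.23 - - [12/Aug/2019:09:16:10 +0000] "GET /users/_search?scroll=1m&size=5000 HTTP/1.1" 200 4211344
203.0.113.9 - - [12/Aug/2019:09:17:02 +0000] "GET /users/_search?q=* HTTP/1.1" 401 0
10.0.3.9 - svc_biostar [12/Aug/2019:09:16:30 +0000] "POST /events/_doc HTTP/1.1" 201 210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Networks from which application servers are expected to talk to the cluster
# (assumption for the example: RFC 1918 space only).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
READ_ENDPOINTS = ("/_search", "/_msearch", "/_cat/", "/_all/")
BULK_SIZE = 1000  # page sizes at or above this look like export, not lookup


def parse_line(line: str):
    """Split one access-log line into fields; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, parse_qs(query)
    return rec


def assess(rec: dict) -> list[str]:
    """Return the reasons a record looks like unauthorised bulk reading, if any."""
    if not 200 <= rec["status"] < 300:
        return []  # nothing was returned; failed probes are a separate, rate-based signal
    reasons = []
    src = ipaddress.ip_address(rec["ip"])
    if not any(src in net for net in TRUSTED_NETS):
        reasons.append("source outside trusted networks")
    if rec["user"] == "-" and any(e in rec["path"] for e in READ_ENDPOINTS):
        reasons.append("unauthenticated read of search/metadata endpoint")
    try:
        size = int(rec["query"].get("size", ["0"])[0])
    except ValueError:
        size = 0
    if size >= BULK_SIZE:
        reasons.append(f"bulk page size={size}")
    if "scroll" in rec["query"]:
        reasons.append("scroll API (full export pattern)")
    return reasons


def detect(log_text: str) -> list[dict]:
    """Run assess() over every parsable line and collect the records that fired."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            alerts.append({"ip": rec["ip"], "path": rec["path"], "bytes": rec["bytes"], "reasons": reasons})
    return alerts


def bytes_by_source(alerts: list[dict]) -> dict[str, int]:
    """Total response volume per flagged source: the exfiltration estimate for the report."""
    totals: dict[str, int] = {}
    for a in alerts:
        totals[a["ip"]] = totals.get(a["ip"], 0) + a["bytes"]
    return totals


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ip"], a["path"], a["bytes"], "|", "; ".join(a["reasons"]))
    print(bytes_by_source(detect(SAMPLE_LOG)))
```

The byte totals are what make point 3 actionable: an alert that says "one external address read 13 MB from the users index without credentials" is also the first line of the incident report, which is the difference between learning about a leak from your own logs and learning about it from a researcher's blog post.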