Security by Design: Lessons from the BioStar 2 Breach
Earlier this month, researchers working with VPNMentor identified and exposed a massive data breach in BioStar 2’s biometric security platform. The breach was discovered by a research team of ethical hackers, who reached the company’s Elasticsearch database through an ordinary web browser, even though the database is not designed to be browsed that way, and manipulated the URL search criteria to reveal masses of unencrypted data. The breach exposed 27.8 million records, or 23 gigabytes of data. This data included client admin panels and dashboards, unencrypted usernames and passwords, employees’ personal details and, critically, biometric information including fingerprint data and facial recognition information, alongside images of users.
BioStar 2 is a web-based biometrics lock system, enabling the centralisation of access controls for clients looking to secure their facilities. The platform is owned by Suprema, a South Korea-based security manufacturer which is ranked in the top 50 security manufacturers globally and possesses the primary market share of biometric access control in the EMEA region.
Given Suprema’s dominant market position and the massive scale of the sites and facilities whose access barriers it manages, keeping out those without appropriate clearance, this data breach makes for an enormous potential threat. Hackers, having gained access to Suprema’s database, would be capable of editing users’ profiles to include their own information, or simply adding new profiles, effectively granting themselves access to these secure facilities. Suprema’s clients stand to make great losses in the wake of such security failures.
Those affected also include the 5,700 users of another access control system called AEOS, into which Suprema had integrated its BioStar platform. This system is used by organisations and entities such as banks, defence contractors and the UK Metropolitan Police. Having access to the admin profiles of clients such as these would make it possible for malicious agents to access some of the most heavily guarded buildings across the nation. The control over the digital systems that now underpin essential services, which such access could well afford a hacker, would lead to disruption on an unparalleled scale. Armed with the masses of data stored in the BioStar 2 platform, such an agent could commit a cyberattack commensurate with a national security threat.
The major security risk represented here is equalled only by the privacy threat posed. The dangers faced at the national level recur at the individual level: it is not only those facilities and sites which have been revealed to be vulnerable. Employees, too, face potential damage that could follow them for the rest of their lives. In the report detailing the breach, VPNMentor assert that “the platform has over 1.5 million worldwide installations, and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions”, making this a privacy concern of remarkable scale. Personal details in BioStar 2’s leaked information included employment records, home addresses and email addresses. The importance of these details, however, pales in comparison with the threat posed by the compromise of biometric information.
Once biometric information has been stolen, it cannot be changed. The use of biometric scanning technology is a relatively recent development and, as such, the full implications of biometric data theft cannot yet be appreciated. However, identity theft and fraud, alongside blackmail and extortion, have emerged as the primary potential consequences of such theft. The researchers who discovered the breach noted in their report that “most fingerprint scanners on consumer goods are unencrypted, so when a hacker develops technology to replicate your fingerprint, they will gain access to all the private information such as messages, photos, and payment methods stored on your device.”
The cybersecurity ecosystem has made these consumer records and the personally identifiable information they contain valuable commodities. They constitute the basis of a thriving market on the dark web, in which consumers’ credentials and identities can be leveraged to take over online accounts, commit identity fraud and blackmail those individuals targeted – to name but a few criminal possibilities. A breach of this nature and scale is unprecedented and its implications unpredictable.
Yet the fact remains that businesses are simply not spending enough on cybersecurity, putting not only their enterprise’s operations at risk but, critically, their employees’ and customers’ data too. Hiscox’s Cyber Readiness Report found that UK businesses of all sizes had the lowest cybersecurity budgets across the seven countries surveyed, with an average budget of $900,000, or £740,000, compared to the group average of $1.46 million, or £1.2 million. The government’s Cyber Governance Health Check also found that just 16% of businesses’ boards have a comprehensive understanding of cybersecurity threats. This is in contrast to 89% of businesses having rated their board’s understanding of the reputational impact of cyber threats as comprehensive. These statistics do not align, and they reveal a critical fact about current approaches to cybersecurity: businesses do not yet fully appreciate or, worse and more likely, care about the risks to which they are exposing their customers and employees alike. Businesses are prioritising profit over personal data, which, once compromised, can irrevocably change lives.
Addressing the issues they had identified, the researchers outlined some steps that the BioStar developers could have taken to fortify the database’s security. They suggested that the servers should be better protected and that proper access rules for the database should be instituted. That the database was left open to the Internet was a major flaw, and a lesson for other developers. The researchers further argued for storing hash values rather than actual images of fingerprints, which can be replicated and used against the individual and/or their employer. Hash functions would convert the biometric data collected into values from which hackers could not reconstruct the original. Any subsequent breach would not, then, give hackers access to customers’ and employees’ biometric data.
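The two controls the researchers call for, as an added example in Python that is not Suprema’s, BioStar’s or VPNMentor’s code: an audit of an `elasticsearch.yml` for the combination that leaves a node reachable and unauthenticated, and storage of a keyed, salted hash of a biometric template instead of the template itself. The setting names `network.host` and `xpack.security.enabled` are real Elasticsearch settings; the configuration fragments, the template bytes and the key are constructed. The template part assumes the enrolled template is a deterministic byte string (for example a quantised feature vector), so an exact match is a valid comparison; noisy raw samples would need a biometric template-protection scheme on top of this.

```python
"""Added example (not Suprema's or VPNMentor's code): two of the controls
recommended above, applied to constructed inputs.

  1. Audit elasticsearch.yml for a node bound to every interface with the
     security module off, i.e. reachable from the Internet and unauthenticated.
  2. Store a keyed, salted hash of a biometric template instead of the
     template itself, so a dumped table does not yield the biometric.
"""
import hashlib
import hmac
import secrets

# --- 1. Exposure audit --------------------------------------------------
# Constructed elasticsearch.yml fragments; the setting names are real
# Elasticsearch settings, the values are illustrative.
EXPOSED_CONFIG = """
cluster.name: access-control-demo
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
cluster.name: access-control-demo
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Values of network.host that bind beyond the loopback interface.
NON_LOOPBACK = {"0.0.0.0", "::", "_global_", "_site_"}


def parse_flat_yaml(text):
    """Parse 'key: value' lines. Enough for the flat settings checked here;
    a production audit would use a real YAML parser."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_exposure(config_text):
    """Return a list of findings; an empty list means neither condition that
    left the BioStar 2 data reachable is present in this file."""
    s = parse_flat_yaml(config_text)
    findings = []
    host = s.get("network.host", "127.0.0.1")  # absent: Elasticsearch binds loopback only
    if host in NON_LOOPBACK:
        findings.append(f"network.host={host}: HTTP API bound to a non-loopback interface")
    # Assumption: an absent setting is treated as disabled (the pre-8.x default).
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication on the HTTP API")
    return findings


# --- 2. Template protection ---------------------------------------------
# Assumption: the enrolled template is a deterministic byte string (for
# example a quantised feature vector), so equality is a valid match test.

def protect_template(template: bytes, server_key: bytes) -> dict:
    """Return what the database stores: a random per-record salt and an HMAC
    of the template under a key kept outside the database (KMS/HSM). The
    digest cannot be inverted, and without the key it cannot be brute-forced
    offline by whoever dumps the table."""
    salt = secrets.token_bytes(16)
    digest = hmac.new(server_key, salt + template, hashlib.sha256).digest()
    return {"salt": salt, "digest": digest}


def verify_template(candidate: bytes, record: dict, server_key: bytes) -> bool:
    """Recompute the HMAC for a freshly captured template and compare it to
    the stored digest in constant time."""
    expected = hmac.new(server_key, record["salt"] + candidate, hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["digest"])


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_exposure(cfg) or "no findings")
    key = secrets.token_bytes(32)  # in practice loaded from a KMS, not generated here
    enrolled = protect_template(b"quantised-fingerprint-features", key)
    print("match:", verify_template(b"quantised-fingerprint-features", enrolled, key))
    print("mismatch:", verify_template(b"someone-else", enrolled, key))
```

The key is deliberately a separate input rather than something stored beside the records: a leak of the database alone then yields neither the templates nor anything an attacker can test guesses against, which is the property the researchers were after.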
Given biometric data’s unalterable nature, which means that the impacts of its loss to malicious agents are lifelong, and its vulnerability in the hands of companies ill-equipped to protect it, we must look to other solutions for identity verification and authentication challenges. The technological advances of the past few years have proliferated at such a rate that regulators and developers of standards and frameworks have been left playing catch-up. In light of the growing reliance on biometrics in the absence of thorough data impact assessments, the BioStar breach underscores the need for security by design; software must be built with security in mind, such that vulnerabilities are anticipated, and risk is minimised.
In order to enable such foresight, companies controlling and processing data should leverage predictive threat intelligence technologies, to facilitate a proactive approach to risk mitigation. Predictive threat intelligence harnesses data from previously identified vulnerabilities or breaches coupled with AI to anticipate threat vectors. AI examines the metadata associated with the company’s digital traffic to identify anomalous behavioural patterns which suggest risk. For example, it may flag up an employee’s messages coming from an unknown device as an indicator of a compromised or hacked device.
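The device check described in the paragraph above, as an added example in Python that is not Suprema’s code and is a rule-based stand-in for the AI-driven analysis the paragraph describes: learn which devices each user normally sends from during a baseline period, then flag a message from a device never seen for that user. The users, device identifiers and JSON log lines are constructed, and the distinction between “new device” and “user with no baseline” is an assumption about what an analyst would want separated.

```python
"""Added example (not Suprema's code; a rule-based stand-in for the AI-driven
analysis described above): learn which devices each user normally sends from,
then flag messages from a device never seen for that user. The users, device
ids and log lines are constructed."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed JSON-lines log, as a messaging or access gateway might emit it.
LOG = """\
{"ts": "2019-08-01T08:02:11Z", "user": "alice", "device": "dev-a1", "action": "message"}
{"ts": "2019-08-01T08:05:40Z", "user": "alice", "device": "dev-a1", "action": "message"}
{"ts": "2019-08-02T09:10:03Z", "user": "bob",   "device": "dev-b7", "action": "message"}
{"ts": "2019-08-02T09:12:19Z", "user": "alice", "device": "dev-a1", "action": "message"}
{"ts": "2019-08-03T03:41:55Z", "user": "alice", "device": "dev-zz", "action": "message"}
{"ts": "2019-08-03T10:00:00Z", "user": "bob",   "device": "dev-b7", "action": "message"}
{"ts": "2019-08-03T10:04:30Z", "user": "carol", "device": "dev-c2", "action": "message"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Yield events with 'ts' converted to a datetime; blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        yield event


def build_baseline(events, until):
    """Known devices per user, learned from events strictly before `until`."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < until:
            known[e["user"]].add(e["device"])
    return known


def detect_unknown_devices(events, baseline, since):
    """Return alerts for events at or after `since` whose device is not in the
    user's baseline. A user with no baseline at all is reported as a separate
    kind (assumption: 'new device' and 'new user' both merit a look, but they
    mean different things to an analyst)."""
    alerts = []
    for e in events:
        if e["ts"] < since:
            continue
        known = baseline.get(e["user"])  # .get() does not create an entry
        if known is None:
            kind = "no_baseline"
        elif e["device"] not in known:
            kind = "unknown_device"
        else:
            continue
        alerts.append({"kind": kind, "user": e["user"], "device": e["device"], "ts": e["ts"]})
    return alerts


def run(log_text, cutoff_iso):
    """Learn the baseline before `cutoff_iso`, then evaluate everything after it."""
    cutoff = parse_ts(cutoff_iso)
    events = list(parse_log(log_text))
    return detect_unknown_devices(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for a in run(LOG, "2019-08-03T00:00:00Z"):
        print(f"{a['ts'].isoformat()} {a['kind']}: user={a['user']} device={a['device']}")
```

In the constructed log, alice’s 03:41 message from `dev-zz` is the only event that matches the paragraph’s indicator; carol is surfaced separately because there is nothing to compare her against, which is the situation a fresh enrolment or a compromised account with no history both produce.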
Such technology solutions are vital to the security and proper data-handling conduct of businesses in the 21st century. However, the buck does not stop here. Security teams must include managers and policy professionals working to develop and implement a robust set of policies and procedures, including data protection impact assessments, to tackle those threats identified by the analysts and AI systems.
Good practices like security by design and predictive threat intelligence, enforced by well-equipped teams of security professionals, will cultivate a fuller understanding of the potential threat vectors. They will also go a long way toward developing the necessary measures to be implemented across the digital ecosystem to mitigate those risks which Suprema’s carelessness has highlighted. Cyber adversaries are using automation and the cloud to scale and implement their attacks faster than ever before. However, as multiple studies have demonstrated, companies are not scaling their cybersecurity budgets accordingly. If there is anything positive to be found in the wake of the BioStar 2 breach, it is that this may well be the cybersecurity wake-up call we need.