Suprema Biometric Mass Leak Examined

Published Aug 19, 2019 11:45 AM

While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past week from Tom's Hardware to Business Insider and even the BBC.

But what happened? Inside this report, we:

  • Explain what was leaked and how it was leaked
  • Contrast which Suprema users are impacted and which are not
  • Examine a key false claim Suprema made about their cloud service
  • Explore the two fundamental issues - exposed buckets and logging - that led to this leak
  • Clarify claims made in media reports about the leak
  • Examine the risk to the fingerprint records 'stolen'
  • Consider the potential GDPR risks and fines involved
  • Review Suprema's size, revenue, market capitalization, and stock price drop

Researcher ****** - *********

***** ***** *** ****** ** ***** outlets *********** ******* *** **** *****, the ********** *** ******** ****** ** from*********: ******: **** ****** ** ********* Security ******** ********* ******** ** *****. *** ****** ********** **-****** ***** ***************** *** ******:

Executive *******

******* ***** ******** *** *******'* ******** Cloud ******* *** ******** ** ******* had ** ******* ***** **** ***** (aka '*******') ******* **** ** **** actions ** ***** **** ********* **** personal ***********, *********, *** *********** *********.

**** *** *** **** ******* / fixed ********* ** **** *** *********** and *** *******.

** ** *** ***** ** ****** else *** ******** ***** ******* ****** they ********* ***** ** ** **** were ******** ********** *** ****** ******** the *** ******* *** **** ********, as ***** *********** ****.

Impacted ***** *** ***

**** ******* ***** *** ****** *** impacted ** **** ** *** ***** service ** ******** ** ******* ** BioStar2 ***, ** *** **********, ***** a **** ****** ************* ** ***. Suprema **** ***** ******* *, ********** Middleware *********** *** ****** *** ******* any ***** ************ *** *** ********.

False ***** **** *******

******* ******* *******,** ***** **** ***** ***, **** **** *** *** ***** customer's ****:

**** **** ** ****** ** **** local ****** *** *** ***** ******************* *** ** ****** **** ***** server **** ** ******** *******. [******** added]

***** ** * ********* ** *******'* claim ***********:

Exposed ******* *** ****

*** *******, ** **** **** *****, is **** ********** ************* ****. ***** **** *** *** have ****** *********** '******' ** ***** 'server', **** **** ******* ********** ** their ***** *******. ***** *** ******* uses *** *******, *.*., ** *************** the ******* ** ***** ** *** service, ** ******* ****** ** ******.

*** *** ******** **** **** *******:

  • ******* *** **** ****** ******* **********, such **** ** ******, **** *** researchers, ******* *** *** ***** ** address / **** / ***, **** could ****** *******'* ***** ****.
  • ****** **** ** ***** **** ** things **** ********* ***** ** **** directly (*.*., ******** ** *******, ***.).

**** *** ************* **** ***. ***** is ** ************* *** ***** ** and *** ***** ** **** *** well *****. ******* **** ****, ** industry ******* ** * ****** ****** is*** ******** ******* *** ******** ****, ****** **** ******** ****** *** whole ********, *** **** *** ****. And ** ****** *****, ********** *** ******* ********* **** ****** passwords ** ***** ****.

**** ***** *** ******* **** ** significant ** **** **** *** **** - ******* ******* **** ***** **** logs ** ********* ***********.

** *** *********************** ** ***** *****, ****** ******* *** ***, **** were **** ** **** *** **** online, ** *** ********* ***** *****:

**** ** ********* **** ** ***** resources, **** **** **** ** *** extensive ******* ***** *******'* *********, *.*., below *** '*************' * ****** ** a *********** ****:

********, **** **** **** ** **** the ******** *** ********* ** ***** logging **, ** *** ******* (********) shows *****:

Clarify ***** ** *********** ****** ** *****

**** ** *** ***** ****** **** been *******, *.*.:

  • "**.* ******* *******" **** ******** *** those *** *** *******, *** ****** people, *** ***** *** ****** **** log ******* *** ****** ****. **** is *** ** ********** *** ******* but *** *** **** **.* ****** can ** ************.
  • *** '** ************ ******' ****** ** unclear, ** ****. ***** **** *****, such ******* ******** ******* *** ** ************ ******, the *********** *** *** *** ****. They ************ ** ************ ****** ** * customer ** ********** ** *** **** ** ******** customers ********, **** *** *** ******* the ** ************ ******.
  • ******: *** ********* **** ********* * Suprema / ***** *********** **** *** implication **** *** ** ************ ****** is ******** (******* *** ** ***** Police *** *****). **** ** ****** misleading. ***** **** ** *** ********* to *******'* ***** *** ***** ************** ***** *** ************ ** ******* / ***********.
  • *********'* ***** **** "*** ******** *** over *.* ******* ********* *************, *** all ** ***** ***** ** ********** to **** ****" ** ******* **** overstated. ******* **** ***** **** ****** of ************* ***, ** ********, **** do *** *** *** ******** ***** service.
  • **************'* **** ************** ** "****** ******’* ****** ************", this *** ** ** ** ******* metaphor, ** ****. ** ******** ** with *** ** *** *********** *** said **** **** *** *********** *********, not ****** ** ************, ****** ** the **** (*+ ******* '*********** *******').
  • '*********': ****, ********* ****** "******* *** change *** ************ ** ******** ******** to ***** *** *** ****** * user *******", *******, ********* **** ********* accessing *** **** *** *** ****** servers ***** *** *********** ******* *** stored, ** **** ***** ** **** to ****** *** *********** ******* ** the **** *** **** ***** *** hijack ** ******* ***** ***** *** matched ******* *** ****** ******* ** a ****'* ****.

'Stolen' *********** ******* ******* ****** ***

********* ********* ** ******* **** ******* was ******* *********** ********* ** ***** logs, **** **** ****** **** ****, though ** ** ******* *** ***********. vpnMentor **** **** *** *********** ******* were *** ******, ***** ** ******* a ******* (**** *** ********* **** unhashed). *******, ** *** *** **** how **** / ****** ***** *********** templates ***** ** ** ******** / spoofing ********** ************.

** *******, ************'* ****** ******* *** specific ****** **** ********* ********* **** one ****** ** **** ** *******. Also, *********** ********* ** *** ****** contain ****** ******* ** '******* ********' a *********** ********** '*****' ***********.

*********** ******* **** ********** ****** ** a ***** ****** ** ********* ('******') and **** ***** *** *************** ** those ********** ******* ****** ** ********* to ******* ********** ****** *****. '*********** matches' ** ******** ************* *** **** when ********** **** **** ****** ***** up **** *********, *** *** ********* do *** ******* '***** *****' *******.

*******'* ******** ********** ******************* *** ************** ** ******** **** compared ** **** ***** ******:

*** ***********, ***** ******* *** ***** biometric ************* ***, ** ****** '********** ********' ********, ***** **** ****** ****** ******** the ******* ********* ** * *****, but ******* **** **** ** *******. The ****** ** ****** ** ***** reduced ** ******** **** *****, *** at *** **** ** ********** ***** acceptance ** ***** ****** *****.

** *** '*************' ******* *****, **** the *********** ******** '**************' ******* ** '40', ***** ** **** ***** ***********'* ************** ** ** ** * minimum, '******* **** *********** ******* *** affect ******** ***********'.

** *********** *** ************** ** *********** data ** *********, ******** **** '*** quality' ******** **** ***** ** ****, the **** ** *********** ****-****** ****** to ***** **** ****** ********** ** likely * *** ****.

***** ********* ****** "**** *********** ***’* be *******" *** **** ** **** abstractly, *** ******* ** ********* ************ for ******** **** **** *** ** likely ** ** **** ****** **** they *****.

GDPR ********

***** ** ********** **** ******** **** as ******* ** ************* *** ******* (e.g.,******* ******** ** #* ** ****). ************ to ****, *********, ** **** ** biometric ****, *** ****** *** ******. Biometrics ** ** **** ** ******* concern ** *** **** *** ** is ******* ** ******* **** ********* or ******** ********** ** ***** **** data, ** *******'* ****** *****, ** we ****** *****, *** **** **** did *** ***** ******** ** *** cloud.

** *** ***** ****, *** ******** Suprema ***** ***** *** **** ***** this *** ***** ** ***** *** hackers, **** *** ****** ****** *** be ***, ****** **** ******* ** the ********* ** ****** ********** ** black *** ******* *** ***** ***** and ******* ********** *** ** *******'* records.

Financials ********

**** *** *** ******* **** ********* of *** ****** ******* ******, ******* is *** * ***** *******, ********** ~$43 ******* **** ******* **** ****** growth **** *** **** *** *****:

*** **** ******* ******* ** ***** financials ** ***** **** ****** **%+ net ****** *******.

*******, *** *******'* ********* *** ******* ~17% ***** *** **** *** **** public, ** *** ***** ***** *****:

Outlook **********

****** ******* ***** *** ************** ********* reluctant ** *** *** ***** ** vulnerabilities *** ***** ****** ********** *** employees ** ****.

**** *** ** *** ******* ********* companies ******** **** **** ***** *************** will ***** **** ** ********** *** use ** *** ***** ** ***** access ******* *** ***** ** ** issue *** ******* *** ***** ** come.

Comments (8)
JH
John Honovich
Aug 19, 2019
IPVM

******* ***** *****************, **** **** **** prominent ** ********** ***************:

** ******, *** '*** ** *** data' *** *****, **** **** *** those ***** **** ***** ******* *******. It ** ************ *** ****, ** any, ** ********** ******** ********* ***** Bond's *** ** ***** **** ***** feature.

** *** ***** ****, **** ** not ** ******** *** ******** ** the ******** *** ************** ******* *** here, **** **** **** ** ***** claims *** ****** *** ***********.

(1)
U
Undisclosed #1
Aug 19, 2019

** ******** ** **** *** ** the *********** *** **** **** **** was *********** *********, *** ****** ** fingerprints, ****** ** *** **** (*+ million '*********** *******').

****** **** ** *** ******* ** this ******** ****** ** ** ******** vague, **** ********** *** * ** not * *** ** ********* **** like **** ***** ** ************ ***** used ** ********* ** ****** *********** of *** ****.

***** ** **** *** **** **** ALL ********* *** ******* **** **** using **** ****** *-*** ********** * don't **** *********** ****** **** *********** that **** *********** * ****** ****** or ******.

********* *** **** *** ** *****. TFA ******* *** ** ******** ** replaced. **** *** *********** **** ** basically ********* ******, *** ** * society ** **** ******* ***** **** we're *** ***** ** ******** ***** and ****** **** **** ** ****.

*** *** **** *** **** ******** for ****-***, ******* **** **** ** large ****** ** ** ******** ** any ****** ****** ***** ****, ** that **** *** ******.

(1)
(1)
(2)
RL
Randy Lines
Aug 19, 2019

* *** *** ***** *** *** thing ***** ************ ** **** **** are *********** **** **** **-*********, ***-******* passwords **** ***** ***** ** ****** of ******** ****** (****** ****, ****, restaurants) ***** ***. *********** ** ****** be ******* ***** *** ******** ** the "***** ** ****" ********** ****** because ** ****, *********** ******** ** ...... *******.

**** ** *****, * ** ******* forward ** *** *** **** ********* are ***** ********* ********** ** **** security * **** ******** ******** ... this "*****, ** **** ** ****** ... **** ** * ***** ** free ****** **********" **** *** ***** companies.

** ******** ** **, * ******** they *** * ****** ** *********** ahead ** ******** ******** ********** ... mostly ******* **** **** ** *********** hammer ** ******* *** **** *** world *********** ********* ****.

**** * ***** *** :)

***

(2)
(1)
JH
John Honovich
Aug 19, 2019
IPVM

******:

*** ********* **** ********* * ******* / ***** *********** **** *** *********** that *** ** ************ ****** ** impacted (******* *** ** ***** ****** use *****). **** ** ****** **********. NEDAP **** ** *** ********* ** Suprema's ***** *** ***** ************** ***** *** ************ ** ******* / ***********.

** **** ***** ** **** ********* does *** ********** *** **** ************ work *** ***** ** *********** (***** I ***'* ***** **** **** *** it ** **** *** ***** *** familiar **** * ******** ***** ** draw * ***** **********). ** ********* made ***** **** **** ******** *** also **** ******** *** ******** ***** to *******.

(2)
(3)
Avatar
Scott Fischer
Aug 20, 2019
Lorica Consulting LLC • IPVMU Certified

**** ***'* ******** ** ***** **** with ***********-******** **-***-**** ********* **** ****? My ************* ** *** *** **** approach ** ********** ** **** *** fingerprint ** ********* *** ****** ** the ****. *** ******* ******* *** user's *********** ** *** ****** ***** on *** **** ****** **** ******* information **** *** ***** ** * database.

** ** *** ********* *** **** technology, *** * **** **** ******* into ** *** ***** ******* ** additional ***** ** ********.

(1)
(1)
JH
John Honovich
Aug 20, 2019
IPVM

******* *** ****** ** ************ ** their **** ****, ****** *****:

***** ** ******* *** ****** **** we **** ********. ** ** **** Suprema ****** **** ******* ** ***** about ********** ******* ****** ** *** future, ** **** ******.

(1)
JC
Jason Choy
Aug 22, 2019
Welcome Gate - Global

***** **** **** - * **** it *** *** **** **** ** these ******* ******, ******* **** ** quickly!! **** ** *** **** **** :)

** * ******** ****, **** ***** sort ** ****** ******, **** ** companies *** ******* ***** ******** ** for ***** *********?

** *** *********** ***** *** ** all ******* ***** *** ******** ********** or **** ***** ** *** ******* who ***** **?

***** ** **** ** *** ** idea ****** **** ******** ** ** are ********* *** ** *********** *** also **** ** ** ** *** "front-foot" *** **** **** ** **** and *** ***** ** *** *********.

(2)
U
Undisclosed
Aug 23, 2019

***** *** *** ********* *** ***** stream. * ******* *** **** ** art ** * "**** *****". "*** Mass ****" ****** **** *** ***** molasses ***** ** ********* ******** ***** - *********.