Suprema Biometric Mass Leak Examined

By: John Honovich and Brian Rhodes, Published on Aug 19, 2019

While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past week from Tom's Hardware to Business Insider and even the BBC.

free image3 2

But what happened? Inside this report, we:

  • Explain what was leaked and how it was leaked
  • Contrast which Suprema users are impacted and which are not
  • Examine a key false claim Suprema made about their cloud service
  • Explore the two fundamental issues - exposed buckets and logging - that led to this leak
  • Clarify claims made in media reports about the leak
  • Examine the risk to the fingerprint records 'stolen'
  • Consider the potential GDPR risks and fines involved
  • Review Suprema's size, revenue, market capitalization, and stock price drop

***** ******* ** ****** discussed **** ****** *** physical ******** ******, *** South ****** ********** ************ made ****** **** **** past ******** ***'* ********** ******** ************** *** ***.

free image3 2

*** **** ********? ****** this ******, **:

  • ******* **** *** ****** and *** ** *** leaked
  • ******** ***** ******* ***** are ******** *** ***** are ***
  • ******* * *** ***** claim ******* **** ***** their ***** *******
  • ******* *** *** *********** issues - ******* ******* and ******* - **** led ** **** ****
  • ******* ****** **** ** media ******* ***** *** leak
  • ******* *** **** ** the *********** ******* '******'
  • ******** *** ********* **** risks *** ***** ********
  • ****** *******'* ****, *******, market **************, *** ***** price ****

[***************]

Researcher ****** - *********

***** ***** *** ****** of ***** ******* *********** running *** **** *****, the ********** *** ******** source ** *************: ******: **** ****** in ********* ******** ******** Affecting ******** ** *****. *** ****** ********** **-****** ***** ***************** *** ******:

Executive *******

******* ***** ******** *** company's ******** ***** ******* are ******** ** ******* had ** ******* ***** data ***** (*** '*******') storing **** ** **** actions ** ***** **** including **** ******** ***********, passwords, *** *********** *********.

**** *** *** **** secured / ***** ********* to **** *** *********** and *** *******.

** ** *** ***** if ****** **** *** accessed ***** ******* ****** they ********* ***** ** as **** **** ******** accessible *** ****** ******** the *** ******* *** such ********, ** ***** researchers ****.

Impacted ***** *** ***

**** ******* ***** *** likely *** ******** ** this ** *** ***** service ** ******** ** default ** ******** ***, in *** **********, ***** a **** ****** ************* to ***. ******* **** noted ******* *, ********** Middleware *********** *** ****** SDK ******* *** ***** integrations *** *** ********.

False ***** **** *******

******* ******* *******,** ***** **** ***** FAQ, **** **** *** not ***** ********'* ****:

**** **** ** ****** in **** ***** ****** and *** ***** ******************* *** ** ****** your ***** ****** **** an ******** *******. [******** added]

***** ** * ********* of *******'* ***** ***********:

Exposed ******* *** ****

*** *******, ** **** leak *****, ** **** Suprema*** ************* ****. ***** **** may *** **** ****** permanently '******' ** ***** 'server', **** **** ******* activities ** ***** ***** service. ***** *** ******* uses *** *******, *.*., in *************** *** ******* or ***** ** *** service, ** ******* ****** is ******.

*** *** ******** **** that *******:

  • ******* *** **** ****** without **********, **** **** if ******, **** *** researchers, ******* *** *** right ** ******* / port / ***, **** could ****** *******'* ***** logs.
  • ****** **** ** ***** text ** ****** **** passwords ***** ** **** directly (*.*., ******** ** abc1234, ***.).

**** *** ************* **** bad. ***** ** ** justification *** ***** ** and *** ***** ** this *** **** *****. Earlier **** ****, ** industry ******* ** * leaked ****** ***** ******** ******* *** provider ****, ****** **** ******** leaked *** ***** ********, not **** *** ****. And ** ****** *****, both****** *** ******* ********* they ****** ********* ** plain ****.

**** ***** *** ******* case ** *********** ** that **** *** **** - ******* ******* **** plain **** **** ** sensitive ***********.

** *** *********************** ** ***** *****, ****** ******* *** URL, **** **** **** to **** *** **** online, ** *** ********* below *****:

**** ** ********* **** of ***** *********, **** were **** ** *** extensive ******* ***** *******'* customers, *.*., ***** *** 'powerworldgym' * ****** ** a *********** ****:

********, **** **** **** to **** *** ******** and ********* ** ***** logging **, ** *** excerpt (********) ***** *****:

Clarify ***** ** *********** ****** ** *****

**** ** *** ***** claims **** **** *******, e.g.:

  • "**.* ******* *******" **** involved *** ***** *** log *******, *** ****** people, *** ***** *** likely **** *** ******* per ****** ****. **** is *** ** ********** the ******* *** *** top **** **.* ****** can ** ************.
  • *** '** ************ ******' impact ** *******, ** best. ***** **** *****, such ******* ******** ******* *** ** Metropolitan ******, *** *********** did *** *** ****. They ************ ** ************ ****** as * ******** ** Suprema*** ** *** **** of ******** ********* ********, they *** *** ******* the ** ************ ******.
  • ******: *** ********* **** conflates * ******* / NEDAP *********** **** *** implication **** *** ** Metropolitan ****** ** ******** (because *** ** ***** Police *** *****). **** is ****** **********. ***** AEOS ** *** ********* to *******'* ***** *** NEDAP ************** ***** *** ************ to ******* / ***********.
  • *********'* ***** **** "*** platform *** **** *.* million ********* *************, *** all ** ***** ***** be ********** ** **** leak" ** ******* **** overstated. ******* **** ***** that ****** ** ************* but, ** ********, **** do *** *** *** optional ***** *******.
  • **************'* **** ************** ** "****** ******’* actual ************", **** *** to ** ** ******* metaphor, ** ****. ** followed ** **** *** of *** *********** *** said **** **** *** fingerprint *********, *** ****** of ************, ****** ** the **** (*+ ******* 'fingerprint *******').
  • '*********': ****, ********* ****** "hackers *** ****** *** fingerprints ** ******** ******** to ***** *** *** hijack * **** *******", however, ********* **** ********* accessing *** **** *** the ****** ******* ***** the *********** ******* *** stored, ** **** ***** be **** ** ****** the *********** ******* ** the **** *** **** would *** ****** ** account ***** ***** *** matched ******* *** ****** servers ** * ****'* site.

'Stolen' *********** ******* ******* ****** ***

********* ********* ** ******* that ******* *** ******* fingerprint ********* ** ***** logs, **** **** ****** some ****, ****** ** is ******* *** ***********. vpnMentor **** **** *** fingerprint ******* **** *** hashed, ***** ** ******* a ******* (**** *** passwords **** ********). *******, we *** *** **** how **** / ****** those *********** ********* ***** be ** ******** / spoofing ********** ************.

** *******, ************'* ****** sensors *** ******** ****** that ********* ********* **** one ****** ** **** in *******. ****, *********** templates ** *** ****** contain ****** ******* ** 'reverse ********' * *********** applicable '*****' ***********.

*********** ******* **** ********** prints ** * ***** number ** ********* ('******') and **** ***** *** characteristics ** ***** ********** sampled ****** ** ********* to ******* ********** ****** scans. '*********** *******' ** identity ************* *** **** when ********** **** **** points ***** ** **** templates, *** *** ********* do *** ******* '***** print' *******.

*******'* ******** ********** ******************* *** ************** ** template **** ******** ** full ***** ******:

*** ***********, ***** ******* and ***** ********* ************* use, ** ****** '********** ********' ********, ***** **** ****** points ******** *** ******* certainty ** * *****, but ******* **** **** to *******. *** ****** of ****** ** ***** reduced ** ******** **** speed, *** ** *** risk ** ********** ***** acceptance ** ***** ****** rates.

** *** '*************' ******* above, **** *** *********** template '**************' ******* ** '40', ***** ** **** lower ***********'* ************** ** ** as * *******, '******* **** *********** quality *** ****** ******** performance'.

** *********** *** ************** of *********** **** ** templates, ******** **** '*** quality' ******** **** ***** be ****, *** **** of *********** ****-****** ****** to ***** **** ****** identities ** ****** * low ****.

***** ********* ****** "**** fingerprint ***’* ** *******" and **** ** **** abstractly, *** ******* ** recording ************ *** ******** does **** *** ** likely ** ** **** useful **** **** *****.

GDPR ********

***** ** ********** **** concerns **** ** ******* EU ************* *** ******* (e.g.,******* ******** ** #* ** EMEA). ************ ** ****, usernames, ** **** ** biometric ****, *** ****** and ******. ********** ** an **** ** ******* concern ** *** **** and ** ** ******* if ******* **** ********* or ******** ********** ** store **** ****, ** Suprema's ****** *****, ** we ****** *****, *** that **** *** *** store ******** ** *** cloud.

** *** ***** ****, one ******** ******* ***** argue *** **** ***** this *** ***** ** white *** *******, **** the ****** ****** *** be ***, ****** **** depends ** *** ********* to ****** ********** ** black *** ******* *** their ***** *** ******* downloaded *** ** *******'* records.

Financials ********

**** *** *** ******* size ********* ** *** access ******* ******, ******* is *** * ***** company, ********** ~$** ******* 2018 ******* **** ****** growth **** *** **** few *****:

*** **** ******* ******* of ***** ********** ** their **** ****** **%+ net ****** *******.

*******, *** *******'* ********* has ******* ~**% ***** the **** *** **** public, ** *** ***** below *****:

Outlook **********

****** ******* ***** *** understandably ********* ********* ** use *** ***** ** vulnerabilities *** ***** ****** facilities *** ********* ** risk.

**** *** ** *** biggest ********* ********* ******** from **** ***** *************** will ***** **** ** reconsider *** *** ** the ***** ** ***** access ******* *** ***** be ** ***** *** Suprema *** ***** ** come.

Comments (8)

John Honovich

IPVM | 08/19/19 02:11pm

******* ***** *****************, **** time **** ********* ** partner*** ***************:

** ******, *** '*** of *** ****' *** there, **** **** *** those ***** **** ***** connect *******. ** ** questionable *** ****, ** any, ** ********** ******** including ***** ****'* *** is ***** **** ***** feature.

** *** ***** ****, this ** *** ** discount *** ******** ** the ******** *** ************** Suprema *** ****, **** that **** ** ***** claims *** ****** *** exaggerated.

Undisclosed #1

08/19/19 03:57pm

** ******** ** **** one ** *** *********** who **** **** **** was *********** *********, *** photos ** ************, ****** in *** **** (*+ million '*********** *******').

****** **** ** *** details ** **** ******** appear ** ** ******** vague, **** ********** *** I ** *** * fan ** ********* **** like **** ***** ** fingerprints ***** **** ** passwords ** ****** *********** of *** ****.

***** ** **** *** sure **** *** ********* are ******* **** **** using **** ****** *-*** encryption * ***'* **** comfortable ****** **** *********** that **** *********** * cannot ****** ** ******.

********* *** **** *** be *****. *** ******* can ** ******** ** replaced. **** *** *********** data ** ********* ********* though, *** ** * society ** **** ******* shown **** **'** *** ready ** ******** ***** and ****** **** **** of ****.

*** *** **** *** same ******** *** ****-***, however **** **** ** large ****** ** ** captured ** *** ****** camera ***** ****, ** that **** *** ******.

Randy Lines

08/19/19 04:47pm

* *** *** ***** but *** ***** ***** fingerprints ** **** **** are *********** **** **** un-encrypted, ***-******* ********* **** users ***** ** ****** of ******** ****** (****** cups, ****, ***********) ***** day. *********** ** ****** be ******* ***** *** security ** *** "***** of ****" ********** ****** because ** ****, *********** password ** ...... *******.

**** ** *****, * am ******* ******* ** the *** **** ********* are ***** ********* ********** to **** ******** * good ******** ******** ... this "*****, ** **** do ****** ... **** is * ***** ** free ****** **********" **** not ***** *********.

** ******** ** **, I ******** **** *** a ****** ** *********** ahead ** ******** ******** technology ... ****** ******* they **** ** *********** hammer ** ******* *** over *** ***** *********** attacking ****.

**** * ***** *** :)

***

John Honovich

IPVM | 08/19/19 05:29pm

******:

*** ********* **** ********* a ******* / ***** integration **** *** *********** that *** ** ************ police ** ******** (******* the ** ***** ****** use *****). **** ** highly **********. ***** **** is *** ********* ** Suprema's ***** *** ***** actually****** ***** *** ************ to ******* / ***********.

** **** ***** ** that ********* **** *** understand *** **** ************ work *** ***** ** conclusions (***** * ***'* think **** **** *** it ** **** *** those *** ******** **** a ******** ***** ** draw * ***** **********). It ********* **** ***** post **** ******** *** also **** ******** *** unfairly ***** ** *******.

Avatar

Scott Fischer

Lorica Consulting LLC
IPVMU Certified | 08/20/19 12:44pm

**** ***'* ******** ** using **** **** ***********-******** on-the-card ********* **** ****? My ************* ** *** HID **** ******** ** biometrics ** **** *** fingerprint ** ********* *** stored ** *** ****. The ******* ******* *** user's *********** ** *** stored ***** ** *** card ****** **** ******* information **** *** ***** to * ********.

** ** *** ********* use **** **********, *** I **** **** ******* into ** *** ***** needing ** ********** ***** of ********.

John Honovich

IPVM | 08/20/19 12:53pm

******* *** ****** ** announcement ** ***** **** page, ****** *****:

***** ** ******* *** versus **** ** **** reported. ** ** **** Suprema ****** **** ******* or ***** ***** ********** further ****** ** *** future, ** **** ******.

Jason Choy

08/22/19 07:14am

***** **** **** - I **** ** *** you **** **** ** these ******* ******, ******* them ** *******!! **** up *** **** **** :)

** * ******** ****, when ***** **** ** things ******, **** ** companies *** ******* ***** products ** *** ***** customers?

** *** *********** ***** out ** *** ******* using *** ******** ********** or **** ***** ** the ******* *** ***** it?

***** ** **** ** get ** **** ****** best ******** ** ** are ********* *** ** scaremonger *** **** **** to ** ** *** "front-foot" *** **** **** we **** *** *** aware ** *** *********.

Undisclosed

08/23/19 03:29pm

***** *** *** ********* the ***** ******. * believe *** **** ** art ** * "**** spill". "*** **** ****" sounds **** *** ***** molasses ***** ** ********* ******** ***** - Wikipedia.

Login to read this IPVM report.

Related Reports

Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Don't Deceive. Lessons From Scott Schafer on Mar 20, 2020
Deception is bad. We can learn some important lessons from Scott Schafer, a...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Verkada Falsely Claims "First Native Cloud-based Access Control and Video Security Solution" on Jun 18, 2020
Verkada's false claims continue, this time to be the first native cloud-based...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
Terrible Convergint Coronavirus Thermal Camera Recommendation on Apr 01, 2020
A week after Convergint disclosed falling revenue, pay and job cuts,...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
Monitoreal "Completely Autonomous" Home AI Tested on Feb 12, 2020
Monitoreal claims to allow users to "see the things you want (people,...
Faked Convergint Fever Camera 'Expert' Marketing on Jun 16, 2020
Convergint touts they are "THERMAL CAMERA SOLUTION EXPERTS" while faking...
Video Analytics 101 on Mar 16, 2020
This guide teaches the fundamentals of video surveillance...
FDA Gives Guidance on 'Coronavirus' Thermal Fever Detection Systems on Mar 30, 2020
The US FDA has given IPVM guidance on the use of thermal fever detection...
Worst Camera Manufacturers 2020 on May 06, 2020
Which camera manufacturer have integrators had the worst experience with in...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Indian Government Restricts PRC Manufacturers From Public Projects on Aug 04, 2020
In a move that mirrors the U.S. government’s ban on Dahua and Hikvision...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...