Suprema Biometric Mass Leak Examined

By John Honovich and Brian Rhodes, Published Aug 19, 2019, 07:45am EDT

While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past week from Tom's Hardware to Business Insider and even the BBC.

free image3 2

But what happened? Inside this report, we:

  • Explain what was leaked and how it was leaked
  • Contrast which Suprema users are impacted and which are not
  • Examine a key false claim Suprema made about their cloud service
  • Explore the two fundamental issues - exposed buckets and logging - that led to this leak
  • Clarify claims made in media reports about the leak
  • Examine the risk to the fingerprint records 'stolen'
  • Consider the potential GDPR risks and fines involved
  • Review Suprema's size, revenue, market capitalization, and stock price drop

Researcher ****** - *********

***** ***** *** ****** of ***** ******* *********** running *** **** *****, the ********** *** ******** source ** *************: ******: **** ****** in ********* ******** ******** Affecting ******** ** *****. *** ****** ********** **-****** ***** ***************** *** ******:

Executive *******

******* ***** ******** *** company's ******** ***** ******* are ******** ** ******* had ** ******* ***** data ***** (*** '*******') storing **** ** **** actions ** ***** **** including **** ******** ***********, passwords, *** *********** *********.

**** *** *** **** secured / ***** ********* to **** *** *********** and *** *******.

** ** *** ***** if ****** **** *** accessed ***** ******* ****** they ********* ***** ** as **** **** ******** accessible *** ****** ******** the *** ******* *** such ********, ** ***** researchers ****.

Impacted ***** *** ***

**** ******* ***** *** likely *** ******** ** this ** *** ***** service ** ******** ** default ** ******** ***, in *** **********, ***** a **** ****** ************* to ***. ******* **** noted ******* *, ********** Middleware *********** *** ****** SDK ******* *** ***** integrations *** *** ********.

False ***** **** *******

******* ******* *******,** ***** **** ***** FAQ, **** **** *** not ***** ********'* ****:

**** **** ** ****** in **** ***** ****** and *** ***** ******************* *** ** ****** your ***** ****** **** an ******** *******. [******** added]

***** ** * ********* of *******'* ***** ***********:

Exposed ******* *** ****

*** *******, ** **** leak *****, ** **** Suprema*** ************* ****. ***** **** may *** **** ****** permanently '******' ** ***** 'server', **** **** ******* activities ** ***** ***** service. ***** *** ******* uses *** *******, *.*., in *************** *** ******* or ***** ** *** service, ** ******* ****** is ******.

*** *** ******** **** that *******:

  • ******* *** **** ****** without **********, **** **** if ******, **** *** researchers, ******* *** *** right ** ******* / port / ***, **** could ****** *******'* ***** logs.
  • ****** **** ** ***** text ** ****** **** passwords ***** ** **** directly (*.*., ******** ** abc1234, ***.).

**** *** ************* **** bad. ***** ** ** justification *** ***** ** and *** ***** ** this *** **** *****. Earlier **** ****, ** industry ******* ** * leaked ****** ***** ******** ******* *** provider ****, ****** **** ******** leaked *** ***** ********, not **** *** ****. And ** ****** *****, both****** *** ******* ********* they ****** ********* ** plain ****.

**** ***** *** ******* case ** *********** ** that **** *** **** - ******* ******* **** plain **** **** ** sensitive ***********.

** *** *********************** ** ***** *****, ****** ******* *** URL, **** **** **** to **** *** **** online, ** *** ********* below *****:

**** ** ********* **** of ***** *********, **** were **** ** *** extensive ******* ***** *******'* customers, *.*., ***** *** 'powerworldgym' * ****** ** a *********** ****:

********, **** **** **** to **** *** ******** and ********* ** ***** logging **, ** *** excerpt (********) ***** *****:

Clarify ***** ** *********** ****** ** *****

**** ** *** ***** claims **** **** *******, e.g.:

  • "**.* ******* *******" **** involved *** ***** *** log *******, *** ****** people, *** ***** *** likely **** *** ******* per ****** ****. **** is *** ** ********** the ******* *** *** top **** **.* ****** can ** ************.
  • *** '** ************ ******' impact ** *******, ** best. ***** **** *****, such ******* ******** ******* *** ** Metropolitan ******, *** *********** did *** *** ****. They ************ ** ************ ****** as * ******** ** Suprema*** ** *** **** of ******** ********* ********, they *** *** ******* the ** ************ ******.
  • ******: *** ********* **** conflates * ******* / NEDAP *********** **** *** implication **** *** ** Metropolitan ****** ** ******** (because *** ** ***** Police *** *****). **** is ****** **********. ***** AEOS ** *** ********* to *******'* ***** *** NEDAP ************** ***** *** ************ to ******* / ***********.
  • *********'* ***** **** "*** platform *** **** *.* million ********* *************, *** all ** ***** ***** be ********** ** **** leak" ** ******* **** overstated. ******* **** ***** that ****** ** ************* but, ** ********, **** do *** *** *** optional ***** *******.
  • **************'* **** ************** ** "****** ******’* actual ************", **** *** to ** ** ******* metaphor, ** ****. ** followed ** **** *** of *** *********** *** said **** **** *** fingerprint *********, *** ****** of ************, ****** ** the **** (*+ ******* 'fingerprint *******').
  • '*********': ****, ********* ****** "hackers *** ****** *** fingerprints ** ******** ******** to ***** *** *** hijack * **** *******", however, ********* **** ********* accessing *** **** *** the ****** ******* ***** the *********** ******* *** stored, ** **** ***** be **** ** ****** the *********** ******* ** the **** *** **** would *** ****** ** account ***** ***** *** matched ******* *** ****** servers ** * ****'* site.

'Stolen' *********** ******* ******* ****** ***

********* ********* ** ******* that ******* *** ******* fingerprint ********* ** ***** logs, **** **** ****** some ****, ****** ** is ******* *** ***********. vpnMentor **** **** *** fingerprint ******* **** *** hashed, ***** ** ******* a ******* (**** *** passwords **** ********). *******, we *** *** **** how **** / ****** those *********** ********* ***** be ** ******** / spoofing ********** ************.

** *******, ************'* ****** sensors *** ******** ****** that ********* ********* **** one ****** ** **** in *******. ****, *********** templates ** *** ****** contain ****** ******* ** 'reverse ********' * *********** applicable '*****' ***********.

*********** ******* **** ********** prints ** * ***** number ** ********* ('******') and **** ***** *** characteristics ** ***** ********** sampled ****** ** ********* to ******* ********** ****** scans. '*********** *******' ** identity ************* *** **** when ********** **** **** points ***** ** **** templates, *** *** ********* do *** ******* '***** print' *******.

*******'* ******** ********** ******************* *** ************** ** template **** ******** ** full ***** ******:

*** ***********, ***** ******* and ***** ********* ************* use, ** ****** '********** ********' ********, ***** **** ****** points ******** *** ******* certainty ** * *****, but ******* **** **** to *******. *** ****** of ****** ** ***** reduced ** ******** **** speed, *** ** *** risk ** ********** ***** acceptance ** ***** ****** rates.

** *** '*************' ******* above, **** *** *********** template '**************' ******* ** '40', ***** ** **** lower ***********'* ************** ** ** as * *******, '******* **** *********** quality *** ****** ******** performance'.

** *********** *** ************** of *********** **** ** templates, ******** **** '*** quality' ******** **** ***** be ****, *** **** of *********** ****-****** ****** to ***** **** ****** identities ** ****** * low ****.

***** ********* ****** "**** fingerprint ***’* ** *******" and **** ** **** abstractly, *** ******* ** recording ************ *** ******** does **** *** ** likely ** ** **** useful **** **** *****.

GDPR ********

***** ** ********** **** concerns **** ** ******* EU ************* *** ******* (e.g.,******* ******** ** #* ** EMEA). ************ ** ****, usernames, ** **** ** biometric ****, *** ****** and ******. ********** ** an **** ** ******* concern ** *** **** and ** ** ******* if ******* **** ********* or ******** ********** ** store **** ****, ** Suprema's ****** *****, ** we ****** *****, *** that **** *** *** store ******** ** *** cloud.

** *** ***** ****, one ******** ******* ***** argue *** **** ***** this *** ***** ** white *** *******, **** the ****** ****** *** be ***, ****** **** depends ** *** ********* to ****** ********** ** black *** ******* *** their ***** *** ******* downloaded *** ** *******'* records.

Financials ********

**** *** *** ******* size ********* ** *** access ******* ******, ******* is *** * ***** company, ********** ~$** ******* 2018 ******* **** ****** growth **** *** **** few *****:

*** **** ******* ******* of ***** ********** ** their **** ****** **%+ net ****** *******.

*******, *** *******'* ********* has ******* ~**% ***** the **** *** **** public, ** *** ***** below *****:

Outlook **********

****** ******* ***** *** understandably ********* ********* ** use *** ***** ** vulnerabilities *** ***** ****** facilities *** ********* ** risk.

**** *** ** *** biggest ********* ********* ******** from **** ***** *************** will ***** **** ** reconsider *** *** ** the ***** ** ***** access ******* *** ***** be ** ***** *** Suprema *** ***** ** come.

Comments (8)

John Honovich

IPVM | 08/19/19 02:11pm

******* ***** *****************, **** time **** ********* ** partner*** ***************:

** ******, *** '*** of *** ****' *** there, **** **** *** those ***** **** ***** connect *******. ** ** questionable *** ****, ** any, ** ********** ******** including ***** ****'* *** is ***** **** ***** feature.

** *** ***** ****, this ** *** ** discount *** ******** ** the ******** *** ************** Suprema *** ****, **** that **** ** ***** claims *** ****** *** exaggerated.

Undisclosed #1

08/19/19 03:57pm

** ******** ** **** one ** *** *********** who **** **** **** was *********** *********, *** photos ** ************, ****** in *** **** (*+ million '*********** *******').

****** **** ** *** details ** **** ******** appear ** ** ******** vague, **** ********** *** I ** *** * fan ** ********* **** like **** ***** ** fingerprints ***** **** ** passwords ** ****** *********** of *** ****.

***** ** **** *** sure **** *** ********* are ******* **** **** using **** ****** *-*** encryption * ***'* **** comfortable ****** **** *********** that **** *********** * cannot ****** ** ******.

********* *** **** *** be *****. *** ******* can ** ******** ** replaced. **** *** *********** data ** ********* ********* though, *** ** * society ** **** ******* shown **** **'** *** ready ** ******** ***** and ****** **** **** of ****.

*** *** **** *** same ******** *** ****-***, however **** **** ** large ****** ** ** captured ** *** ****** camera ***** ****, ** that **** *** ******.

Randy Lines

08/19/19 04:47pm

* *** *** ***** but *** ***** ***** fingerprints ** **** **** are *********** **** **** un-encrypted, ***-******* ********* **** users ***** ** ****** of ******** ****** (****** cups, ****, ***********) ***** day. *********** ** ****** be ******* ***** *** security ** *** "***** of ****" ********** ****** because ** ****, *********** password ** ...... *******.

**** ** *****, * am ******* ******* ** the *** **** ********* are ***** ********* ********** to **** ******** * good ******** ******** ... this "*****, ** **** do ****** ... **** is * ***** ** free ****** **********" **** not ***** *********.

** ******** ** **, I ******** **** *** a ****** ** *********** ahead ** ******** ******** technology ... ****** ******* they **** ** *********** hammer ** ******* *** over *** ***** *********** attacking ****.

**** * ***** *** :)

***

John Honovich

IPVM | 08/19/19 05:29pm

******:

*** ********* **** ********* a ******* / ***** integration **** *** *********** that *** ** ************ police ** ******** (******* the ** ***** ****** use *****). **** ** highly **********. ***** **** is *** ********* ** Suprema's ***** *** ***** actually****** ***** *** ************ to ******* / ***********.

** **** ***** ** that ********* **** *** understand *** **** ************ work *** ***** ** conclusions (***** * ***'* think **** **** *** it ** **** *** those *** ******** **** a ******** ***** ** draw * ***** **********). It ********* **** ***** post **** ******** *** also **** ******** *** unfairly ***** ** *******.

Avatar

Scott Fischer

Lorica Consulting LLC
IPVMU Certified | 08/20/19 12:44pm

**** ***'* ******** ** using **** **** ***********-******** on-the-card ********* **** ****? My ************* ** *** HID **** ******** ** biometrics ** **** *** fingerprint ** ********* *** stored ** *** ****. The ******* ******* *** user's *********** ** *** stored ***** ** *** card ****** **** ******* information **** *** ***** to * ********.

** ** *** ********* use **** **********, *** I **** **** ******* into ** *** ***** needing ** ********** ***** of ********.

John Honovich

IPVM | 08/20/19 12:53pm

******* *** ****** ** announcement ** ***** **** page, ****** *****:

***** ** ******* *** versus **** ** **** reported. ** ** **** Suprema ****** **** ******* or ***** ***** ********** further ****** ** *** future, ** **** ******.

Jason Choy

08/22/19 07:14am

***** **** **** - I **** ** *** you **** **** ** these ******* ******, ******* them ** *******!! **** up *** **** **** :)

** * ******** ****, when ***** **** ** things ******, **** ** companies *** ******* ***** products ** *** ***** customers?

** *** *********** ***** out ** *** ******* using *** ******** ********** or **** ***** ** the ******* *** ***** it?

***** ** **** ** get ** **** ****** best ******** ** ** are ********* *** ** scaremonger *** **** **** to ** ** *** "front-foot" *** **** **** we **** *** *** aware ** *** *********.

Undisclosed

08/23/19 03:29pm

***** *** *** ********* the ***** ******. * believe *** **** ** art ** * "**** spill". "*** **** ****" sounds **** *** ***** molasses ***** ** ********* ******** ***** - Wikipedia.

Read this IPVM report for free.

This article is part of IPVM's 6,804 reports, 913 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports