Suprema Biometric Mass Leak Examined

By John Honovich and Brian Rhodes, Published Aug 19, 2019, 07:45am EDT

While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past week from Tom's Hardware to Business Insider and even the BBC.

free image3 2

But what happened? Inside this report, we:

  • Explain what was leaked and how it was leaked
  • Contrast which Suprema users are impacted and which are not
  • Examine a key false claim Suprema made about their cloud service
  • Explore the two fundamental issues - exposed buckets and logging - that led to this leak
  • Clarify claims made in media reports about the leak
  • Examine the risk to the fingerprint records 'stolen'
  • Consider the potential GDPR risks and fines involved
  • Review Suprema's size, revenue, market capitalization, and stock price drop

Researcher ****** - *********

***** ***** *** ****** of ***** ******* *********** running *** **** *****, the ********** *** ******** source ** *************: ******: **** ****** in ********* ******** ******** Affecting ******** ** *****. *** ****** ********** **-****** ***** ***************** *** ******:

Executive *******

******* ***** ******** *** company's ******** ***** ******* are ******** ** ******* had ** ******* ***** data ***** (*** '*******') storing **** ** **** actions ** ***** **** including **** ******** ***********, passwords, *** *********** *********.

**** *** *** **** secured / ***** ********* to **** *** *********** and *** *******.

** ** *** ***** if ****** **** *** accessed ***** ******* ****** they ********* ***** ** as **** **** ******** accessible *** ****** ******** the *** ******* *** such ********, ** ***** researchers ****.

Impacted ***** *** ***

**** ******* ***** *** likely *** ******** ** this ** *** ***** service ** ******** ** default ** ******** ***, in *** **********, ***** a **** ****** ************* to ***. ******* **** noted ******* *, ********** Middleware *********** *** ****** SDK ******* *** ***** integrations *** *** ********.

False ***** **** *******

******* ******* *******,** ***** **** ***** FAQ, **** **** *** not ***** ********'* ****:

**** **** ** ****** in **** ***** ****** and *** ***** ******************* *** ** ****** your ***** ****** **** an ******** *******. [******** added]

***** ** * ********* of *******'* ***** ***********:

Exposed ******* *** ****

*** *******, ** **** leak *****, ** **** Suprema*** ************* ****. ***** **** may *** **** ****** permanently '******' ** ***** 'server', **** **** ******* activities ** ***** ***** service. ***** *** ******* uses *** *******, *.*., in *************** *** ******* or ***** ** *** service, ** ******* ****** is ******.

*** *** ******** **** that *******:

  • ******* *** **** ****** without **********, **** **** if ******, **** *** researchers, ******* *** *** right ** ******* / port / ***, **** could ****** *******'* ***** logs.
  • ****** **** ** ***** text ** ****** **** passwords ***** ** **** directly (*.*., ******** ** abc1234, ***.).

**** *** ************* **** bad. ***** ** ** justification *** ***** ** and *** ***** ** this *** **** *****. Earlier **** ****, ** industry ******* ** * leaked ****** ***** ******** ******* *** provider ****, ****** **** ******** leaked *** ***** ********, not **** *** ****. And ** ****** *****, both****** *** ******* ********* they ****** ********* ** plain ****.

**** ***** *** ******* case ** *********** ** that **** *** **** - ******* ******* **** plain **** **** ** sensitive ***********.

** *** *********************** ** ***** *****, ****** ******* *** URL, **** **** **** to **** *** **** online, ** *** ********* below *****:

**** ** ********* **** of ***** *********, **** were **** ** *** extensive ******* ***** *******'* customers, *.*., ***** *** 'powerworldgym' * ****** ** a *********** ****:

********, **** **** **** to **** *** ******** and ********* ** ***** logging **, ** *** excerpt (********) ***** *****:

Clarify ***** ** *********** ****** ** *****

**** ** *** ***** claims **** **** *******, e.g.:

  • "**.* ******* *******" **** involved *** ***** *** log *******, *** ****** people, *** ***** *** likely **** *** ******* per ****** ****. **** is *** ** ********** the ******* *** *** top **** **.* ****** can ** ************.
  • *** '** ************ ******' impact ** *******, ** best. ***** **** *****, such ******* ******** ******* *** ** Metropolitan ******, *** *********** did *** *** ****. They ************ ** ************ ****** as * ******** ** Suprema*** ** *** **** of ******** ********* ********, they *** *** ******* the ** ************ ******.
  • ******: *** ********* **** conflates * ******* / NEDAP *********** **** *** implication **** *** ** Metropolitan ****** ** ******** (because *** ** ***** Police *** *****). **** is ****** **********. ***** AEOS ** *** ********* to *******'* ***** *** NEDAP ************** ***** *** ************ to ******* / ***********.
  • *********'* ***** **** "*** platform *** **** *.* million ********* *************, *** all ** ***** ***** be ********** ** **** leak" ** ******* **** overstated. ******* **** ***** that ****** ** ************* but, ** ********, **** do *** *** *** optional ***** *******.
  • **************'* **** ************** ** "****** ******’* actual ************", **** *** to ** ** ******* metaphor, ** ****. ** followed ** **** *** of *** *********** *** said **** **** *** fingerprint *********, *** ****** of ************, ****** ** the **** (*+ ******* 'fingerprint *******').
  • '*********': ****, ********* ****** "hackers *** ****** *** fingerprints ** ******** ******** to ***** *** *** hijack * **** *******", however, ********* **** ********* accessing *** **** *** the ****** ******* ***** the *********** ******* *** stored, ** **** ***** be **** ** ****** the *********** ******* ** the **** *** **** would *** ****** ** account ***** ***** *** matched ******* *** ****** servers ** * ****'* site.

'Stolen' *********** ******* ******* ****** ***

********* ********* ** ******* that ******* *** ******* fingerprint ********* ** ***** logs, **** **** ****** some ****, ****** ** is ******* *** ***********. vpnMentor **** **** *** fingerprint ******* **** *** hashed, ***** ** ******* a ******* (**** *** passwords **** ********). *******, we *** *** **** how **** / ****** those *********** ********* ***** be ** ******** / spoofing ********** ************.

** *******, ************'* ****** sensors *** ******** ****** that ********* ********* **** one ****** ** **** in *******. ****, *********** templates ** *** ****** contain ****** ******* ** 'reverse ********' * *********** applicable '*****' ***********.

*********** ******* **** ********** prints ** * ***** number ** ********* ('******') and **** ***** *** characteristics ** ***** ********** sampled ****** ** ********* to ******* ********** ****** scans. '*********** *******' ** identity ************* *** **** when ********** **** **** points ***** ** **** templates, *** *** ********* do *** ******* '***** print' *******.

*******'* ******** ********** ******************* *** ************** ** template **** ******** ** full ***** ******:

*** ***********, ***** ******* and ***** ********* ************* use, ** ****** '********** ********' ********, ***** **** ****** points ******** *** ******* certainty ** * *****, but ******* **** **** to *******. *** ****** of ****** ** ***** reduced ** ******** **** speed, *** ** *** risk ** ********** ***** acceptance ** ***** ****** rates.

** *** '*************' ******* above, **** *** *********** template '**************' ******* ** '40', ***** ** **** lower ***********'* ************** ** ** as * *******, '******* **** *********** quality *** ****** ******** performance'.

** *********** *** ************** of *********** **** ** templates, ******** **** '*** quality' ******** **** ***** be ****, *** **** of *********** ****-****** ****** to ***** **** ****** identities ** ****** * low ****.

***** ********* ****** "**** fingerprint ***’* ** *******" and **** ** **** abstractly, *** ******* ** recording ************ *** ******** does **** *** ** likely ** ** **** useful **** **** *****.

GDPR ********

***** ** ********** **** concerns **** ** ******* EU ************* *** ******* (e.g.,******* ******** ** #* ** EMEA). ************ ** ****, usernames, ** **** ** biometric ****, *** ****** and ******. ********** ** an **** ** ******* concern ** *** **** and ** ** ******* if ******* **** ********* or ******** ********** ** store **** ****, ** Suprema's ****** *****, ** we ****** *****, *** that **** *** *** store ******** ** *** cloud.

** *** ***** ****, one ******** ******* ***** argue *** **** ***** this *** ***** ** white *** *******, **** the ****** ****** *** be ***, ****** **** depends ** *** ********* to ****** ********** ** black *** ******* *** their ***** *** ******* downloaded *** ** *******'* records.

Financials ********

**** *** *** ******* size ********* ** *** access ******* ******, ******* is *** * ***** company, ********** ~$** ******* 2018 ******* **** ****** growth **** *** **** few *****:

*** **** ******* ******* of ***** ********** ** their **** ****** **%+ net ****** *******.

*******, *** *******'* ********* has ******* ~**% ***** the **** *** **** public, ** *** ***** below *****:

Outlook **********

****** ******* ***** *** understandably ********* ********* ** use *** ***** ** vulnerabilities *** ***** ****** facilities *** ********* ** risk.

**** *** ** *** biggest ********* ********* ******** from **** ***** *************** will ***** **** ** reconsider *** *** ** the ***** ** ***** access ******* *** ***** be ** ***** *** Suprema *** ***** ** come.

Comments (8)

Another media misrepresentation, this time from prominent VC partner Ben Evans newsletter:

Of course, not 'all of the data' was there, just logs for those using this cloud connect feature. It is questionable how many, if any, UK government agencies including James Bond's MI6 is using this cloud feature.

On the other hand, this is not to discount the severity of the incident and responsibility Suprema has here, just that many of these claims are sloppy and exaggerated.

Agree
Disagree
Informative: 1
Unhelpful
Funny

We followed up with one of the researchers who said that this was fingerprint templates, not photos of fingerprints, stored in the logs (1+ million 'fingerprint records').

Though many of the details of this incident appear to be somewhat vague, this represents why I am not a fan of biometric data like iris scans or fingerprints being used as passwords or access credentials of any sort.

Until we know for sure that ALL companies are storing this data using very strong 1-way encryption I don't feel comfortable giving them information that once surrendered I cannot change or recall.

Passwords and PINs can be reset. TFA devices can be disabled or replaced. Iris and fingerprint data is basically permanent though, and as a society we have clearly shown that we're not ready to properly store and manage this kind of data.

You can make the same argument for face-rec, however your face is large enough to be captured by any common camera these days, so that ship has sailed.

Agree: 1
Disagree: 1
Informative: 2
Unhelpful
Funny

A bit off topic but the thing about fingerprints is that they are essentially very long un-encrypted, non-rolling passwords that users leave in dozens of insecure places (coffee cups, cars, restaurants) every day. Essentially we should be talking about the security of the "proof of life" technology claims because an open, unencrypted password is ...... useless.

Back on topic, I am looking forward to the day that companies are given penalties sufficient to make security a good business decision ... this "Sorry, we will do better ... here is a month of free credit monitoring" will not deter companies.

In fairness to IT, I maintain they are a couple of generations ahead of physical security technology ... mostly because they face an unrelenting hammer of persons all over the world anonymously attacking them.

Have a great Day :)

rbl

Agree: 2
Disagree
Informative: 1
Unhelpful
Funny

UPDATE:

The vpnMentor post conflates a Suprema / NEDAP integration with the implication that the UK Metropolitan police is impacted (because the UK Metro Police use NEDAP). This is highly misleading. NEDAP AEOS is not connected to Suprema's cloud and NEDAP actually issued their own announcement to clarify / correct this.

My best guess is that vpnMentor does not understand how such integrations work and leapt to conclusions (since I don't think they lied and it is easy for those not familiar with a specific space to draw a false conclusion). It certainly made their post more exciting but also less accurate and unfairly worse to Suprema.

Agree: 2
Disagree
Informative: 3
Unhelpful
Funny

Does HID's approach to using SEOS with fingerprint-template on-the-card eliminate this risk? My understanding of the HID SEOS approach to biometrics is that the fingerprint is encrypted and stored in the card. The scanner matches the user's fingerprint to the stored print on the card rather than sending information back and forth to a database.

We do not currently use this technology, but I have been looking into it for areas needing an additional layer of security.

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny

Suprema has posted an announcement on their home page, copied below:

There is nothing new versus what we have reported. If or when Suprema shares more details or plans about preventing further issues in the future, we will update.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Great post IPVM - I love it how you guys jump on these topical things, analyse them so quickly!! Keep up the good work :)

On a separate note, when these sort of things happen, what do companies who install these products do for their customers?

Do you proactively reach out to all clients using the affected technology or just react to the Clients who query it?

Would be good to get an idea around best practice as we are conscious not to scaremonger but also want to be on the "front-foot" and show that we care and are aware of the situation.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Thank you for unwinding the media stream. I believe the term of art is a "data spill". "Bio Mass Leak" sounds like the great molasses flood of 1919 Great Molasses Flood - Wikipedia.

Agree
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 7,203 reports and 959 tests and is only available to subscribers. To get a one-time preview of our work, enter your work email to access the full article.

Already a subscriber? Login here | Join now
Loading Related Reports