Suprema Biometric Mass Leak Examined

By: John Honovich and Brian Rhodes, Published on Aug 19, 2019

While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past week from Tom's Hardware to Business Insider and even the BBC.

free image3 2

But what happened? Inside this report, we:

  • Explain what was leaked and how it was leaked
  • Contrast which Suprema users are impacted and which are not
  • Examine a key false claim Suprema made about their cloud service
  • Explore the two fundamental issues - exposed buckets and logging - that led to this leak
  • Clarify claims made in media reports about the leak
  • Examine the risk to the fingerprint records 'stolen'
  • Consider the potential GDPR risks and fines involved
  • Review Suprema's size, revenue, market capitalization, and stock price drop

***** ******* ** ****** discussed **** ****** *** physical ******** ******, *** South ****** ********** ************ made ****** **** **** past ******** ***'* ********** ******** ************** *** ***.

free image3 2

*** **** ********? ****** this ******, **:

  • ******* **** *** ****** and *** ** *** leaked
  • ******** ***** ******* ***** are ******** *** ***** are ***
  • ******* * *** ***** claim ******* **** ***** their ***** *******
  • ******* *** *** *********** issues - ******* ******* and ******* - **** led ** **** ****
  • ******* ****** **** ** media ******* ***** *** leak
  • ******* *** **** ** the *********** ******* '******'
  • ******** *** ********* **** risks *** ***** ********
  • ****** *******'* ****, *******, market **************, *** ***** price ****

[***************]

Researcher ****** - *********

***** ***** *** ****** of ***** ******* *********** running *** **** *****, the ********** *** ******** source ** *************: ******: **** ****** in ********* ******** ******** Affecting ******** ** *****. *** ****** ********** **-****** ***** ***************** *** ******:

Executive *******

******* ***** ******** *** company's ******** ***** ******* are ******** ** ******* had ** ******* ***** data ***** (*** '*******') storing **** ** **** actions ** ***** **** including **** ******** ***********, passwords, *** *********** *********.

**** *** *** **** secured / ***** ********* to **** *** *********** and *** *******.

** ** *** ***** if ****** **** *** accessed ***** ******* ****** they ********* ***** ** as **** **** ******** accessible *** ****** ******** the *** ******* *** such ********, ** ***** researchers ****.

Impacted ***** *** ***

**** ******* ***** *** likely *** ******** ** this ** *** ***** service ** ******** ** default ** ******** ***, in *** **********, ***** a **** ****** ************* to ***. ******* **** noted ******* *, ********** Middleware *********** *** ****** SDK ******* *** ***** integrations *** *** ********.

False ***** **** *******

******* ******* *******,** ***** **** ***** FAQ, **** **** *** not ***** ********'* ****:

**** **** ** ****** in **** ***** ****** and *** ***** ******************* *** ** ****** your ***** ****** **** an ******** *******. [******** added]

***** ** * ********* of *******'* ***** ***********:

Exposed ******* *** ****

*** *******, ** **** leak *****, ** **** Suprema*** ************* ****. ***** **** may *** **** ****** permanently '******' ** ***** 'server', **** **** ******* activities ** ***** ***** service. ***** *** ******* uses *** *******, *.*., in *************** *** ******* or ***** ** *** service, ** ******* ****** is ******.

*** *** ******** **** that *******:

  • ******* *** **** ****** without **********, **** **** if ******, **** *** researchers, ******* *** *** right ** ******* / port / ***, **** could ****** *******'* ***** logs.
  • ****** **** ** ***** text ** ****** **** passwords ***** ** **** directly (*.*., ******** ** abc1234, ***.).

**** *** ************* **** bad. ***** ** ** justification *** ***** ** and *** ***** ** this *** **** *****. Earlier **** ****, ** industry ******* ** * leaked ****** ***** ******** ******* *** provider ****, ****** **** ******** leaked *** ***** ********, not **** *** ****. And ** ****** *****, both****** *** ******* ********* they ****** ********* ** plain ****.

**** ***** *** ******* case ** *********** ** that **** *** **** - ******* ******* **** plain **** **** ** sensitive ***********.

** *** *********************** ** ***** *****, ****** ******* *** URL, **** **** **** to **** *** **** online, ** *** ********* below *****:

**** ** ********* **** of ***** *********, **** were **** ** *** extensive ******* ***** *******'* customers, *.*., ***** *** 'powerworldgym' * ****** ** a *********** ****:

********, **** **** **** to **** *** ******** and ********* ** ***** logging **, ** *** excerpt (********) ***** *****:

Clarify ***** ** *********** ****** ** *****

**** ** *** ***** claims **** **** *******, e.g.:

  • "**.* ******* *******" **** involved *** ***** *** log *******, *** ****** people, *** ***** *** likely **** *** ******* per ****** ****. **** is *** ** ********** the ******* *** *** top **** **.* ****** can ** ************.
  • *** '** ************ ******' impact ** *******, ** best. ***** **** *****, such ******* ******** ******* *** ** Metropolitan ******, *** *********** did *** *** ****. They ************ ** ************ ****** as * ******** ** Suprema*** ** *** **** of ******** ********* ********, they *** *** ******* the ** ************ ******.
  • ******: *** ********* **** conflates * ******* / NEDAP *********** **** *** implication **** *** ** Metropolitan ****** ** ******** (because *** ** ***** Police *** *****). **** is ****** **********. ***** AEOS ** *** ********* to *******'* ***** *** NEDAP ************** ***** *** ************ to ******* / ***********.
  • *********'* ***** **** "*** platform *** **** *.* million ********* *************, *** all ** ***** ***** be ********** ** **** leak" ** ******* **** overstated. ******* **** ***** that ****** ** ************* but, ** ********, **** do *** *** *** optional ***** *******.
  • **************'* **** ************** ** "****** ******’* actual ************", **** *** to ** ** ******* metaphor, ** ****. ** followed ** **** *** of *** *********** *** said **** **** *** fingerprint *********, *** ****** of ************, ****** ** the **** (*+ ******* 'fingerprint *******').
  • '*********': ****, ********* ****** "hackers *** ****** *** fingerprints ** ******** ******** to ***** *** *** hijack * **** *******", however, ********* **** ********* accessing *** **** *** the ****** ******* ***** the *********** ******* *** stored, ** **** ***** be **** ** ****** the *********** ******* ** the **** *** **** would *** ****** ** account ***** ***** *** matched ******* *** ****** servers ** * ****'* site.

'Stolen' *********** ******* ******* ****** ***

********* ********* ** ******* that ******* *** ******* fingerprint ********* ** ***** logs, **** **** ****** some ****, ****** ** is ******* *** ***********. vpnMentor **** **** *** fingerprint ******* **** *** hashed, ***** ** ******* a ******* (**** *** passwords **** ********). *******, we *** *** **** how **** / ****** those *********** ********* ***** be ** ******** / spoofing ********** ************.

** *******, ************'* ****** sensors *** ******** ****** that ********* ********* **** one ****** ** **** in *******. ****, *********** templates ** *** ****** contain ****** ******* ** 'reverse ********' * *********** applicable '*****' ***********.

*********** ******* **** ********** prints ** * ***** number ** ********* ('******') and **** ***** *** characteristics ** ***** ********** sampled ****** ** ********* to ******* ********** ****** scans. '*********** *******' ** identity ************* *** **** when ********** **** **** points ***** ** **** templates, *** *** ********* do *** ******* '***** print' *******.

*******'* ******** ********** ******************* *** ************** ** template **** ******** ** full ***** ******:

*** ***********, ***** ******* and ***** ********* ************* use, ** ****** '********** ********' ********, ***** **** ****** points ******** *** ******* certainty ** * *****, but ******* **** **** to *******. *** ****** of ****** ** ***** reduced ** ******** **** speed, *** ** *** risk ** ********** ***** acceptance ** ***** ****** rates.

** *** '*************' ******* above, **** *** *********** template '**************' ******* ** '40', ***** ** **** lower ***********'* ************** ** ** as * *******, '******* **** *********** quality *** ****** ******** performance'.

** *********** *** ************** of *********** **** ** templates, ******** **** '*** quality' ******** **** ***** be ****, *** **** of *********** ****-****** ****** to ***** **** ****** identities ** ****** * low ****.

***** ********* ****** "**** fingerprint ***’* ** *******" and **** ** **** abstractly, *** ******* ** recording ************ *** ******** does **** *** ** likely ** ** **** useful **** **** *****.

GDPR ********

***** ** ********** **** concerns **** ** ******* EU ************* *** ******* (e.g.,******* ******** ** #* ** EMEA). ************ ** ****, usernames, ** **** ** biometric ****, *** ****** and ******. ********** ** an **** ** ******* concern ** *** **** and ** ** ******* if ******* **** ********* or ******** ********** ** store **** ****, ** Suprema's ****** *****, ** we ****** *****, *** that **** *** *** store ******** ** *** cloud.

** *** ***** ****, one ******** ******* ***** argue *** **** ***** this *** ***** ** white *** *******, **** the ****** ****** *** be ***, ****** **** depends ** *** ********* to ****** ********** ** black *** ******* *** their ***** *** ******* downloaded *** ** *******'* records.

Financials ********

**** *** *** ******* size ********* ** *** access ******* ******, ******* is *** * ***** company, ********** ~$** ******* 2018 ******* **** ****** growth **** *** **** few *****:

*** **** ******* ******* of ***** ********** ** their **** ****** **%+ net ****** *******.

*******, *** *******'* ********* has ******* ~**% ***** the **** *** **** public, ** *** ***** below *****:

Outlook **********

****** ******* ***** *** understandably ********* ********* ** use *** ***** ** vulnerabilities *** ***** ****** facilities *** ********* ** risk.

**** *** ** *** biggest ********* ********* ******** from **** ***** *************** will ***** **** ** reconsider *** *** ** the ***** ** ***** access ******* *** ***** be ** ***** *** Suprema *** ***** ** come.

Comments (8)

John Honovich

IPVM | 08/19/19 02:11pm

******* ***** *****************, **** time **** ********* ** partner*** ***************:

** ******, *** '*** of *** ****' *** there, **** **** *** those ***** **** ***** connect *******. ** ** questionable *** ****, ** any, ** ********** ******** including ***** ****'* *** is ***** **** ***** feature.

** *** ***** ****, this ** *** ** discount *** ******** ** the ******** *** ************** Suprema *** ****, **** that **** ** ***** claims *** ****** *** exaggerated.

Undisclosed #1

08/19/19 03:57pm

** ******** ** **** one ** *** *********** who **** **** **** was *********** *********, *** photos ** ************, ****** in *** **** (*+ million '*********** *******').

****** **** ** *** details ** **** ******** appear ** ** ******** vague, **** ********** *** I ** *** * fan ** ********* **** like **** ***** ** fingerprints ***** **** ** passwords ** ****** *********** of *** ****.

***** ** **** *** sure **** *** ********* are ******* **** **** using **** ****** *-*** encryption * ***'* **** comfortable ****** **** *********** that **** *********** * cannot ****** ** ******.

********* *** **** *** be *****. *** ******* can ** ******** ** replaced. **** *** *********** data ** ********* ********* though, *** ** * society ** **** ******* shown **** **'** *** ready ** ******** ***** and ****** **** **** of ****.

*** *** **** *** same ******** *** ****-***, however **** **** ** large ****** ** ** captured ** *** ****** camera ***** ****, ** that **** *** ******.

Randy Lines

08/19/19 04:47pm

* *** *** ***** but *** ***** ***** fingerprints ** **** **** are *********** **** **** un-encrypted, ***-******* ********* **** users ***** ** ****** of ******** ****** (****** cups, ****, ***********) ***** day. *********** ** ****** be ******* ***** *** security ** *** "***** of ****" ********** ****** because ** ****, *********** password ** ...... *******.

**** ** *****, * am ******* ******* ** the *** **** ********* are ***** ********* ********** to **** ******** * good ******** ******** ... this "*****, ** **** do ****** ... **** is * ***** ** free ****** **********" **** not ***** *********.

** ******** ** **, I ******** **** *** a ****** ** *********** ahead ** ******** ******** technology ... ****** ******* they **** ** *********** hammer ** ******* *** over *** ***** *********** attacking ****.

**** * ***** *** :)

***

John Honovich

IPVM | 08/19/19 05:29pm

******:

*** ********* **** ********* a ******* / ***** integration **** *** *********** that *** ** ************ police ** ******** (******* the ** ***** ****** use *****). **** ** highly **********. ***** **** is *** ********* ** Suprema's ***** *** ***** actually****** ***** *** ************ to ******* / ***********.

** **** ***** ** that ********* **** *** understand *** **** ************ work *** ***** ** conclusions (***** * ***'* think **** **** *** it ** **** *** those *** ******** **** a ******** ***** ** draw * ***** **********). It ********* **** ***** post **** ******** *** also **** ******** *** unfairly ***** ** *******.

Avatar

Scott Fischer

Lorica Consulting LLC | IPVMU Certified | 08/20/19 12:44pm

**** ***'* ******** ** using **** **** ***********-******** on-the-card ********* **** ****? My ************* ** *** HID **** ******** ** biometrics ** **** *** fingerprint ** ********* *** stored ** *** ****. The ******* ******* *** user's *********** ** *** stored ***** ** *** card ****** **** ******* information **** *** ***** to * ********.

** ** *** ********* use **** **********, *** I **** **** ******* into ** *** ***** needing ** ********** ***** of ********.

John Honovich

IPVM | 08/20/19 12:53pm

******* *** ****** ** announcement ** ***** **** page, ****** *****:

***** ** ******* *** versus **** ** **** reported. ** ** **** Suprema ****** **** ******* or ***** ***** ********** further ****** ** *** future, ** **** ******.

Jason Choy

08/22/19 07:14am

***** **** **** - I **** ** *** you **** **** ** these ******* ******, ******* them ** *******!! **** up *** **** **** :)

** * ******** ****, when ***** **** ** things ******, **** ** companies *** ******* ***** products ** *** ***** customers?

** *** *********** ***** out ** *** ******* using *** ******** ********** or **** ***** ** the ******* *** ***** it?

***** ** **** ** get ** **** ****** best ******** ** ** are ********* *** ** scaremonger *** **** **** to ** ** *** "front-foot" *** **** **** we **** *** *** aware ** *** *********.

Rodney Thayer

Smithee Solutions LLC | 08/23/19 03:29pm

***** *** *** ********* the ***** ******. * believe *** **** ** art ** * "**** spill". "*** **** ****" sounds **** *** ***** molasses ***** ** ********* ******** ***** - Wikipedia.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Hikvision Global News Reports Directory on Nov 11, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
The Access Control Codes Guide: IBC, NFPA 72, 80 & 101 on Nov 07, 2019
For access, there is one basic maxim: Life safety above all else. But how do you know if all applicable codes are being followed? While the...
90+ Companies Profile Directory on Nov 05, 2019
While IPVM covers the largest companies in the industry regularly (like Axis, Dahua, Hikvision, etc.), IPVM strives to do a profile post on each...
Tailgating: Access Control Tutorial on Oct 31, 2019
Nearly all access control systems are vulnerable to an easy exploit called 'tailgating'. Indeed, a friendly gesture in holding doors for others...
France Declares School Facial Recognition Illegal Due to GDPR on Oct 31, 2019
France is the latest European country to effectively prohibit facial recognition as a school access control solution, even with the consent of...
Milestone XProtect 2019 R3 Tested on Oct 30, 2019
Milestone has had problems over the last few years releasing significant new software. Now, in XProtect 2019 R3, Milestone is touting "one search...
Dahua Co-Founder Says Human Rights Sanctions Shows Strong Dahua Technology on Oct 29, 2019
Despite Dahua doing nearly a billion dollars of projects in Xinjiang, including building and operating police stations, Dahua not only denies 'any...
Lock Status Monitoring Tutorial on Oct 28, 2019
Just because access doors are closed does not mean they are locked. Unless access systems are using lock status monitoring, the doors and areas...
Security Canada Central Show Report 2019 on Oct 24, 2019
IPVM attended Security Canada Central in Toronto to see what is new in the Canadian market. Inside, we share videos and dozens of images...
Covert Elevator Face Recognition on Oct 24, 2019
Covert elevator facial recognition has the potential to solve the cost and complexity of elevator surveillance while engendering immense privacy...

Most Recent Industry Reports

ADT Stock Surges - "Leading The Commercial Space" on Nov 15, 2019
Don't call it comeback... but maybe call it a commercial provider. ADT, whose stock dropped by as much as 2/3rds since IPOing in 2018, has now...
Gatekeeper Security Company Profile - Detecting Faces Inside Vehicles on Nov 14, 2019
Border security is a common discussion in mainstream US news and politics, as is the use of banned Chinese equipment by US Government agencies....
Hikvision CEO And Vice-Chair Under PRC Government Investigation on Nov 14, 2019
In a surprising and globally covered move, Hikvision CEO Hu Yangzhong and Vice-Chairman Gong Hongjia are being investigated by China's securities...
Camera Field of View (FoV) Guide on Nov 13, 2019
Field of View (FoV) and Angle of View (AoV), are deceptively complex. At their most basic, they simply describe what the camera can "see" and seem...
UK Big Brother Watch: Hikvision Is 'Morally Bankrupt' on Nov 13, 2019
UK civil liberties advocate Big Brother Watch has condemned Hikvision as being 'morally bankrupt' following IPVM exposing Hikvision marketing...
Color Low Light Mega Camera Shootout - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Panasonic, Speco, Sony, Vivotek on Nov 12, 2019
This is the biggest color low light shootout ever, testing 20+ super low light models from 10 manufacturers: Increasingly, each manufacturer...
Wireless / WiFi Access Lock Guide on Nov 12, 2019
For some access openings, running wires can add thousands in cost, and wireless alternatives that avoid it becomes appealing. But using wireless...
Hikvision Global News Reports Directory on Nov 11, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Hikvision Markets Uyghur Ethnicity Analytics, Now Covers Up on Nov 11, 2019
Hikvision has marketed an AI camera that automatically identifies Uyghurs, on its China website, only covering it up days ago after IPVM questioned...
Open vs End-to-End Systems: Integrator Statistics 2019 on Nov 11, 2019
Preference for open systems is on the decline, according to new IPVM statistics. We asked integrators: For video surveillance systems, do you...

What IPVM Is

The world's leading authority on video surveillance, with 200,000+ visits monthly.

  • Articles on cameras, video analytics, VMS, and trends
  • Tests showing actual performance and problems
  • Courses in surveillance, access control, etc
  • Camera Calculator for designing systems

Dedicated To Independence

We're dedicated to staying independent and objective. We're the only industry source to refuse any and all advertisements, sponsorship, and consulting from manufacturers. Why?