Suprema Biometric Mass Leak Examined

Researcher ****** - *********

***** ***** *** ****** of ***** ******* *********** running *** **** *****, the ********** *** ******** source ** *************: ******: **** ****** in ********* ******** ******** Affecting ******** ** *****. *** ****** ********** **-****** ***** ***************** *** ******:

Executive *******

******* ***** ******** *** company's ******** ***** ******* are ******** ** ******* had ** ******* ***** data ***** (*** '*******') storing **** ** **** actions ** ***** **** including **** ******** ***********, passwords, *** *********** *********.

**** *** *** **** secured / ***** ********* to **** *** *********** and *** *******.

** ** *** ***** if ****** **** *** accessed ***** ******* ****** they ********* ***** ** as **** **** ******** accessible *** ****** ******** the *** ******* *** such ********, ** ***** researchers ****.

Impacted ***** *** ***

**** ******* ***** *** likely *** ******** ** this ** *** ***** service ** ******** ** default ** ******** ***, in *** **********, ***** a **** ****** ************* to ***. ******* **** noted ******* *, ********** Middleware *********** *** ****** SDK ******* *** ***** integrations *** *** ********.

False ***** **** *******

******* ******* *******,** ***** **** ***** FAQ, **** **** *** not ***** ********'* ****:

**** **** ** ****** in **** ***** ****** and *** ***** ******************* *** ** ****** your ***** ****** **** an ******** *******. [******** added]

***** ** * ********* of *******'* ***** ***********:

Exposed ******* *** ****

*** *******, ** **** leak *****, ** **** Suprema*** ************* ****. ***** **** may *** **** ****** permanently '******' ** ***** 'server', **** **** ******* activities ** ***** ***** service. ***** *** ******* uses *** *******, *.*., in *************** *** ******* or ***** ** *** service, ** ******* ****** is ******.

*** *** ******** **** that *******:

• ******* *** **** ****** without **********, **** **** if ******, **** *** researchers, ******* *** *** right ** ******* / port / ***, **** could ****** *******'* ***** logs.
• ****** **** ** ***** text ** ****** **** passwords ***** ** **** directly (*.*., ******** ** abc1234, ***.).

**** *** ************* **** bad. ***** ** ** justification *** ***** ** and *** ***** ** this *** **** *****. Earlier **** ****, ** industry ******* ** * leaked ****** ***** ******** ******* *** provider ****, ****** **** ******** leaked *** ***** ********, not **** *** ****. And ** ****** *****, both****** *** ******* ********* they ****** ********* ** plain ****.

**** ***** *** ******* case ** *********** ** that **** *** **** - ******* ******* **** plain **** **** ** sensitive ***********.

** *** *********************** ** ***** *****, ****** ******* *** URL, **** **** **** to **** *** **** online, ** *** ********* below *****:

**** ** ********* **** of ***** *********, **** were **** ** *** extensive ******* ***** *******'* customers, *.*., ***** *** 'powerworldgym' * ****** ** a *********** ****:

********, **** **** **** to **** *** ******** and ********* ** ***** logging **, ** *** excerpt (********) ***** *****:

Clarify ***** ** *********** ****** ** *****

**** ** *** ***** claims **** **** *******, e.g.:

• "**.* ******* *******" **** involved *** ***** *** log *******, *** ****** people, *** ***** *** likely **** *** ******* per ****** ****. **** is *** ** ********** the ******* *** *** top **** **.* ****** can ** ************.
• *** '** ************ ******' impact ** *******, ** best. ***** **** *****, such ******* ******** ******* *** ** Metropolitan ******, *** *********** did *** *** ****. They ************ ** ************ ****** as * ******** ** Suprema*** ** *** **** of ******** ********* ********, they *** *** ******* the ** ************ ******.
• ******: *** ********* **** conflates * ******* / NEDAP *********** **** *** implication **** *** ** Metropolitan ****** ** ******** (because *** ** ***** Police *** *****). **** is ****** **********. ***** AEOS ** *** ********* to *******'* ***** *** NEDAP ************** ***** *** ************ to ******* / ***********.
• *********'* ***** **** "*** platform *** **** *.* million ********* *************, *** all ** ***** ***** be ********** ** **** leak" ** ******* **** overstated. ******* **** ***** that ****** ** ************* but, ** ********, **** do *** *** *** optional ***** *******.
• **************'* **** ************** ** "****** ******’* actual ************", **** *** to ** ** ******* metaphor, ** ****. ** followed ** **** *** of *** *********** *** said **** **** *** fingerprint *********, *** ****** of ************, ****** ** the **** (*+ ******* 'fingerprint *******').
• '*********': ****, ********* ****** "hackers *** ****** *** fingerprints ** ******** ******** to ***** *** *** hijack * **** *******", however, ********* **** ********* accessing *** **** *** the ****** ******* ***** the *********** ******* *** stored, ** **** ***** be **** ** ****** the *********** ******* ** the **** *** **** would *** ****** ** account ***** ***** *** matched ******* *** ****** servers ** * ****'* site.

'Stolen' *********** ******* ******* ****** ***

********* ********* ** ******* that ******* *** ******* fingerprint ********* ** ***** logs, **** **** ****** some ****, ****** ** is ******* *** ***********. vpnMentor **** **** *** fingerprint ******* **** *** hashed, ***** ** ******* a ******* (**** *** passwords **** ********). *******, we *** *** **** how **** / ****** those *********** ********* ***** be ** ******** / spoofing ********** ************.

** *******, ************'* ****** sensors *** ******** ****** that ********* ********* **** one ****** ** **** in *******. ****, *********** templates ** *** ****** contain ****** ******* ** 'reverse ********' * *********** applicable '*****' ***********.

*********** ******* **** ********** prints ** * ***** number ** ********* ('******') and **** ***** *** characteristics ** ***** ********** sampled ****** ** ********* to ******* ********** ****** scans. '*********** *******' ** identity ************* *** **** when ********** **** **** points ***** ** **** templates, *** *** ********* do *** ******* '***** print' *******.

*******'* ******** ********** ******************* *** ************** ** template **** ******** ** full ***** ******:

*** ***********, ***** ******* and ***** ********* ************* use, ** ****** '********** ********' ********, ***** **** ****** points ******** *** ******* certainty ** * *****, but ******* **** **** to *******. *** ****** of ****** ** ***** reduced ** ******** **** speed, *** ** *** risk ** ********** ***** acceptance ** ***** ****** rates.

** *** '*************' ******* above, **** *** *********** template '**************' ******* ** '40', ***** ** **** lower ***********'* ************** ** ** as * *******, '******* **** *********** quality *** ****** ******** performance'.

** *********** *** ************** of *********** **** ** templates, ******** **** '*** quality' ******** **** ***** be ****, *** **** of *********** ****-****** ****** to ***** **** ****** identities ** ****** * low ****.

***** ********* ****** "**** fingerprint ***’* ** *******" and **** ** **** abstractly, *** ******* ** recording ************ *** ******** does **** *** ** likely ** ** **** useful **** **** *****.

GDPR ********

***** ** ********** **** concerns **** ** ******* EU ************* *** ******* (e.g.,******* ******** ** #* ** EMEA). ************ ** ****, usernames, ** **** ** biometric ****, *** ****** and ******. ********** ** an **** ** ******* concern ** *** **** and ** ** ******* if ******* **** ********* or ******** ********** ** store **** ****, ** Suprema's ****** *****, ** we ****** *****, *** that **** *** *** store ******** ** *** cloud.

** *** ***** ****, one ******** ******* ***** argue *** **** ***** this *** ***** ** white *** *******, **** the ****** ****** *** be ***, ****** **** depends ** *** ********* to ****** ********** ** black *** ******* *** their ***** *** ******* downloaded *** ** *******'* records.

Financials ********

**** *** *** ******* size ********* ** *** access ******* ******, ******* is *** * ***** company, ********** ~$** ******* 2018 ******* **** ****** growth **** *** **** few *****:

*** **** ******* ******* of ***** ********** ** their **** ****** **%+ net ****** *******.

*******, *** *******'* ********* has ******* ~**% ***** the **** *** **** public, ** *** ***** below *****:

Outlook **********

****** ******* ***** *** understandably ********* ********* ** use *** ***** ** vulnerabilities *** ***** ****** facilities *** ********* ** risk.

**** *** ** *** biggest ********* ********* ******** from **** ***** *************** will ***** **** ** reconsider *** *** ** the ***** ** ***** access ******* *** ***** be ** ***** *** Suprema *** ***** ** come.