Suprema Biometric Mass Leak Examined

By: John Honovich and Brian Rhodes, Published on Aug 19, 2019

While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past week from Tom's Hardware to Business Insider and even the BBC.

free image3 2

But what happened? Inside this report, we:

  • Explain what was leaked and how it was leaked
  • Contrast which Suprema users are impacted and which are not
  • Examine a key false claim Suprema made about their cloud service
  • Explore the two fundamental issues - exposed buckets and logging - that led to this leak
  • Clarify claims made in media reports about the leak
  • Examine the risk to the fingerprint records 'stolen'
  • Consider the potential GDPR risks and fines involved
  • Review Suprema's size, revenue, market capitalization, and stock price drop

***** ******* ** ****** discussed **** ****** *** physical ******** ******, *** South ****** ********** ************ made ****** **** **** past ******** ***'* ********** ******** ************** *** ***.

free image3 2

*** **** ********? ****** this ******, **:

  • ******* **** *** ****** and *** ** *** leaked
  • ******** ***** ******* ***** are ******** *** ***** are ***
  • ******* * *** ***** claim ******* **** ***** their ***** *******
  • ******* *** *** *********** issues - ******* ******* and ******* - **** led ** **** ****
  • ******* ****** **** ** media ******* ***** *** leak
  • ******* *** **** ** the *********** ******* '******'
  • ******** *** ********* **** risks *** ***** ********
  • ****** *******'* ****, *******, market **************, *** ***** price ****

[***************]

Researcher ****** - *********

***** ***** *** ****** of ***** ******* *********** running *** **** *****, the ********** *** ******** source ** *************: ******: **** ****** in ********* ******** ******** Affecting ******** ** *****. *** ****** ********** **-****** ***** ***************** *** ******:

Executive *******

******* ***** ******** *** company's ******** ***** ******* are ******** ** ******* had ** ******* ***** data ***** (*** '*******') storing **** ** **** actions ** ***** **** including **** ******** ***********, passwords, *** *********** *********.

**** *** *** **** secured / ***** ********* to **** *** *********** and *** *******.

** ** *** ***** if ****** **** *** accessed ***** ******* ****** they ********* ***** ** as **** **** ******** accessible *** ****** ******** the *** ******* *** such ********, ** ***** researchers ****.

Impacted ***** *** ***

**** ******* ***** *** likely *** ******** ** this ** *** ***** service ** ******** ** default ** ******** ***, in *** **********, ***** a **** ****** ************* to ***. ******* **** noted ******* *, ********** Middleware *********** *** ****** SDK ******* *** ***** integrations *** *** ********.

False ***** **** *******

******* ******* *******,** ***** **** ***** FAQ, **** **** *** not ***** ********'* ****:

**** **** ** ****** in **** ***** ****** and *** ***** ******************* *** ** ****** your ***** ****** **** an ******** *******. [******** added]

***** ** * ********* of *******'* ***** ***********:

Exposed ******* *** ****

*** *******, ** **** leak *****, ** **** Suprema*** ************* ****. ***** **** may *** **** ****** permanently '******' ** ***** 'server', **** **** ******* activities ** ***** ***** service. ***** *** ******* uses *** *******, *.*., in *************** *** ******* or ***** ** *** service, ** ******* ****** is ******.

*** *** ******** **** that *******:

  • ******* *** **** ****** without **********, **** **** if ******, **** *** researchers, ******* *** *** right ** ******* / port / ***, **** could ****** *******'* ***** logs.
  • ****** **** ** ***** text ** ****** **** passwords ***** ** **** directly (*.*., ******** ** abc1234, ***.).

**** *** ************* **** bad. ***** ** ** justification *** ***** ** and *** ***** ** this *** **** *****. Earlier **** ****, ** industry ******* ** * leaked ****** ***** ******** ******* *** provider ****, ****** **** ******** leaked *** ***** ********, not **** *** ****. And ** ****** *****, both****** *** ******* ********* they ****** ********* ** plain ****.

**** ***** *** ******* case ** *********** ** that **** *** **** - ******* ******* **** plain **** **** ** sensitive ***********.

** *** *********************** ** ***** *****, ****** ******* *** URL, **** **** **** to **** *** **** online, ** *** ********* below *****:

**** ** ********* **** of ***** *********, **** were **** ** *** extensive ******* ***** *******'* customers, *.*., ***** *** 'powerworldgym' * ****** ** a *********** ****:

********, **** **** **** to **** *** ******** and ********* ** ***** logging **, ** *** excerpt (********) ***** *****:

Clarify ***** ** *********** ****** ** *****

**** ** *** ***** claims **** **** *******, e.g.:

  • "**.* ******* *******" **** involved *** ***** *** log *******, *** ****** people, *** ***** *** likely **** *** ******* per ****** ****. **** is *** ** ********** the ******* *** *** top **** **.* ****** can ** ************.
  • *** '** ************ ******' impact ** *******, ** best. ***** **** *****, such ******* ******** ******* *** ** Metropolitan ******, *** *********** did *** *** ****. They ************ ** ************ ****** as * ******** ** Suprema*** ** *** **** of ******** ********* ********, they *** *** ******* the ** ************ ******.
  • ******: *** ********* **** conflates * ******* / NEDAP *********** **** *** implication **** *** ** Metropolitan ****** ** ******** (because *** ** ***** Police *** *****). **** is ****** **********. ***** AEOS ** *** ********* to *******'* ***** *** NEDAP ************** ***** *** ************ to ******* / ***********.
  • *********'* ***** **** "*** platform *** **** *.* million ********* *************, *** all ** ***** ***** be ********** ** **** leak" ** ******* **** overstated. ******* **** ***** that ****** ** ************* but, ** ********, **** do *** *** *** optional ***** *******.
  • **************'* **** ************** ** "****** ******’* actual ************", **** *** to ** ** ******* metaphor, ** ****. ** followed ** **** *** of *** *********** *** said **** **** *** fingerprint *********, *** ****** of ************, ****** ** the **** (*+ ******* 'fingerprint *******').
  • '*********': ****, ********* ****** "hackers *** ****** *** fingerprints ** ******** ******** to ***** *** *** hijack * **** *******", however, ********* **** ********* accessing *** **** *** the ****** ******* ***** the *********** ******* *** stored, ** **** ***** be **** ** ****** the *********** ******* ** the **** *** **** would *** ****** ** account ***** ***** *** matched ******* *** ****** servers ** * ****'* site.

'Stolen' *********** ******* ******* ****** ***

********* ********* ** ******* that ******* *** ******* fingerprint ********* ** ***** logs, **** **** ****** some ****, ****** ** is ******* *** ***********. vpnMentor **** **** *** fingerprint ******* **** *** hashed, ***** ** ******* a ******* (**** *** passwords **** ********). *******, we *** *** **** how **** / ****** those *********** ********* ***** be ** ******** / spoofing ********** ************.

** *******, ************'* ****** sensors *** ******** ****** that ********* ********* **** one ****** ** **** in *******. ****, *********** templates ** *** ****** contain ****** ******* ** 'reverse ********' * *********** applicable '*****' ***********.

*********** ******* **** ********** prints ** * ***** number ** ********* ('******') and **** ***** *** characteristics ** ***** ********** sampled ****** ** ********* to ******* ********** ****** scans. '*********** *******' ** identity ************* *** **** when ********** **** **** points ***** ** **** templates, *** *** ********* do *** ******* '***** print' *******.

*******'* ******** ********** ******************* *** ************** ** template **** ******** ** full ***** ******:

*** ***********, ***** ******* and ***** ********* ************* use, ** ****** '********** ********' ********, ***** **** ****** points ******** *** ******* certainty ** * *****, but ******* **** **** to *******. *** ****** of ****** ** ***** reduced ** ******** **** speed, *** ** *** risk ** ********** ***** acceptance ** ***** ****** rates.

** *** '*************' ******* above, **** *** *********** template '**************' ******* ** '40', ***** ** **** lower ***********'* ************** ** ** as * *******, '******* **** *********** quality *** ****** ******** performance'.

** *********** *** ************** of *********** **** ** templates, ******** **** '*** quality' ******** **** ***** be ****, *** **** of *********** ****-****** ****** to ***** **** ****** identities ** ****** * low ****.

***** ********* ****** "**** fingerprint ***’* ** *******" and **** ** **** abstractly, *** ******* ** recording ************ *** ******** does **** *** ** likely ** ** **** useful **** **** *****.

GDPR ********

***** ** ********** **** concerns **** ** ******* EU ************* *** ******* (e.g.,******* ******** ** #* ** EMEA). ************ ** ****, usernames, ** **** ** biometric ****, *** ****** and ******. ********** ** an **** ** ******* concern ** *** **** and ** ** ******* if ******* **** ********* or ******** ********** ** store **** ****, ** Suprema's ****** *****, ** we ****** *****, *** that **** *** *** store ******** ** *** cloud.

** *** ***** ****, one ******** ******* ***** argue *** **** ***** this *** ***** ** white *** *******, **** the ****** ****** *** be ***, ****** **** depends ** *** ********* to ****** ********** ** black *** ******* *** their ***** *** ******* downloaded *** ** *******'* records.

Financials ********

**** *** *** ******* size ********* ** *** access ******* ******, ******* is *** * ***** company, ********** ~$** ******* 2018 ******* **** ****** growth **** *** **** few *****:

*** **** ******* ******* of ***** ********** ** their **** ****** **%+ net ****** *******.

*******, *** *******'* ********* has ******* ~**% ***** the **** *** **** public, ** *** ***** below *****:

Outlook **********

****** ******* ***** *** understandably ********* ********* ** use *** ***** ** vulnerabilities *** ***** ****** facilities *** ********* ** risk.

**** *** ** *** biggest ********* ********* ******** from **** ***** *************** will ***** **** ** reconsider *** *** ** the ***** ** ***** access ******* *** ***** be ** ***** *** Suprema *** ***** ** come.

Comments (8)

John Honovich

IPVM | 08/19/19 02:11pm

******* ***** *****************, **** time **** ********* ** partner*** ***************:

** ******, *** '*** of *** ****' *** there, **** **** *** those ***** **** ***** connect *******. ** ** questionable *** ****, ** any, ** ********** ******** including ***** ****'* *** is ***** **** ***** feature.

** *** ***** ****, this ** *** ** discount *** ******** ** the ******** *** ************** Suprema *** ****, **** that **** ** ***** claims *** ****** *** exaggerated.

Undisclosed #1

08/19/19 03:57pm

** ******** ** **** one ** *** *********** who **** **** **** was *********** *********, *** photos ** ************, ****** in *** **** (*+ million '*********** *******').

****** **** ** *** details ** **** ******** appear ** ** ******** vague, **** ********** *** I ** *** * fan ** ********* **** like **** ***** ** fingerprints ***** **** ** passwords ** ****** *********** of *** ****.

***** ** **** *** sure **** *** ********* are ******* **** **** using **** ****** *-*** encryption * ***'* **** comfortable ****** **** *********** that **** *********** * cannot ****** ** ******.

********* *** **** *** be *****. *** ******* can ** ******** ** replaced. **** *** *********** data ** ********* ********* though, *** ** * society ** **** ******* shown **** **'** *** ready ** ******** ***** and ****** **** **** of ****.

*** *** **** *** same ******** *** ****-***, however **** **** ** large ****** ** ** captured ** *** ****** camera ***** ****, ** that **** *** ******.

Randy Lines

08/19/19 04:47pm

* *** *** ***** but *** ***** ***** fingerprints ** **** **** are *********** **** **** un-encrypted, ***-******* ********* **** users ***** ** ****** of ******** ****** (****** cups, ****, ***********) ***** day. *********** ** ****** be ******* ***** *** security ** *** "***** of ****" ********** ****** because ** ****, *********** password ** ...... *******.

**** ** *****, * am ******* ******* ** the *** **** ********* are ***** ********* ********** to **** ******** * good ******** ******** ... this "*****, ** **** do ****** ... **** is * ***** ** free ****** **********" **** not ***** *********.

** ******** ** **, I ******** **** *** a ****** ** *********** ahead ** ******** ******** technology ... ****** ******* they **** ** *********** hammer ** ******* *** over *** ***** *********** attacking ****.

**** * ***** *** :)

***

John Honovich

IPVM | 08/19/19 05:29pm

******:

*** ********* **** ********* a ******* / ***** integration **** *** *********** that *** ** ************ police ** ******** (******* the ** ***** ****** use *****). **** ** highly **********. ***** **** is *** ********* ** Suprema's ***** *** ***** actually****** ***** *** ************ to ******* / ***********.

** **** ***** ** that ********* **** *** understand *** **** ************ work *** ***** ** conclusions (***** * ***'* think **** **** *** it ** **** *** those *** ******** **** a ******** ***** ** draw * ***** **********). It ********* **** ***** post **** ******** *** also **** ******** *** unfairly ***** ** *******.

Avatar

Scott Fischer

Lorica Consulting LLC | IPVMU Certified | 08/20/19 12:44pm

**** ***'* ******** ** using **** **** ***********-******** on-the-card ********* **** ****? My ************* ** *** HID **** ******** ** biometrics ** **** *** fingerprint ** ********* *** stored ** *** ****. The ******* ******* *** user's *********** ** *** stored ***** ** *** card ****** **** ******* information **** *** ***** to * ********.

** ** *** ********* use **** **********, *** I **** **** ******* into ** *** ***** needing ** ********** ***** of ********.

John Honovich

IPVM | 08/20/19 12:53pm

******* *** ****** ** announcement ** ***** **** page, ****** *****:

***** ** ******* *** versus **** ** **** reported. ** ** **** Suprema ****** **** ******* or ***** ***** ********** further ****** ** *** future, ** **** ******.

Jason Choy

08/22/19 07:14am

***** **** **** - I **** ** *** you **** **** ** these ******* ******, ******* them ** *******!! **** up *** **** **** :)

** * ******** ****, when ***** **** ** things ******, **** ** companies *** ******* ***** products ** *** ***** customers?

** *** *********** ***** out ** *** ******* using *** ******** ********** or **** ***** ** the ******* *** ***** it?

***** ** **** ** get ** **** ****** best ******** ** ** are ********* *** ** scaremonger *** **** **** to ** ** *** "front-foot" *** **** **** we **** *** *** aware ** *** *********.

Rodney Thayer

Smithee Solutions LLC | 08/23/19 03:29pm

***** *** *** ********* the ***** ******. * believe *** **** ** art ** * "**** spill". "*** **** ****" sounds **** *** ***** molasses ***** ** ********* ******** ***** - Wikipedia.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Fingerprints for Access Control Guide on Sep 09, 2019
Users can lose badges, but they never misplace a finger, right? The most common biometric used in access are fingerprints, and it has become one...
Mobotix First CNPP CCTV Cybersecurity Certification Examined on Sep 05, 2019
Mobotix recently became the first video surveillance manufacturer to receive the CNPP cybsersecurity certification for its cameras, in which they...
Assa Acquires LifeSafety Power on Sep 04, 2019
Assa Abloy is acquiring LifeSafety Power, adding to their growing collection of access control brands like Mercury, August, Pioneer Doors, and...
Mobile Access Control Guide on Aug 28, 2019
One of the biggest trends in access for the last few years has been the marriage of mobile phones and access cards. But how does this...
UK Facewatch GDPR Compliance Questioned on Aug 27, 2019
Even as the GDPR strictly regulates biometrics, a UK company called Facewatch is selling anti-shoplifter facial recognition systems to hundreds of...
First GDPR Facial Recognition Fine For Sweden School on Aug 22, 2019
A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is...
Anyvision Facial Recognition Tested on Aug 21, 2019
Anyvision is aiming for $1 billion in revenue by 2022, backed by $74 million in funding. But does their performance live up to the hype they have...
ZK Teco Atlas Access Control Tested on Aug 20, 2019
Who needs access specialists? China-based ZKTeco claims its newest access panel 'makes it very easy for anyone to learn and install access control...
Biometrics Usage Statistics 2019 on Aug 13, 2019
Biometrics are commonly used in phones, but how frequently are they used for access? 150+ integrators told us how often they use biometrics,...

Most Recent Industry Reports

How Cobalt Robotics May Disrupt Security on Sep 13, 2019
While security robots have largely become a joke over the last few years, one organization, Cobalt Robotics, has raised $50+ million from top US...
Panasonic 4K Camera Tested (WV-S2570L) on Sep 13, 2019
Panasonic has released their latest generation 4K dome, the WV-S2570L, claiming "Extreme image quality allows evidence to be captured even under...
ASIS GSX 2019 Show Report Final on Sep 12, 2019
IPVM went to Chicago for ASIS GSX 2019, with many exhibitors disappointed about traffic and the exhibitor schedule changing next year. Inside we...
Installation Course - Last Chance - Register Now on Sep 12, 2019
Last Chance - Register Now - September 2019 Video Surveillance Install Course. Thursday, September 12th is your last chance to register for the...
Commend ID5 Intercom Tested on Sep 12, 2019
Commend touts the new ID5 intercom as 'timelessly elegant' and the slim body, glass front touchscreen indeed looks better than common, but ugly,...
US State Department: "Chinese Tech Giants" "Tools of the Chinese Communist Party" on Sep 12, 2019
The US State Department has called out "Chinese tech giants" for being "tools of the Chinese Communist Party" in a blunt new speech that makes...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Yi Home Camera 3 AI Analytics Tested on Sep 10, 2019
Yi Technology is claiming "new AI features" in its $50 Home Camera 3 "eliminates 'false positives' caused by flying insects, small pets, or light...
Hanwha Announces 32MP Camera + AI Line on Sep 10, 2019
In the first rise in maximum megapixel resolution in 5 years, Hanwha has announced a 32MP / 8K camera directly competing with Avigilon's H4 30MP /...
Fingerprints for Access Control Guide on Sep 09, 2019
Users can lose badges, but they never misplace a finger, right? The most common biometric used in access are fingerprints, and it has become one...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact