Anyone with a BioStar 2 access system needs to change all administrative passwords immediately and re-enroll users, and, preferably, add a physical key system for sensitive locations.
It remains to be seen how exploitable the leaked biometric data may be in the near term, but this is just a prime example of why biometrics shouldn't be used for authentication.
There's no reliable means of calling those measurements back once they're in the wild; no one is going to be able to easily reset their fingerprints and faces. Even resampling to store a different selection of identifying data points won't provide sufficient protection; smoothing and 3-D extrapolation could provide an adequate facial or fingerprint map to reconstruct any missing data.
VPNMentor's report suggests that system-wide user account information was stored in the same unencrypted, web-accessible ElasticSearch database as customer data - that's just unconscionable. Why the hell any of this data was stored unhashed/unencrypted is an excellent question, hopefully to be resolved by a ravening pack of lawyers hungry for sweet GDPR and other penalty money. I don't know that a data breach has actually bankrupted a company yet, but Suprema ought to suffer greatly.
I'm not in the security world, but this doesn't seem like that long of a turnaround time.
Can anyone comment?