Leak of 28 million records from the BioStar 2 biometric identification platform

Researchers from vpnMentor have disclosed that a database holding more than 27.8 million records (23 GB of data) was openly accessible. The records belong to the biometric access control system BioStar 2, which has about 1.5 million installations worldwide and is integrated into the AEOS platform, used by more than 5700 organizations in 83 countries, including large corporations, banks, government agencies and police stations. The leak was caused by a misconfigured Elasticsearch store that turned out to be readable by anyone on the internet, without authentication.
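The article does not say which settings were wrong, so the following is an added illustration rather than BioStar 2's actual configuration: an `elasticsearch.yml` of the kind that ends up publicly readable, beside a hardened one. Elasticsearch releases before 8.0 ship with authentication disabled, so binding the HTTP port to all interfaces is by itself enough to expose every index to the internet.

```yaml
# --- Exposed configuration (assumed, illustrative) ---
# Binds HTTP (port 9200) on every interface; security is off by default
# in pre-8.0 releases, so any client that can reach the port can run
# GET /_cat/indices and GET /<index>/_search with no credentials.
cluster.name: access-control
network.host: 0.0.0.0
discovery.type: single-node
# (no xpack.security.* settings at all)

# --- Hardened configuration (assumed, illustrative) ---
cluster.name: access-control
# Listen only on the loopback interface; the application reaches the
# node locally or over a private network, never via a public address.
network.host: 127.0.0.1
discovery.type: single-node
# Require authentication and authorization on every request
# (free in the basic license from 6.8 / 7.1 onwards).
xpack.security.enabled: true
# Encrypt client traffic so credentials and records are not sent in clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
```

Even with these settings, a quick check that `curl http://<public-ip>:9200/_cat/indices` from outside the network is refused (connection rejected or HTTP 401) is worth adding to routine exposure monitoring.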

The leak is exacerbated by the fact that most of the database was not encrypted. In addition to personal data (name, phone, email, home address, position, time of employment, etc.), it contained the access logs of system users, passwords stored in plain text (without hashing), and mobile device data, including photographs of faces and fingerprints used for biometric user identification.

In total, more than a million original fingerprint scans linked to specific people were identified in the database. Unlike a password, a fingerprint cannot be changed once exposed, so an attacker holding the stored template could replicate the fingerprint and use it to bypass access control systems or to leave false traces. The researchers also drew attention to the quality of the passwords, many of which were trivial, such as "Password" and "abcd1234".

Moreover, since the database also included the credentials of BioStar 2 administrators, attackers could have gained full access to the system's web interface and used it to add, edit, and delete entries. For example, they could have altered fingerprint data to gain physical access, changed access rights, and removed traces of their intrusion from the logs.

It is noteworthy that the problem was identified on August 5, but several days were then spent trying to convey the information to the creators of BioStar 2, who were unwilling to listen to the researchers. The information finally reached the company on August 7, but the problem was not fixed until August 13. The researchers found the database as part of a project that scans networks and analyzes publicly reachable web services. It is not known how long the database remained publicly accessible or whether attackers were aware of its existence.

Source: opennet.ru
