Security Measures for BioStar Air and Suprema Pass Mobile Access
Feature Overview
BioStar Air is Suprema’s secure, cloud-based mobile access control solution. Suprema’s hardware, software, and firmware engineering teams are guided by a “secure by design” principle. Every layer of our system architecture and every communication touchpoint is built to protect privacy and maintain data integrity.
Key measures include:
- Securing and encrypting data in the BioStar Air Admin Portal and its database
- Encrypting and protecting data as it travels between the BioStar Air API and clients
- Encrypting mobile card data stored on smartphones
- Securing communications between smartphones and readers (Suprema Pass)
- Implementing forgery prevention for mobile credentials (Suprema Pass)
ISO 27001 Certification
BioStar Air has achieved ISO 27001 certification, meeting global standards for information security management, security controls, and personal information management. First obtained in August 2019, ISO 27001 compliance also aligns with the General Data Protection Regulation (GDPR) and similar legislation such as the California Consumer Privacy Act (CCPA).
Proven Technologies for End-to-End Security
Secure Portal Access & Data Protection
The BioStar Air Admin Portal runs on encrypted Amazon RDS database instances (AWS) using AES-256 or stronger encryption. Additional encryption is applied to all personal data.
Encrypted Communication with BioStar Air API
All communication with the BioStar Air REST API is encrypted using TLS 1.2 over HTTPS and requires an access token (default one-hour expiry). AWS API Gateway throttles API requests to prevent brute force attacks.
Encrypted and Hashed Mobile Card IDs
Mobile card ID numbers are encrypted using AES-256 to prevent exposure on third-party servers. Card data is digitally signed to verify authenticity.
Secure Storage of Mobile Cards on Smartphones
Suprema Pass mobile credentials and associated data are encrypted with AES-256. Encryption keys are stored in the phone’s Trusted Execution Environment (TEE), such as Secure Enclave (Apple) or TrustZone (ARM).
Secure Communication between Phones and Readers
To prevent replay attacks over Bluetooth Low Energy (BLE), BioStar Air uses a one-time encryption key for each connection and terminates the connection immediately after the credential transfer, which also prevents man-in-the-middle (MITM) attacks.
Mobile Card Forgery Prevention
Each Suprema Pass mobile credential is protected by PKI-based digital signatures unique to each BioStar Air site. Proprietary verification processes detect any modification or forgery attempts.
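The two checks above, a site-specific signature that rejects forged or cross-site credentials and a fresh per-connection challenge that rejects replayed responses, as an added illustration that is not Suprema's code: the credential layout, the Ed25519 key pairs and the nonce-based exchange are assumptions made for this example, not BioStar Air's actual format or protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential is an assumed mobile-card payload (illustrative, not Suprema's real format).
type Credential struct {
	SiteID    uint32
	CardID    uint64
	DevicePub ed25519.PublicKey // the phone's key, challenged by the reader on every connection
}

func (c Credential) bytes() []byte {
	return append([]byte(fmt.Sprintf("%d|%d|", c.SiteID, c.CardID)), c.DevicePub...)
}

// Issue signs the credential with the site-specific private key (forgery prevention).
func Issue(sitePriv ed25519.PrivateKey, c Credential) []byte { return ed25519.Sign(sitePriv, c.bytes()) }
// NewNonce is the reader's fresh challenge for one connection, so a captured response is useless later.
func NewNonce() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	return n
}

// Respond is the phone proving possession of its device key over this connection's nonce.
func Respond(devPriv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(devPriv, nonce) }

// Verify is the reader's check: site signature over the credential, then the nonce-bound device signature.
func Verify(sitePub ed25519.PublicKey, c Credential, credSig, nonce, resp []byte) error {
	if !ed25519.Verify(sitePub, c.bytes(), credSig) {
		return errors.New("credential signature invalid: forged or issued for another site")
	}
	if !ed25519.Verify(c.DevicePub, nonce, resp) {
		return errors.New("challenge response invalid: replayed or wrong device")
	}
	return nil
}

func main() {
	sitePub, sitePriv, _ := ed25519.GenerateKey(nil) // constructed site key pair
	devPub, devPriv, _ := ed25519.GenerateKey(nil)   // constructed phone key pair
	c := Credential{SiteID: 7, CardID: 123456, DevicePub: devPub}
	sig, nonce := Issue(sitePriv, c), NewNonce()
	fmt.Println("fresh:", Verify(sitePub, c, sig, nonce, Respond(devPriv, nonce)))
	fmt.Println("replayed:", Verify(sitePub, c, sig, NewNonce(), Respond(devPriv, nonce)))
}
```

Running it prints `fresh: <nil>` and then a replay error, because the reader's second connection uses a new nonce that the old response does not cover.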
Vulnerability Management
Suprema’s Information Security Team leads vulnerability management, supported by external security specialists.
- Continuous automated scanning for threats
- Annual ISO 27001 renewal audits with full system review
- Penetration testing and risk assessments before major releases
- Spot checks for password hygiene, social engineering resilience, and procedure compliance
- Comprehensive documentation and reporting of all vulnerabilities and remediation actions
Risk Assessment Approach
Assets are classified by confidentiality, integrity, and availability ratings. Threats are identified, vulnerabilities assessed, and risks evaluated based on likelihood and impact. Mitigation measures are prioritized according to risk severity.
Multi-Factor Authentication (MFA)
MFA is being implemented in stages:
- Email-based 2FA for admin accounts
- Passcode-based 2FA for the BioStar Air App
- Automatic lockout of inactive admin accounts after 90 days
- Configurable password expiry (30, 60, 90 days)
Frequently Asked Questions
- Data in transit encryption: TLS 1.2
- Data at rest encryption: AES-256
- DoS protection: AWS API Gateway request throttling
- Service availability: 98–99% uptime (per contract SLA)
- API security: Token-based authentication, HTTPS-only, strict endpoint validation
- Portal access: Cloud-based for global management; private cloud options under development