Report

How inadequate security checks led to massive data breach in Telangana police app

The network of the Telangana Police was hacked by an unknown threat actor who goes by the name of Adm1nFr1end and the details of the breach of the TS-COP app were published on the hacker forum BreachForums. This is the same actor who also published details of the breach of another Telangana Police app HawkEye and the Telangana Police SMS Service.

TS-COP and HawkEye are mobile applications of the Telangana Police that are used by the police and citizens respectively as part of their digitisation of policing services. 

The hacking of these apps, and in turn other policing databases, is not only a security nightmare for the police but for the entire citizenry of Telangana, whose 360-degree profiles have been continuously collected over the last decade. The app is not available directly on Google Play Store, but malware platforms like Koodous have copies of it.

Breaching into these systems is not a complicated task as the apps built by the police lack basic security. 

An analysis of the source code of TS-COP indicates that the developer of the application, WinC IT Services, has embedded all the passwords of various application programming interfaces (APIs) directly into the Android app. This means that they used plain text passwords over basic HTTP with no security at any stage. It also suggests that the developers are likely not trained in this aspect.
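As an added illustration (not code from TS-COP or from the original article), the following Python check flags the two weaknesses described above in decompiled app source: string literals assigned to credential-like names, and endpoints reached over cleartext schemes. The sample input, rule names and patterns are assumptions made for this example.

```python
import re

# Constructed sample resembling decompiled Android source; every name, host and value is made up.
SAMPLE = '''\
public class ApiConfig {
    static final String GEO_URL = "http://geo.example.invalid/api/locate";
    static final String GEO_USER = "svc_geo";
    static final String GEO_PASSWORD = "Passw0rd-constructed";
    static final String CCTV_STREAM = "rtsp://viewer:constructed-secret@cam.example.invalid/live";
    static final String HELP_URL = "https://help.example.invalid/";
    String password = "";  // empty default, filled in at login
}
'''

# A credential-like identifier assigned a non-empty string literal.
CRED_ASSIGN = re.compile(
    r'(?i)\b(\w*(?:passw(?:or)?d|pwd|secret|api_?key|token)\w*)\s*=\s*"([^"]+)"')
# Any string literal holding a URL; scheme and optional user:password@ are captured.
URL_LITERAL = re.compile(r'"(\w+)://(?:([^"/@\s:]+):([^"/@\s]+)@)?([^"/\s]+)[^"]*"')
CLEARTEXT_SCHEMES = {"http", "rtsp", "ftp"}

def scan(source):
    """Return (line_no, rule, detail) findings; secret values are never echoed."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in CRED_ASSIGN.finditer(line):
            findings.append((no, "hardcoded-credential", m.group(1)))
        for m in URL_LITERAL.finditer(line):
            scheme, user, _pw, host = m.groups()
            if user:
                findings.append((no, "credential-in-url", host))
            if scheme.lower() in CLEARTEXT_SCHEMES:
                findings.append((no, "cleartext-endpoint", f"{scheme}://{host}"))
    return findings

if __name__ == "__main__":
    for no, rule, detail in scan(SAMPLE):
        print(f"line {no}: {rule}: {detail}")
```

A check like this belongs in the build pipeline, so a release that ships a secret or a cleartext endpoint fails before the APK is published.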

There is also the probability that the contract to build this application was given without serious checks and balances in the bidding process. 

Here is a look into their source code. The passwords are not being masked as the police department has shut down all services to do an audit.

In Telangana, all accidents and crimes are geo-tagged and the police use this information to determine where to allocate more personnel for policing. The Telangana police’s infamous ‘cordon and searches’ are justified based on this geo-tagging of crimes. Geo-location services are provided to the Telangana police by the private company TecDatum.

The Crime and Criminal Tracking Network and Systems (CCTNS) is a network of interconnected policing systems that link all police stations across India. The Telangana police use these services provided by the Union Ministry of Home Affairs to connect and access first information reports and chargesheets of crimes from other police stations within the state and other state police departments.

The police department has been collecting information from the databases of all other departments and centralising its access to the information without any access management in place. 

The architecture of TS-COP shows us that the Telangana police gives wide access to all sorts of intelligence information to every police official without creating any logs on who is accessing their systems. This means that any police official can access our personal data, sell it, or share it with anyone, and there won’t be a record of it.

The source code of TS-COP displaying the username and password of geolocation services.
The source code of TS-COP displaying the username and password of CCTNS services.
The source code of TS-COP displaying user ID and password to access Forensic Systems.
The source code of TS-COP displaying access protocols for live streaming of CCTV footage.

This is exactly what happened in the recent Telangana Intelligence scandal where lakhs of telecommunications and internet access records were randomly deleted by a rogue intelligence official.

Beyond standard police services, the TS-COP application has access to all the databases of the Telangana government, including voter data, Aadhaar, driver’s licence, ration card, and phone numbers. The police also used third party services to access data from hotel check-ins using the third party vendor Zebi Chain. This was a pilot project, the status of which is unknown.

These are a few examples of a complex code base that has digitised every aspect of policing in Telangana including attendance of police officials. The police department has a vast amount of powers of surveillance and it has been abusing these powers against the political opposition.

Recent investigations into intelligence officials conducting mass surveillance of judges, critics of the government, and journalists show how this system can be abused. Without the right checks and balances, it will lead to violent outcomes for society.

Srinivas Kodali is a hacktivist and researcher working on digitisation.

This piece was republished from The News Minute as part of The News Minute-Newslaundry alliance. It has been lightly edited for style and clarity.