[BreachExchange] Unprotected Chinese Smart City Database Exposed Facial Scans And Other Explicit Details

Destry Winant destry at riskbasedsecurity.com
Mon May 6 10:07:56 EDT 2019


https://latesthackingnews.com/2019/05/06/unprotected-chinese-smart-city-database-exposed-facial-scans-and-other-explicit-details/

Over the past few days, we have heard of many incidents involving
accidental data leakage from unsecured databases. Here is another
similar security incident. What makes this one unique is the kind of
data exposed. Allegedly, a researcher found an unprotected Chinese
Smart City database that leaked facial recognition scans, among other
information.

Chinese Smart City Database Exposed Data Publicly

Researcher John Wethington stumbled upon an open Elasticsearch
database that publicly exposed a huge amount of records. The unsecured
database included hundreds of facial recognition scans stored as
gigabytes of data.

The researcher found that the database was hosted on the Alibaba cloud
platform. The database had numerous references to Alibaba’s AI-powered
City Brain. However, Alibaba denied this supposition and distanced
itself from the matter.

“This is a database project created by a customer and hosted on the
Alibaba Cloud platform… As a public cloud provider, we do not have the
right to access the content in the customer database.”

While Alibaba said it could not access the content of the database,
the researcher, with assistance from TechCrunch, was able to assess it.
Allegedly, the database included every detail hinting at the
functioning of a smart city. According to TechCrunch,

“The system monitors the residents around at least two small housing
communities in eastern Beijing, the largest of which is Liangmaqiao,
known as the city’s embassy district.”

The exposed data included information about people’s movements,
monitored by systems with various data collection points, including
cameras. It also included details about people’s facial features,
approximate ages, an ‘attractive’ score, and some labels regarding
ethnicities as determined through facial recognition.

The database also linked the facial recognition results with police
records, triggering warnings upon detecting an individual. This hinted
at the possibility that the customer behind this database might
belong to the government sector.

The system also generated alerts in case of events such as smoke
alarms or equipment failures. It could also monitor WiFi devices and
log IMEI and IMSI numbers from cellular devices.

Unnamed Source Informed Of The Matter

While Alibaba didn’t acknowledge the possible linkage with the leaky
database, they did, however, inform their customer base.

“We have already informed the customer about this incident so they can
immediately address the issue.”

The information present in the database indicated how dangerous AI can
become. According to Wethington,

“The weaponization and abuse of A.I. is a very real threat to the
privacy and security of every individual. We should carefully look at
how this technology is already being abused by other countries and
businesses before permitting them to be deployed here.”

