How inadequate security checks led to massive data breach in Telangana police app

It is highly likely that the contract to build the Telangana Police’s mobile application TS-COP was given without serious checks and balances in the bidding process, writes hacktivist Srinivas Kodali.

The network of the Telangana Police was hacked by an unknown threat actor who goes by the name of Adm1nFr1end and the details of the breach of the TS-COP app were published on the hacker forum BreachForums. This is the same actor who also published details of the breach of another Telangana Police app HawkEye and the Telangana Police SMS Service. TS-COP and HawkEye are mobile applications of the Telangana Police that are used by the police and citizens respectively as part of their digitisation of policing services. 

The hacking of these apps, and in turn other policing databases, is a security nightmare not only for the police but for the entire citizenry of Telangana, whose 360-degree profiles have been continuously collected over the last decade. The app is not available directly on Google Play Store, but malware platforms like Koodous have copies of it.

Breaching these systems is not a complicated task, as the apps built by the police lack basic security.

An analysis of the source code of TS-COP indicates that the developer of the application, WinC IT Services, has embedded all the passwords of various application programming interfaces (APIs) directly into the Android app. This means that they used plain text passwords over basic HTTP with no security at any stage. It also suggests that the developers are likely not trained in this aspect.
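A defender's check for the two weaknesses described above, credentials embedded in the app and plain HTTP endpoints, run over decompiled app sources. This is an added example, not code from the article or from TS-COP; the sample files, names, hosts and values are constructed placeholders, and the rule names are this example's own.

```python
import re

# Constructed sample of a decompiled app; every name, host and value is a
# placeholder and none of it is taken from the TS-COP code base.
SAMPLE_FILES = {
    "AndroidManifest.xml": '''\
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true" />
</manifest>
''',
    "ApiConfig.java": '''\
public class ApiConfig {
    static final String GEO_URL = "http://geo.example.invalid/api/locate";
    static final String GEO_USER = "svc_account";
    static final String GEO_PASSWORD = "PLACEHOLDER-PASSWORD";
    static final String HOTEL_ACCESS_TOKEN = "PLACEHOLDER-TOKEN";
    static final String DOCS_URL = "https://docs.example.invalid/help";
    String password = prefs.getString("password", "");
    static final String PASSWORD_HINT = "";
}
''',
}

# String literal assigned to an identifier whose name suggests a secret.
SECRET_ASSIGN = re.compile(
    r'\b(\w*(?:passw(?:or)?d|pwd|secret|token|api_?key)\w*)\s*=\s*"([^"]*)"',
    re.IGNORECASE)
# Quoted http:// URL; the Android XML namespace URI is not an endpoint.
CLEARTEXT_URL = re.compile(
    r'"(http://(?!schemas\.android\.com/)[^"\s]+)"', re.IGNORECASE)
MANIFEST_CLEARTEXT = re.compile(r'android:usesCleartextTraffic\s*=\s*"true"')

def audit(files):
    """Return sorted (file, line, rule, detail) findings for each file."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = SECRET_ASSIGN.search(line)
            if m and m.group(2):  # an empty literal is not a secret
                findings.append((name, lineno, "hardcoded-secret", m.group(1)))
            for url in CLEARTEXT_URL.findall(line):
                findings.append((name, lineno, "cleartext-http", url))
            if MANIFEST_CLEARTEXT.search(line):
                findings.append((name, lineno, "cleartext-allowed", "manifest"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(*finding, sep="\t")
```

The report names the identifier rather than echoing the secret's value, so the audit output can be shared without leaking the credential again.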

There is also the probability that the contract to build this application was given without serious checks and balances in the bidding process. 

Here is a look into their source code. The passwords are not being masked as the police department has shut down all services to do an audit.

The source-code of TS-COP displaying the username and password of geolocation services

In Telangana, all accidents and crimes are geo-tagged and the police use this information to determine where to allocate more personnel for policing. The Telangana police’s infamous ‘cordon and searches’ are justified based on this geo-tagging of crimes. Geo-location services are provided to the Telangana police by the private company TecDatum.

The source code of TS-COP displaying the username and password of CCTNS services

The Crime and Criminal Tracking Network and Systems (CCTNS) is a network of interconnected policing systems that link all police stations across India. The Telangana police use these services provided by the Union Ministry of Home Affairs to connect and access first information reports and chargesheets of crimes from other police stations within the state and other state police departments.

The source code of TS-COP displaying user ID and password to access Forensic Systems

The police department has been collecting information from the databases of all other departments and centralising its access to the information without any access management in place. 

The architecture of TS-COP shows us that the Telangana police give wide access to all sorts of intelligence information to every police official without creating any logs of who is accessing their systems. This means that any police official can access our personal data, sell it, or share it with anyone, and there won’t be a record of it.

This is exactly what happened in the recent Telangana Intelligence scandal where lakhs of telecommunications and internet access records were randomly deleted by a rogue intelligence official.

The source code of TS-COP displaying access protocols for live streaming of CCTV footage

Beyond standard police services, the TS-COP application has access to all the databases of the Telangana government, including voter data, Aadhaar, driver’s licence, ration card, and phone numbers. The police also accessed data from hotel check-ins through the third-party vendor Zebi Chain. This was a pilot project, the status of which is unknown.

The source code of TS-COP displaying access token for Zebi Chain hotel data

These are a few examples from a complex code base that has digitised every aspect of policing in Telangana, including attendance of police officials. The police department has vast powers of surveillance, and it has been abusing these powers against the political opposition.

Recent investigations into intelligence officials conducting mass surveillance of judges, critics of the government, and journalists show how this system can be abused. Without the right checks and balances, the police are an institution of violence and it will only lead to violent outcomes for society.

Srinivas Kodali is a hacktivist and researcher working on digitisation.

The News Minute
www.thenewsminute.com