What was in the database?
Each database contains particularly sensitive information. Let’s look at what information is contained in each database, and why we believe they’re connected to Xiaoxintong and Shanghai Yanhua Smartech.
The Xiaoxintong database
According to ITJuzi.com, Xiaoxintong is an “intelligent elderly care service platform” that is composed of both an “intelligent mobile terminal and cloud service platform.” The service provides “mobile rescue, love and health services to the elderly for free.”
When we looked through the database, we found a section holding content from the database owner’s website. It includes this text:
When we entered that text into Google, we found that it comes from a page belonging to the company Xiaoxin. According to that page, Xiaoxintong (a name that translates to “Filial Piety”) serves 200 million elderly people in China. For reference, China has about 241 million elderly people, so the claimed user base would cover nearly 83% of all elderly people in the country.
The Xiaoxintong database contains more than 340,000 records of:
- Mobile numbers, addresses and GPS locations
- Mobile numbers and names of users’ relatives and other “Guardians”
- Location tracks (including addresses and GPS coordinates)
- Hashed passwords
- SOS records and SOS record locations
- Personal IDs
Most of these (about 285,000) were for addresses, GPS coordinates and personal IDs.
The second database (possibly from Shanghai Yanhua Smartech)
While we’re fairly confident that the first Chinese database belongs to Xiaoxintong, we haven’t fully confirmed that the second database belongs to Shanghai Yanhua Smartech.
Shanghai Yanhua Smartech Group Co., Ltd., is a Chinese company primarily focused on the intelligent building business. While the company seems to cover a lot of areas, according to MarketScreener its core business is “intelligent building projects, intelligent medical projects, and intelligent energy-saving projects.” Based on its December 2018 report, the company had $162 million in revenue.
When looking at the contents of this second database, we see that it covers many of the same areas: facilities, alarms, employees’ health monitoring data, and vehicle-related information.
Secondly, the database contains entries with the keyword “yhzn” in its class categories. Typing “yhzn” into Google, you get this:
Unfortunately, we weren’t able to reach the company to confirm or deny that the database is theirs.
The second database contains more than 4.2 million records of:
- Names, ID numbers (work-related), alarm (possible entry/exits), and warnings
- Audio files, and some have associated names
- Pedometers and device battery strength
- Users’ heart rate, oxygen level, and probably blood pressure (fields labelled DBP and SDBP, which appear to be diastolic and systolic blood pressure)
- Project and person names
- Packet GPS locations
- People’s various GPS locations, including for personal “tracks”
- Vehicle work IDs and license plate numbers, alarms, community weights, garbage weights, collection counts for communities (termed “villages”), etc., totaling thousands of entries
- Vehicle GPS locations and tracks
- Names of facilities, types of alarms, alarm status, GPS locations
Most of these records are for vehicle GPS locations and tracks, facility data, and people’s GPS tracks.
Examples of data in the second database
Person audio example:
Person health example:
Person tracks example:
Oil amount monthly report example:
Who had access?
Both databases seem to have been exposed for an unknown period of time. Together they held potentially 5 million records or more, containing highly sensitive information about elderly people and their families, and about employees of what appear to be smart-building and connected-vehicle projects. Fortunately, both databases have since been shut down.
It’s still unclear whether any bad actors accessed the data before the databases were closed. However, because the databases were reachable by anyone with a moderate amount of technical knowledge, with no authentication required, it is entirely possible that others accessed them.
What’s the impact?
The detailed movement and health data in these databases could be monetized by cybercriminals in several ways.
Cybercriminals could sell these sensitive records outright, potentially netting as much as $1 per record. More dangerously, this information could be combined with other data to scam the people whose details are in the databases far more effectively, including through targeted phishing campaigns and other forms of exploitation.
Disclosure
In order to get these databases taken offline, we attempted to contact the database owners immediately after we discovered them on January 14, 2020, but received no reply from either. The Xiaoxintong database was nevertheless closed soon after our notification. For the second database we had to go through China’s national CERT (CNCERT), which worked with us to eventually get the database closed on March 5, 2020.
We were unable to get any comment or information from the database owners.