Unsecured Chinese companies leak users’ sensitive personal and business data

Pierluigi Paganini July 07, 2020

Researchers at Cybernews uncovered two unsecured databases, with millions of records, belonging to Chinese companies.

The original post is available here: https://cybernews.com/security/unsecured-chinese-companies-leak-users-sensitive-personal-and-business-data/

Our research uncovered two unsecured databases, with millions of records, belonging to companies that are based in China and provide different types of services. One database belongs to Xiaoxintong, which offers multiple apps and services aimed at elderly care. The other database we discovered seems to be connected to Shanghai Yanhua Smartech, which provides services related to intelligent buildings.

The database for Xiaoxintong, which serves more than 200 million elderly people in China, contains sensitive information such as GPS locations, mobile numbers, addresses, hashed passwords and more. 

The second database that may be from Shanghai Yanhua Smartech has even more sensitive data, such as easily-decoded audio files, names, employee ID numbers, heart rates, oxygen levels, GPS locations and more. Both databases are now closed.

What was in the database?

Each database contains particularly sensitive information. Let’s look at what information is contained in each database, and why we believe they’re connected to Xiaoxintong and Shanghai Yanhua Smartech.

The Xiaoxintong database

According to ITJuzi.com, Xiaoxintong is an “intelligent elderly care service platform” that is composed of both an “intelligent mobile terminal and cloud service platform.” This service provides “mobile rescue, love and health services to the elderly for free.”

When we looked through the database, there was a section for content on the database owner’s website. This includes this text:

Shanghai Xiaoxin Network Technology Co., Ltd. (上海孝信网络科技有限公司) was founded in 2015 with angel funding contributed personally by ten successful Tsinghua alumni. Applying the new concept of “Internet plus technology-enabled elderly care”, it is committed to improving the quality of life of China’s 200 million elderly people who are cared for at home. The company has a staff of idealistic and committed employees, and most of its core team are outstanding domestic IT and communications technology specialists.

When we entered that text into Google, we found that it comes from a page for the company Xiaoxin. The name translates roughly to “filial piety”. By its own description, Xiaoxintong serves the 200 million elderly people living in China. For reference, there are about 241 million elderly people in China, so that figure would amount to nearly 83% of all elderly people in the country.

The Xiaoxintong database contains more than 340,000 records of:

  • Mobile numbers, addresses and GPS locations
  • Mobile numbers and names of users’ relatives and other “Guardians”
  • Location tracks (including addresses and GPS coordinates)
  • Hashed passwords
  • SOS records and SOS record locations
  • Personal IDs

Most of these (about 285,000) were for addresses, GPS coordinates and personal IDs.
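“Hashed passwords” in a leaked dump are not automatically safe: what matters is the hashing scheme. The report does not say how Xiaoxintong hashed its passwords, so the following is an added illustration (not code from the Cybernews research or from either company) that contrasts two hypothetical storage schemes against the same constructed wordlist: an unsalted single-round SHA-256, where one pass over the wordlist cracks every account at once, and a per-user salted PBKDF2, where the attacker must repeat the (deliberately slow) work for each account. The user list and wordlist are constructed sample data.

```python
"""Why leaked 'hashed passwords' can still be a liability.

Added example; assumes nothing about the real database's hashing scheme.
Both schemes below are hypothetical, chosen to contrast a fast unsalted
hash with a salted, slow key-derivation function.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample data: a tiny "leaked" account set and an attacker wordlist.
# Real dumps and wordlists are orders of magnitude larger.
USERS = {"alice": "sunshine1", "bob": "password", "carol": "qwerty", "dave": "password"}
WORDLIST = ["123456", "password", "qwerty", "sunshine1", "letmein"]

# Kept small so the example runs in well under a second; production deployments
# should use far more iterations (or a memory-hard KDF such as scrypt/Argon2).
ITERATIONS = 20_000


# --- Scheme A (weak): unsalted, single-round SHA-256 ------------------------
def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """Simulate a database that stores sha256(password) with no salt."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Build a lookup table once; every account sharing a password falls together.

    Returns (recovered_passwords, number_of_hash_computations).
    Work is O(len(wordlist)) no matter how many users leaked.
    """
    table = {}
    work = 0
    for word in wordlist:
        table[hashlib.sha256(word.encode()).hexdigest()] = word
        work += 1
    recovered = {u: table[h] for u, h in leaked.items() if h in table}
    return recovered, work


# --- Scheme B (stronger): per-user random salt + PBKDF2-HMAC-SHA256 ---------
def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate a database that stores (salt, PBKDF2(password, salt))."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    return out


def crack_salted(leaked: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """No shared table is possible: each account needs its own pass over the wordlist.

    Returns (recovered_passwords, number_of_PBKDF2_computations). Each PBKDF2
    call is ITERATIONS times the cost of one SHA-256, so total effort is
    roughly len(users) * len(wordlist) * ITERATIONS hash operations.
    """
    recovered = {}
    work = 0
    for u, (salt, digest) in leaked.items():
        for word in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, ITERATIONS) == digest:
                recovered[u] = word
                break  # stop at the first match for this account
    return recovered, work


def compare(users: Dict[str, str], wordlist: List[str]) -> Dict[str, int]:
    """Run both attacks and express their cost in equivalent SHA-256 operations."""
    _, unsalted_work = crack_unsalted(store_unsalted(users), wordlist)
    _, salted_work = crack_salted(store_salted(users), wordlist)
    return {
        "unsalted_sha256_ops": unsalted_work,
        "salted_pbkdf2_sha256_ops": salted_work * ITERATIONS,
    }


if __name__ == "__main__":
    for scheme, cost in compare(USERS, WORDLIST).items():
        print(f"{scheme:28s} {cost:>12,d}")
```

With the constructed data both attacks recover every password, because the wordlist contains them; the difference is cost. The unsalted scheme needs five hashes for four accounts (and would still need five for four hundred thousand), while the salted PBKDF2 scheme needs a separate slow computation per account, so the attacker’s effort grows with the size of the dump.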

The second database (possibly from Shanghai Yanhua Smartech)

While we’re fairly confident that the first Chinese database belongs to Xiaoxintong, we haven’t fully confirmed that the second database belongs to Shanghai Yanhua Smartech. 

Shanghai Yanhua Smartech Group Co., Ltd., is a Chinese company that is primarily focused on the intelligent-building business. While the company seems to cover a lot of areas, according to MarketScreener its core business is “intelligent building projects, intelligent medical projects, and intelligent energy-saving projects.” Based on its December 2018 report, the company had $162 million in revenue.

When looking at the contents of this second database, we see that it covers many of the same areas as the company’s business: facilities, alarms, employees’ health monitoring data, and vehicle-related information.

Secondly, the database contains entries with the keyword “yhzn” in its class categories:

[Image: excerpt of database records, with the “yhzn” class names underlined]

Typing “yhzn” into Google, you get this:

[Image: cropped Google search results for “yhzn”]

Unfortunately, we weren’t able to get in contact with the company to confirm or deny that it is their database.

The second database contains more than 4.2 million records of:

  1. Persons
    1. Names, ID numbers (work-related), alarm (possible entry/exits), and warnings
    2. Audio files, and some have associated names
    3. Pedometers and device battery strength 
    4. Users’ heart rate, oxygen level, and probably blood pressure (DBP – diastolic blood pressure – and SDBP – systolic blood pressure)
    5. Project and person names
    6. Packet GPS locations
    7. People’s various GPS locations, including for personal “tracks” 
  2. Vehicles
    1. Vehicle work IDs and license plate numbers, alarms, community weights, garbage weights, collect counts for communities (termed “villages”), etc., totaling thousands of entries
    2. Vehicle GPS locations and tracks
  3. Facilities
    1. Names of facilities, types of alarms, alarm status, GPS locations

Most of these records are for vehicle GPS locations and tracks, facility data, and people’s GPS tracks.

Examples of data in the second database

Person audio example:

[Image: censored person audio record]

Person health example:

Person tracks example:

[Image: censored person tracks record]

Oil amount monthly report example:

[Image: censored oil amount monthly report]

Who had access?

The databases seem to have been exposed for an unknown period of time. The total number of records across both databases, potentially 5 million or more, included highly sensitive information about the elderly and their families, and about employees of what appear to be intelligent-building and connected-vehicle operations. Fortunately, both databases have been shut down.

It’s still unclear whether any bad actors were able to access the data before the databases were closed. However, since the databases could be accessed by anyone with a moderate amount of technical knowledge, without needing any authentication, it is still possible that others have accessed them.

What’s the impact?

The detailed movement and health data in these databases can bring varying rewards for cybercriminals.

Cybercriminals have the option of selling these sensitive records, potentially netting as much as $1 per record. However, this information can also be combined with other data to scam the users whose information is contained in the databases more effectively, for example through targeted phishing campaigns and other forms of exploitation.

Disclosure

In order to get these databases taken offline, we attempted to contact the database owners immediately after we discovered them on January 14, 2020. However, we were unable to contact those owners. The Xiaoxintong database was closed soon after we notified them, but for the second database we had to go through CERT of China (CNCERT), which worked with us to eventually close the database on March 5, 2020.

We were unable to get any comment or information from the database owners.

About the author: CyberNews Team


Pierluigi Paganini

(SecurityAffairs – Chinese companies, data leak)

