VPNOverview’s security research team has discovered a leak on Resileo’s servers that exposed the private information of thousands of COVID-19 patients.
Resileo Labs is an India-based IT and consulting firm that provides application performance monitoring (APM) services. Its clients include high-profile companies such as HCL Technologies, Verizon, and RCS Group. Resileo’s Appedo APM is marketed as an open-source tool for performance monitoring, competing with tools from popular US-based companies like New Relic and AppDynamics.
Resileo Leaked Admin Credentials
Our team found an Appedo installation guide in an unsecured AWS S3 bucket. The guide details a workaround using a built-in administrator account.
Besides the installation guide, we also found a database backup. We imported the backup and could access the resulting database. In it, we found a table with the connection strings for Resileo’s database servers.
We checked the credentials and found they were still in use. The leaked credentials were enough to browse Resileo’s production database servers. Resileo did not use any other access control to protect these servers.
Production Database Contained Private COVID Data
When our team connected to Resileo’s production databases, we found private information about COVID-19 patients. We also found data that strongly suggests police in South India had a system for tracking COVID-positive individuals through cell phone tower pings.
Resileo works with third parties to help them analyze data, including the Indian Council for Medical Research (ICMR). ICMR is an Indian government organization that conducts biomedical research on health issues. The council assisted in formulating and coordinating policies to tackle the spread of COVID in India.
Geolocation and Symptoms of Patients Exposed
The largest set of data we accessed contained geodata and symptoms of suspected COVID patients. No personally identifiable information was in this dataset.
The data, however, showed the geolocation and symptoms of 9,924,433 individuals. The symptom codes appeared to show cough, fever, and diarrhea.
While this dataset contained the age and gender of some patients, all mobile numbers were anonymized.
Thousands of Phone and IMEI Numbers Leaked
We found an additional table containing mobile phone and IMEI numbers. IMEI numbers are used to identify mobile phones. Each IMEI number is unique to a device and can be used to track a phone as it communicates with different mobile towers.
We could extract 5,157 sets of mobile and IMEI numbers from the database, along with the towers each phone communicated with. We found geodata describing the position of each tower as well as the time and date each phone communicated with the tower.
ICMR COVID Data Breach, 4,634 People Affected
We found another table containing information on 4,634 people who tested positive for COVID-19. Out of the group, 3,745 had their mobile numbers leaked, along with their gender, age, location, the date they went into isolation, and confirmation they tested positive for COVID.
The remaining 889 people had some information leaked, but it was sufficiently anonymized to protect their identity.
Tamil Nadu’s Police Appears to Have Tracked Cases Using Cell Phones
Finally, we discovered accounts that imply the police tracked COVID cases in Tamil Nadu. Apparently, mobile devices from the previous sections were being tracked based on the towers they connected to.
All the information appears to be from the spring of 2020, when India was battling the Delta variant. Login attempts were stored in the database. We geolocated the IP address of a successful “TN Police” log in to a government building in a city in southern India.
Police in southern India would have had access to an individual’s COVID status, their mobile and IMEI number, the cell phone towers their device connected to, and precise geolocation data indicating the distance of their device from the tower.
It appears the police used this information to monitor the movement of COVID-positive individuals. It is unclear whether they could use this data to track people in real time.
Timeline
This is the timeline of events:
| Event | Date | Time |
|---|---|---|
| Discovered admin passwords in the manual stored in an open bucket | August 6th, 2022 | 7:50 PM |
| Notified Resileo through email | August 12th, 2022 | 4:52 PM |
| Resileo secured their bucket and closed the admin password breach | August 13th, 2022 | 1:21 AM |
| Received an email from Resileo confirming they closed the breach | August 13th, 2022 | 8:18 AM |
| Discovered connection strings to Resileo’s production databases | August 24th, 2022 | 8:15 PM |
| Notified Resileo we were able to connect to their database servers | August 25th, 2022 | 8:27 AM |
| Resileo changed the passwords and closed the database breach | August 26th, 2022 | 8:00 AM |
| Sent an email to Resileo requesting a comment | October 11th, 2022 | 2:53 PM |
Resileo has since closed the breach and changed their database passwords. The data is no longer accessible.
Medical Data and Social Engineering
A data breach violates the privacy of those affected and leaves them vulnerable to cybercrimes. India already suffers from an ever-growing phishing problem, as we detailed in our report on the Rocket data breach.
Also, a person’s COVID status is their private information. Access to medical data can enable cybercriminals to exploit their victims. A malicious actor could use information from the ICMR breach to conduct a convincing social engineering scam.
An additional concern is third-party data sharing, as the people affected by the breach gave their information to the ICMR, not Resileo.
IMEI Scams and Cybercrime
IMEI number is a unique 15-digit number assigned to every GSM mobile device. Your IMEI number is shared with network providers whenever your device connects to a cell service.
If a mobile device is stolen, manufacturers or network providers can blacklist the IMEI number and track it.
Your IMEI number can reveal a lot of information about your phone, including its make, model, and other specifications. It is possible to create a hardware profile of a device just with the IMEI number.
A trove of stolen but active IMEI numbers can be very useful to malicious actors, as they use them to hide from law enforcement. Fake IMEI numbers are a major cybersecurity issue in India.
Privacy in a Post-COVID World
Our security team’s findings raise important questions about privacy in the age of COVID. Resileo had an obligation to protect the data they collected, but whether or not the data should have been harvested in the first place is a more important question. Certainly, all the mobile numbers should have been anonymized.
