Friday, 2024 November 22

Cyberattacks hobble Myanmar’s COVID-19 QR pass system, expose massive security flaws

The registration portal for health QR codes that are necessary for domestic travel in Yangon, Myanmar’s largest city, during a nationwide lockdown was subject to a series of cyberattack on Sunday.

The information app that is associated with the health QR codes, Saw Saw Shar, was developed by the COVID-19 Containment and Emergency response ICT Support Group. It went online in April and functions as a tracing app that logs the travel history of each user and issues reminders about infection hot zones. The app also has a dashboard that visualizes COVID-19 transmissions and infections by region within Myanmar. Yangon residents, in particular, rely on the QR pass registration portal of Saw Saw Shar to issue QR codes that allow them to commute within the commercial capital, where a stringent lockdown is in place and only essential workers and registered vehicles can move across townships for essential business.

“The [website’s] system suffered cyberattacks damaging its operation. Thus, it was suspended at 3:30 p.m. on September 27 to undergo system maintenance and prevent damage. It had to be suspended again after relaunching at night on the same day due to similar attacks,” according to an Facebook post by the Union of Myanmar Federation of Chambers of Commerce and Industry (UMFCCI) on Monday evening.

Saw Saw Shar’s server underwent maintenance on September 27. Screenshot from Facebook’s Saw Saw Shar public group.

UMFCCI also said that the system resumed its service at 5:00 p.m. on Monday, September 28, but attacks persisted through the afternoon. “Such attacks are not acceptable and are criminal acts since this system was created to streamline the reopening of the businesses that are essential for the people in Yangon for food and other services, and to help employees of such businesses systematically commute in the city during the stay-at-home period,” the Facebook post read.

Local cybersecurity experts have weighed in on the lack of proactive protection for Burmese citizens’ personal data. “Both the site and application were not designed with security in mind at all. The security of the site as well as application was so bad that people with little or no hacking knowledge have been able to exploit the site and are able to extract the data,” said Lynn Htun, a local cybersecurity practitioner.

Easy exploits

The Saw Saw Shar QR pass registration portal gave malicious parties straightforward access to a trove of personal data. Lynn Htun explained, “There are vulnerabilities such as users being able to view, edit, and replace other users’ data simply by changing the last digits in the URL string. This goes to show no hacking skills were required to misuse the site and that the site and application lack the very basic security provisions.”

A Facebook user spotted a design flaw that allows users to edit each others’ data. Screenshot from Facebook’s Saw Saw Shar public group.

“For example, by simply replacing the photo, the malicious actors are able to print a new QR pass with users’ details attached with their own photo to impersonate [other citizens],” Lynn Htun said. “Our advice to the developers and operators of the site and application is to test the security provisions of the site and application during the UAT [user acceptance testing] phase before it is open to the public for general use.”

A user cannot log in on Saw Saw Shar’s website despite providing the adequate information. Screenshot from Facebook’s Yangon Connection public group.

Most of Myanmar’s official websites are hosted in Singapore or within Southeast Asia, but the server hosting Saw Saw Shar’s is in the US, according to a Whois query performed by KrASIA.

“The server behind Saw Saw Shar is hosted on Microsoft Azure. The decision has nothing to do with restrictions or regulations. Rather, the local developer company is a reseller for Microsoft Azure,” Lynn Htun said. “However, the irony is that when you sign up for Microsoft Azure, you are not able to choose Myanmar (Burma) in the country drop-down list. In other words, Microsoft Azure is officially not available for purchase or use in Myanmar.”

This points to larger systemic problems, where the officials directing tech-based responses to the pandemic lack basic knowledge for the task. The cybersecurity expert added, “The impact of the server not being located in Southeast Asia ‘currently’ would mainly be latency and access issues. This is also due to the fact that the authorities do not understand basic principles of data privacy. Most of the ministers and members of cabinet are totally oblivious when it comes to the basics of data privacy, data sovereignty, and data classifications.”

Update: Myanmar Information Technology (MIT) reached out to KrASIA to clarify that the Saw Saw Shar application and its website operates independently from the “QR Pass Registration System website. KrASIA has edited the title and the first paragraph to reflect this change. KrASIA has learned that MIT is the Microsoft Azure cloud services reseller that helps manage the server for Saw Saw Shar’s website and app. MIT declined to offer further comments to KrASIA.

MORE FROM AUTHOR

Related Read