Smart cities are a very hot topic these days as we have seen reports of facial detection and state surveillance in China as well as other Asian countries and Ecuador. Recently we have also seen news about an Alibaba-owned project called City Brain that has advanced video and processing ability for facial detection, real-time information statistics and feeds, crime and traffic offenders, and much more. Whether you call such systems “advanced intelligence” because they learn from the data they ingest, or whether you call them “city visual intelligence engine” or just “government surveillance,” they generally collect and store a tremendous amount of personal information.
But no matter how smart of a system it is, the humans responsible for managing it make errors, and City Brain has slipped up. City Brain exposed its own data via elastic search engine instances that were left open without any authentication, leaving all the data from its processing open for anybody to view.
Discovery and Notification
I discovered their most recent security failure on January 13. It involved 56GB of data across 22 indices that appeared to be a mix of test and production naming.
Within the indices were links to a cloud system for City Brain vendors. Part of the links and indices revealed which city data was from. Luzhou and Hangzhou are both well-known cities involved with the City Brain program.
As a result, attribution and contact information for City Brain were actually fairly easy to determine in this leak, and I quickly discovered that the head of the City Brain lab team could be reached via LinkedIn. Within a few hours of reaching out to them to alert them, I received a response thanking me and telling me that they would look into it.
“Thanks a lot for letting me. Let me have a look. Thanks. – Xian-Sheng”
Within a few hours, the system was offline.
Not Their First Leak
This is not the first time City Brain data have leaked. Researcher John Wethington discovered a very similar set of data that was reported in May, 2019. In that case, the researcher appeared to have had difficulty getting them to acknowledge the leak after it had been fixed. Maybe that incident has changed how they respond to security alerts from researchers, or maybe I just got lucky this time to get a quick and effective response.
One thing that is clear, however, is that as well as tracking cars, faces, people, and mobile devices, governments are also using CCTV to track simple objects like bicycles. Governments and vendors need to focus on the overall security of the data generated by these systems so that they do not fall into the wrong hands and wind up misused or exploited. As more and more cities become “smart cities,” the risk of misuse grows exponentially, and the need for better data security becomes critical.
Reporting by Lee J, with editing by Dissent.