In May 2017, Appthority released analysis of HospitalGown, an Appthority-discovered threat. HospitalGown, so named for the exposed backends that were discovered, shows what can be missed by focusing narrowly on mobile device and app-related threats.
What Is HospitalGown
Analysis of devices, networks and apps is necessary but not sufficient for securing an enterprise mobile ecosystem. The apps’ backends — cloud-based servers that apps use for storage and other functions — are required components for many apps. When we say a backend is exposed, we mean it is accessible from the Internet with no password protection or any authentication mechanism to prevent a third-party from accessing the entire database. HospitalGown refers to the class of threats resulting from exposed mobile app backends.
Here's another way to think of having data exposed on a backend server: if an enterprise-wide app is deployed on thousands of devices, the collective data is most often found in one backend server. To access that data, an attacker does not need to successfully attack thousands of devices; they only need to breach a single server. And if that backend data store is unsecured, without even a password to protect it, then massive amounts of enterprise data are exposed and can be readily accessed by even the most unsophisticated attacker. (The Equifax hack recently demonstrated this concept: a centralized database was breached rather than 143 million consumers being attacked individually.)
It’s All About The Data
The true objective of an enterprise attack is almost always data. With HospitalGown, Appthority found an incredible exposure: 43 terabytes of data on over 21,000 backend servers that mobile apps relied on for persistent storage. The exposed data included passwords, location, travel and payment details, corporate profile data (including employees' VPN PIN reset tokens, emails and phone numbers), and retail customer data. In one case, we found PII (personally identifiable information) for tens of thousands of employees from just one enterprise. In some cases the data had already been ransomed, meaning that an adversary had encrypted it and demanded payment to unlock it.
More than anything, enterprises focus on the security of their data. While data is occasionally stored on devices, large data sets are invariably stored on backend servers in the cloud. Whereas the security of Android and iOS protects users against most on-device threats, until now nothing protected users from app developers' oversights regarding the part of the mobile ecosystem where the crown jewels, the company's most sensitive data, are stored.
In some cases, the data we found was probably not highly sensitive; in other cases it was extremely sensitive. Backend data sets can be used to aggregate news articles and social network posts, or they can hold employee names and contact info or archives of sensitive documents. When we find an exposed backend we don't know the degree to which it exposes proprietary information, if at all. But almost any data is useful to an attacker, even if only to profile an enterprise as part of reconnaissance in preparation for an attack. We therefore consider exposed backends an important aspect of mobile security for enterprises.
Since we published our HospitalGown research in May, we’ve been expanding our automated detection of exposed backends. Appthority’s Mobile Threat Team (MTT) has developed a prototype analysis system that scans and inventories NoSQL data stores that are exposed. The system then parses through the indices applying heuristics associated with mobile data.
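As an added illustration of the kind of inventory-and-heuristics pass described above (example code written for this page, not Appthority's MTT system), the Python below parses the JSON form of Elasticsearch's `_cat/indices` listing plus one sample document per index, flags ransom-note indices and indices that look like per-user mobile data, and classifies the answer to an unauthenticated `GET /` probe. The hint lists, index names, field names and sample documents are constructed assumptions that resemble what the article describes; `live_inventory` is only for a node you are authorized to test.

```python
"""Inventory an exposed Elasticsearch node and flag mobile-app data.

Added example for this page, not Appthority's detection system.  The hint
lists, index names, field names and sample documents are constructed
assumptions resembling what the article describes (users / userdata /
health_* indices and a ransom-note index such as "pleasereadthis").
"""
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Index names left behind by the 2017 ransom campaigns against open NoSQL
# stores (assumption: illustrative, not exhaustive).
RANSOM_INDEX_HINTS = ("pleasereadthis", "please_read", "read_me", "readme", "warning")

# Index-name fragments and field names that suggest per-user mobile data
# (assumption: tune these to the app population you actually scan).
INDEX_NAME_HINTS = ("user", "account", "profile", "health", "device", "session", "location")
MOBILE_FIELD_HINTS = {
    "pin", "pincode", "password", "email", "phone", "device_id", "deviceid",
    "udid", "push_token", "latitude", "longitude", "steps", "heart_rate",
}


def probe_auth(status, body):
    """Classify the response to GET / on port 9200: a 200 carrying the
    cluster banner means the node answers with no credentials at all;
    401/403 means something in front of it authenticates requests."""
    if status in (401, 403):
        return "authenticated"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(data, dict) and "cluster_name" in data and "version" in data:
            return "open"
    return "unknown"


def _keys(doc):
    """Yield every key in a (possibly nested) JSON document."""
    for key, value in doc.items():
        yield key
        if isinstance(value, dict):
            yield from _keys(value)


def classify_index(name, docs_count, sample_doc=None):
    """Return (category, reasons) for one index, using one sample document if given."""
    lname = name.lower()
    if any(hint in lname for hint in RANSOM_INDEX_HINTS):
        return "ransom_note", ["index name matches a ransom-note pattern"]
    reasons = []
    if any(hint in lname for hint in INDEX_NAME_HINTS):
        reasons.append("index name suggests per-user data")
    if sample_doc:
        hits = sorted(k for k in _keys(sample_doc) if k.lower() in MOBILE_FIELD_HINTS)
        if hits:
            reasons.append("fields: " + ", ".join(hits))
    if reasons:
        return "mobile_pii", reasons + [f"{docs_count} documents"]
    return "other", []


def inventory(cat_indices_json, samples=None):
    """Parse the output of GET /_cat/indices?format=json and classify every index."""
    samples = samples or {}
    report = {}
    for row in json.loads(cat_indices_json):
        name = row["index"]
        count = int(row.get("docs.count") or 0)  # docs.count is null for closed indices
        report[name] = classify_index(name, count, samples.get(name))
    return report


def live_inventory(base_url, timeout=5):
    """Probe a node you are authorized to test, e.g. live_inventory("http://127.0.0.1:9200")."""
    try:
        with urllib.request.urlopen(base_url + "/", timeout=timeout) as resp:
            state = probe_auth(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        state = probe_auth(err.code, "")
    except URLError:
        return "unreachable", {}
    if state != "open":
        return state, {}
    with urllib.request.urlopen(base_url + "/_cat/indices?format=json", timeout=timeout) as resp:
        return state, inventory(resp.read().decode("utf-8"))


# Constructed sample: what an open node holding a ransomed app backend might list.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "users", "docs.count": "184"},
    {"health": "yellow", "status": "open", "index": "health_headache", "docs.count": "412"},
    {"health": "yellow", "status": "open", "index": "pleasereadthis", "docs.count": "1"},
    {"health": "green", "status": "open", "index": "news_cache", "docs.count": "9021"},
])
SAMPLE_DOCS = {  # one constructed document per index, as GET /<index>/_search?size=1 returns
    "users": {"username": "testuser", "pin": "0000", "created": "2017-10-02T11:15:00Z"},
    "health_headache": {"user_id": 42, "IsPainIntense": True, "NumberOfPills": 2},
    "news_cache": {"title": "constructed headline", "url": "https://example.invalid/a"},
}


def demo():
    """Run the constructed sample through the classifier."""
    return inventory(SAMPLE_CAT_INDICES, SAMPLE_DOCS)


if __name__ == "__main__":
    for index, (category, reasons) in demo().items():
        print(f"{index:20} {category:12} {'; '.join(reasons)}")
```

The name heuristics are deliberately loose: a real inventory pass confirms a hit by sampling a document and looking at its fields, as `classify_index` does, because an index called `users` on an open node is only a lead until you see what is in it.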
Using this system we have discovered a number of additional mobile apps with exposed backends. We've chosen two health-related apps as further test cases for analysis: CitaHealth and Zikto, both of which are available in Google Play and the Apple App Store. These applications expose users' personal health information via an exposed backend that has been ransomed. Because the backends are ransomed, healthcare enterprises would have to pay for the privilege of accessing their own data and hope that the attacker unlocks it when paid.
CitaHealth is a healthcare application accessing an unsecured and ransomed ElasticSearch instance. The application collects health data from users. On Android it utilizes the Samsung Health SDK. On iOS it uses built in capabilities.
As outlined in the technical details in Appendix A, we were able to create a fictitious account and access its data. As can be seen, the attackers left a ransom demand for 0.5 bitcoins (currently valued at $2,119.20).
There have been no updates to either the iOS or Android app since October, and no use of the exposed backend. It's possible that the ransomware attack resulted in the developer abandoning the app and all its data (which may still be available to the black hat for future attacks or for sale on the dark web).
Zikto is an activity monitoring and fitness application utilizing an unsecured and ransomed ElasticSearch instance. As shown in Appendix B, the userdata index exposes the PII of over 13,000 users.
Interestingly, there is a ransomware index, pleasereadthis, however it is missing the ransom demand. We are unsure if the attempt to insert data failed, was deleted by someone else, or removed by the author. Sometimes, the attackers show no better attention to detail than the developers who left the backend exposed!
Our research has identified over 1,000 apps that expose data due to HospitalGown. These apps aren’t contrived examples made for demonstration, but are real apps found in Google Play and the Apple App Store – and more importantly, on our customers’ devices. Some have tens to hundreds of thousands of downloads.
The HospitalGown vulnerability isn’t just theoretical. Hundreds of apps are leaking terabytes of data, all due to failure to secure the backend data stores. We recommend that, where possible, enterprises refrain from using HospitalGown apps that access or send sensitive information. If the use of an app impacted by HospitalGown is necessary, we suggest contacting the app developer or vendor to verify that the backend server has been secured.
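What "secured" means in practice for an ElasticSearch backend, as an added example that is not from the article or from either app's deployment: the first document is the configuration pattern that produces a HospitalGown exposure, the second is the minimal hardened form. It assumes Elasticsearch 5.x or 6.x with the X-Pack security module installed and licensed; without it, core Elasticsearch of that era ships with no authentication at all, so the node must instead sit on a private network or behind a reverse proxy that authenticates every request.

```yaml
# elasticsearch.yml -- weak: reachable from the Internet, no credentials required.
# (Elasticsearch 1.x bound to all interfaces by default; 2.0+ defaults to
# loopback, so this exposure is usually an explicit setting like the next line.)
network.host: 0.0.0.0        # listens on every interface
http.port: 9200
# no xpack.security.* settings: GET /_cat/indices and GET /<index>/_search succeed for anyone
---
# elasticsearch.yml -- hardened (assumption: X-Pack security available and licensed).
network.host: 127.0.0.1      # or only the private address of the application tier
http.port: 9200
xpack.security.enabled: true # REST and transport calls require a user or API credential
```

After the change, verify from a host outside the network: `curl -i http://<backend>:9200/` should return 401, and `GET /_cat/indices` should return 200 only when sent with valid credentials. Note that a single node-level password embedded in the mobile app only moves the secret from the server into the APK or IPA; user data still needs an application-level authorization layer in front of the store.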
Appthority offers mobile admins the ability to prevent new exposures to this type of data leakage, and, if already susceptible, identifies the problem for proper incident response and prevents further damage. Appthority customers are currently protected against HospitalGown for both ElasticSearch and Redis backends. Support for additional storage types is in the works.
Appthority customers should remediate any apps found with the HospitalGown vulnerability until the app developers secure their backend. Note that remediation may require finding an alternate app to use until the app developer has confirmed that the backend data store is no longer exposed.
Appendix A – CitaHealth
CitaHealth is a healthcare application utilizing an unsecured and ransomed ElasticSearch instance.
The applications are described (via Google Translate) as follows:
The objective of the application is to improve the relationship between patients and CHR Liège. It allows patients to give their consent and to communicate their health information to the CHR Citadelle. This information is collected via the Health app. It allows practitioners to prepare for consultations by analyzing the information received a priori and to carry out analyzes on their patients as a whole. The objective of these analyzes is the continuous improvement of care plans and treatment. The application also allows practitioners to collect information by specialty (i.e., post-operative follow-up, monitoring of headaches, etc.) to improve personal and collegial follow-up of patients.
(The CitaHealth application is an ongoing test and the encoded data is not used)
The applications ask users questions such as the following (translated from French; resource names unchanged):
- <string name="IsPainIntense">When you have a headache, is the pain intense?</string>
- <string name="IsGlobalCapacityToExecuteTasksAltered">Is your ability to carry out your usual daily activities, that is, household chores, work, studies or activities with others, limited because of your headaches?</string>
- <string name="QuestionThreeLabelText">When you have a headache, would you like to be able to lie down?</string>
- <string name="IsYourPeriodOn">Are you menstruating?</string>
- <string name="NumberOfPills">Number of medications</string>
The application also collects health data. On Android it utilizes the Samsung Health SDK. On iOS it uses built-in capabilities.
Users can create an account via the app and are restricted to a 4-digit PIN to safeguard their data. The PIN only gates the app's user interface; with no authentication on the backend, it is readable alongside the very records it is meant to protect.
Because the application uses an unsecured backend, we can simply browse all of the users' data.
The account KingRoland was created for research validation and is not an actual CHR patient. In the users index we get access to the account's:
- date created
- pin code
The health_headache and health_hit6 indices contain questionnaire answers.
Other indices make available data recorded via the Samsung Health SDK and iOS health
While there are more indices with health data, the most concerning index is the one reporting the data being ransomed.
Based on the users index and Google Play install counts, the application appears to have been limited to under 200 installs. Additionally, the applications have seen no updates since October 2016. The applications' lack of adoption would appear to be the only thing protecting people from loss of their health data.
Appendix B – Zikto