It started off as a technical curiosity almost. Thailand’s telecom regulator, the National Broadcasting and Telecommunications Commission last week put out a press release about the success of its registration app for independent SIM card resellers, roughly translated as 2-snap, which had reached a milestone of 50,000 downloads.
The vast majority of Thailand’s mobile base is pre-paid and had never been formally registered, something that has been illegal for a long time but until recently to which nobody has paid any attention. Registration is all good and well, but whoever moves first will be at a major disadvantage compared to others who do not gather customer data.
The 2-snap mobile app uses a smartphone camera to gather the numbers off the SIM card and the subscriber’s ID card and send it to the NBTC for safekeeping, both for new sales and for existing users who are urged to go and register their numbers at any shop with the 2-snap logo.
What started off as an inquisitive .APK (android package) teardown soon grew into a whole list of expletives and face-palming at the way the app was hacked together by someone with the skills of a five-year-old.
By far the worst offence was a whole list of unencrypted username and password pairs just lying there in the code or http requests for anyone with a modicum of inquisitiveness and an Android SDK to see. Some of the passwords themselves were worthy of special mention for their originality - “password_ais” is but one example.
The back-end themselves were mostly https except for two, one major network and one small MVNO. However, trying to access those sites raw usually did not work and spewed out an SSL error.
Ah, the five-year old programmer hired by the NBTC had set a flag which disabled checking certificates against a trusted certificate authority. It appears that companies big and powerful enough to run nationwide telecommunications networks cannot, or will not, go through the ultra-complex task of getting a certificate for their back-end server.
In practice, a lack of a CA would mean it is possible to do a man-in-the-middle attack when sending subscriber information across the internet. Not that anyone would, heaven forbid, ever think of doing such an evil thing to capture the ID cards and phone numbers of people registering their phones. Besides, there was a much easier way.
And the scariest thing of all? One of my sources told me that the usernames and passwords actually worked and allowed him access to the companies’ back-end servers - though of course I would never dream of trying them myself *innocent face*.
The NBTC has made a big deal of SIM registration as a matter of national security over the years. Unregistered SIMs are used by terrorists who plant bombs and kill people.
Yesterday, the NBTC fined Dtac $2 million (62 million baht) for not complying with orders to collect subscriber identification after the supreme administrative court reversed a lower court ruling that went in Dtac’s favour.
It is a pity that Thailand does not have a data privacy commissioner. Perhaps he would now call for a temporary halt to registration in light of the data leakage from the registration app until a proper adult is bought in to re-write the system.
That non-existent privacy commissioner would probably prosecute the regulator for reckless handling of citizen data, but of course someone might perhaps vote twice to absolve them of any wrongdoing again if that were to happen.
Under this climate of fear (Thailand is a dictatorship after all with a decree passed outlawing any criticism of the junta, their work or people working for them), nobody I reached out to dared to speak on the record. One CTO confirmed the findings for me; another C-level exec successfully carried out the intrusion test into a telco’s server.
The most I could get was a generic statement from AIS that they support the regulator in their drive to register pre-paid users. I pressed them on the particular issue of plain text passwords and, understandably, no response was forthcoming.
I asked two at the NBTC for comment. None came. Ditto for a usually outspoken pair of security companies - obviously being able to do business with the junta, sorry - the good people who run the country, matters more than a little annoying privacy breach.
At one level Thailand has a problem with a wishy-washy regulator not being able to enforce registration on everyone at the same time. Whoever moves first will be at a disadvantage and as things have transpired, Dtac is now forced to move first and risk decimating its customer base.
On another level, the way that data is being collected is reckless and should be stopped. The people commissioning the app should be brought to account and sent in for attitude re-adjustment (the phrase Thailand uses for arrest without charge for dissidents under the current state of martial law).
But on yet another level, the country has serious deep-rooted problems. The emperor has no clothes and nobody dares to speak out.