Myanmar’s pandemic information website, which provides information about the country’s COVID-19 information app and includes a registration portal for health QR codes for domestic travel during a nationwide lockdown, was subject to a series of cyberattack on Sunday.
The information app, Saw Saw Shar, was developed by the COVID-19 Containment and Emergency response ICT Support Group. It went online in April and functions as a tracing app that logs the travel history of each user and issues reminders about infection hot zones. The app also has a dashboard that visualizes COVID-19 transmissions and infections by region within Myanmar. Yangon residents, in particular, rely on Saw Saw Shar to issue QR codes that allow them to commute within the commercial capital, where a stringent lockdown is in place and only essential workers and registered vehicles can move across townships for essential business.
“The system suffered cyberattacks damaging its operation. Thus, it was suspended at 3:30 p.m. on September 27 to undergo system maintenance and prevent damage. It had to be suspended again after relaunching at night on the same day due to similar attacks,” according to an Facebook post by the Union of Myanmar Federation of Chambers of Commerce and Industry (UMFCCI) on Monday evening.
UMFCCI also said that the system resumed its service at 5:00 p.m. on Monday, September 28, but attacks persisted through the afternoon. “Such attacks are not acceptable and are criminal acts since this system was created to streamline the reopening of the businesses that are essential for the people in Yangon for food and other services, and to help employees of such businesses systematically commute in the city during the stay-at-home period,” the Facebook post read.
Local cybersecurity experts have weighed in on the lack of proactive protection for Burmese citizens’ personal data. “Both the site and application were not designed with security in mind at all. The security of the site as well as application was so bad that people with little or no hacking knowledge have been able to exploit the site and are able to extract the data,” said Lynn Htun, deputy chairman of the Myanmar Information Security Association and a hacker turned security practitioner.
Easy exploits
Saw Saw Shar gave malicious parties straightforward access to a trove of personal data. Lynn Htun explained, “There are vulnerabilities such as users being able to view, edit, and replace other users’ data simply by changing the last digits in the URL string. This goes to show no hacking skills were required to misuse the site and that the site and application lack the very basic security provisions.”
“For example, by simply replacing the photo, the malicious actors are able to print a new QR pass with users’ details attached with their own photo to impersonate [other citizens],” Lynn Htun said. “Our advice to the developers and operators of the site and application is to test the security provisions of the site and application during the UAT [user acceptance testing] phase before it is open to the public for general use.”
Most of Myanmar’s official websites are hosted in Singapore or within Southeast Asia, but Saw Saw Shar’s server is hosted in the US, according to a Whois query performed by KrASIA.
“The server behind Saw Saw Shar is hosted on Microsoft Azure Cloud. The decision has nothing to do with restrictions or regulations, but rather the developer company (MIT) is a reseller for Microsoft Azure,” Lynn Htun said. “However, the irony is that when you sign up for Microsoft Azure, you are not able to choose Myanmar (Burma) in the country drop-down list. In other words, Microsoft Azure is officially not available for purchase or use in Myanmar.”
This points to larger systemic problems, where the officials directing tech-based responses to the pandemic lack basic knowledge for the task. The cybersecurity expert added, “The impact of the server not being located in Southeast Asia ‘currently’ would mainly be latency and access issues. This is also due to the fact that the authorities do not understand basic principles of data privacy. Most of the ministers and members of cabinet are totally oblivious when it comes to the basics of data privacy, data sovereignty, and data classifications. This is the reason why MIT was able to get away with hosting the Saw Saw Shar app on Microsoft Azure cloud. Had the ministers understood even the very basics, this would not have been allowed to happen.”
At the time of this article’s publication, Saw Saw Shar’s website and app are back online.