{"id":2342,"date":"2020-06-19T16:24:37","date_gmt":"2020-06-19T16:24:37","guid":{"rendered":"https:\/\/filter.watch\/en\/?p=2342"},"modified":"2020-06-22T09:57:00","modified_gmt":"2020-06-22T09:57:00","slug":"data-insecurity-on-irans-localised-internet","status":"publish","type":"post","link":"https:\/\/filter.watch\/english\/2020\/06\/19\/data-insecurity-on-irans-localised-internet\/","title":{"rendered":"Data Insecurity On Iran\u2019s Localised Internet"},"content":{"rendered":"

With our ever increasing dependency on online and digital services, there has been a global rise in the number of data leaks, leaving users and businesses more vulnerable to cyber attacks.\u00a0<\/span><\/p>\n

This problem is no different in Iran, which has experienced a series of major data leaks in recent years. A particularly significant data leak\u00a0 incident took place in March this year, when the data from 42 million Iranian Telegram users was leaked online, a figure that could represent up to half of the country\u2019s population. Within days, yet <\/span>another<\/span><\/a> data leak affected the \u2018Sib\u2019 app, with the leaked data from the reportedly being posted online for sale for $500. <\/span><\/p>\n

So far, the response from Iranian authorities has been inadequate, failing to take actions to prevent similar leaks in the future or to safeguard users that have found their sensitive data readily available online against potential online attacks.\u00a0<\/span><\/p>\n

We believe that Iranian internet users are made particularly more vulnerable to these data leaks due to two facts that persist in the landscape of Iran\u2019s internet policy: lack of comprehensive and meaningful data protection frameworks in Iran, and a far-reaching internet localisation agenda implemented under the National Information Network.\u00a0\u00a0<\/span><\/p>\n

In this edition of Filterwatch, we examine a number of recent major data leak incidents in Iran, the effects of the National Information Network on online privacy and data protection, and outline the steps that need to be taken by policy-makers and tech companies in order to protect Iranains from similar leaks in the future.\u00a0<\/span><\/p>\n

How was the Data Leaked Online?\u00a0<\/b><\/p>\n

On 31 March it was <\/span>revealed<\/span><\/a> that data from 42 million Iranian Telegram users had been leaked online. According to security researcher Bob Diachenko, the data was posted online by a group known as <\/span>Samaneh Shekar<\/span><\/i> (\u2018Hunting System\u2019). The data was posted as a cluster on Elasticsearch \u2013 an open source search engine for data and analytics \u2013- and did not require a password or authentication to access.<\/span><\/p>\n

The data remained exposed online for 11 days before it was reported to the hosting provider by Diachenko, and the Elasticsearch cluster was eventually deleted on 25 March. According to Diachenko, after contacting MAHER \u2013 Iran\u2019s computer emergency response team \u2013 the server for Hunting System was taken down. However, before the data disappeared, it had already been accessed and posted on at least one other hacker forum, and was being sold online.\u00a0<\/span><\/p>\n

The data set is described as containing 42 million user data records originating from Iran, including account IDs and usernames, phone numbers, and hashes (unique codes relating to the accounts stored on the server).\u00a0<\/span><\/p>\n

In a statement, Telegram announced that the leaked information was scraped from two popular \u2018forked\u2019 versions of Telegram known as HotGram and Golden Telegram (also known as Talagram or Telegram Talaei). The two apps were created using Telegram\u2019s open source code following the <\/span>blocking<\/span><\/a> of the official Telegram app in 2018, and were believed to have ties to Iran\u2019s security and intelligence organisations. We previously raised concerns about the two apps\u2019 <\/span>security<\/span><\/a> when they first emerged. The servers for the two apps, based inside Iran, were <\/span>\u201cturned off\u201d<\/span><\/a> in June 2019 by their developer company.\u00a0<\/span><\/p>\n

Telegram\u2019s statement has not been independently verified. Some <\/span>reports<\/span><\/a> also suggest that the leaked data include user account details \u201cassociated with active users of the official Telegram app\u201d, and that user records were \u201caccessed as recently as March 2020\u201d.<\/span><\/p>\n

Those whose data has been leaked are now said to be vulnerable to phishing and SIM swap attacks, and the leaked information can be used to target these accounts.\u00a0<\/span><\/p>\n

Further <\/span>investigations<\/span><\/a> reported that the server was registered under the name of Manouchehr Hashemloo, who was using the same email address as a well-known Iranian hacker known as ArYaIeIrAN. The hacker is said to be associated with a government-sponsored hacking group known as Charming Kitten, which has previously been involved with operations targeting activists and journalists.<\/span><\/p>\n

Iranian Government's Inadequate Response<\/b>\u00a0<\/span><\/p>\n

The authorities\u2019\u00a0 responses to the data leak were wholly inadequate, as various organisations failed adequately to prioritise the security and safety of those whose data was compromised. Standard response practices were not followed, and potentially at-risk individuals were not notified. The developers behind the two apps \u2013 Smart Land Solutions \u2013 appear to have offered no reaction.\u00a0<\/span><\/p>\n

On 31 March - the same that the data leak was made public - Amir Nazemi, Deputy ICT Minister and Head of the Information Technology Organisation of Iran, <\/span>tweeted<\/span><\/a> that the website named \u201c[Samaneh] Shekar\u201d, hosted by an Iranian company known as Raspina, has been identified and was being reported to the prosecutor\u2019s office for legal proceedings. A day after Nazemi\u2019s tweet, Raspina <\/span>denied<\/span><\/a> providing hosting services to the website, stating that it only provided co-location services.\u00a0<\/span><\/p>\n

In another <\/span>tweet<\/span><\/a> on 1 April, Nazemi sought to address those questioning the lack of action about the incident stating that according to the Supreme Council for Cyberspace\u2019s (SCC) 44th resolution, Iran\u2019s Cyber Police (FATA), is responsible for dealing with data security issues in the private sector.\u00a0<\/span><\/p>\n

MAHER also <\/span>published a statement<\/span><\/a> addressed to government organisations and business owners. In the statement they blamed the data leaks on unsecure or low-security data clusters. MAHER further announced that from March 31 it had begun observing any unsecure data banks and would notify their owners (should they be identifiable). It was added that if the issue was not rectified by those responsible after they were notified, they would be referred to the prosecutor's office.\u00a0<\/span><\/p>\n

However, MAHER reiterated that the SCC\u2019s resolution for \u201c<\/span>National System for Prevention and Combating Incidents in Cyberspace<\/span><\/a>\u201d referred incidents relating to private businesses (such as apps or private banks) to Iran\u2019s Cyber Police (FATA).\u00a0<\/span><\/p>\n

FATA has made no public statements about the data leaks, nor provided any information about if and how victims of the data leak would be notified. Also significant is the fact that the developer company for the two forked Telegram apps, Smart Land Solutions,\u00a0 has not reacted to the incident nor been held accountable by FATA or other authorities. Some have interpreted this as a further indication that the apps were linked to the government.\u00a0<\/span><\/p>\n

Iran Does not have a Data Protection Framework\u00a0<\/b><\/p>\n

The response from the Iranian government and relevant authorities towards data leaks has been disjointed and inadequate. It has failed to identify how or who was behind the data leak, or to make a statement on how subsequent threats to users will be appropriately addressed. Iran\u2019s total lack of comprehensive or meaningful legal data protections for users is a primary contributor to the lack of action in this situation.<\/span><\/p>\n

The only attempt so far to <\/span>introduce<\/span><\/a> data protection measures was made in 2018, when the ICT Ministry introduced the draft \u201cData Protection and Online Privacy Bill\u201d. This bill has failed to make any progress since it was sent to the Cabinet for approval in 2018, despite the fact that its provisions prioritised internet localisation over user security. A few other pieces of legislation such as the Computer Crimes Law (CCL) (2009\/2010) and the Electronic Commerce Law (ECL) (2004) make limited reference to data protection and privacy, but are very limited in scope and application.\u00a0<\/span><\/p>\n

The CCL, for example,<\/span> sets out<\/span><\/a> criminal penalties for defamation and theft of data \u201cbelonging to others\u201d. Article 1 criminalises \u201cillegal access\u201d to computer and telecommunication systems \u201cprotected by security measures\u201d, but fails to define \u201csecurity measures\u201d and appears only to apply to government data and not to individuals or non-governmental bodies. Further provisions of the CCL prohibit the implementation of basic security measures, rendering users vulnerable to data leaks as well as surveillance. Article 10, for instance, prohibits \u201cconcealing data, changing passwords, and\/or encoding data that could deny access of authorised individuals to data, computer and telecommunication systems\u201d. It is worth noting, however, that we have not yet observed the enforcement of this article in practice.\u00a0<\/span><\/p>\n

The ECL contains some privacy and data protection provisions, however, these only apply to online commerce and transactions and do not have wider da. These are consequently insufficient to address the complex issues of the right to privacy online and data protection raised by general data leaks.<\/span><\/p>\n

While the \u201cData Protection and Online Privacy Bill'' remains dormant, the SCC has adopted other concerning measures that drastically depart from the principles of data protection and privacy. In August 2019 the SCC approved the text of the \u2018Digital Identity Verification Resolution\u2019, which was <\/span>published<\/span><\/a> in October 2019.\u00a0<\/span><\/p>\n

Some of the resolution\u2019s main objectives are:\u00a0<\/span><\/p>\n