Thanks to Sophos security expert Petter Nordwall for his help with this article.
You know when you call a helpline and a cheery voice advises you that your call may be recorded for a variety of reasons, all of which are supposed to be for your benefit?
Have you ever wondered what happens to all those recordings?
Could something you said confidentially on the phone back in 2014 – personal and private information disclosed during a call to an official medical advice line, for example – suddenly show up in public in 2019?
As millions of people in Sweden are suddenly realising, the answer is a definite “Yes”.
One of the subcontractors involved in running the Swedish medical assistance line 1177 (a bit like 111 in the UK – the number you use for urgent but not emergency medical help) apparently left six years’ worth of call records – 2,700,000 sound files in WAV and MP3 format – on a server that was openly accessible on the internet.
All you’d have needed was a web browser to scroll through and download years of confidential calls.
Ironically, according to Computer Sweden, which published a short video showing a browsing session wandering through the server’s contents, the offending files were available unencrypted over port 443 from a server in Sweden. (The server is now offline.)
To explain.
Web connections need an IP number and a port number to denote the specific service they want from a specific server.
Port numbers are a bit like phone extensions: the main phone number connects you to the front desk, and the extension denotes the specific person or department you want to get through to.
There are thousands of commonly used port numbers – by convention, for example, mail servers listen on port 25, unencrypted web connections (HTTP) on port 80 and encrypted web connections (HTTPS) on 443.
In fact, HTTP and HTTPS are so commonly associated with 80 and 443 that when you write a URL such as http://example.com/, it’s taken as shorthand for the more specific web link http://example.com:80/, where the port number is included explicitly in the URL. Likewise, https://example.com/ is shorthand for https://example.com:443/.
This shorthand almost always works because almost every server that supports HTTPS does so by listening for incoming network connections on port 443.
In this case, however, Computer Sweden reported that by making a regular, unencrypted HTTP connection to the server mentioned above, but using port 443 instead of the usual port 80, the entire contents of a directory tree called /medicall could be viewed.
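The two ideas above (a URL’s port is implied by its scheme unless written out, and a port is just a number, so nothing stops a server from speaking plaintext HTTP on 443) can be turned into a self-check for your own servers. The following is an added example, not code from the article or from any of the companies involved: it resolves the port a URL actually refers to, classifies what a server sends back when it receives a plaintext request on a port that is supposed to speak TLS, and spots an autoindex page of the kind shown in the video. The sample responses are constructed, and the `audit_port` helper is meant to be pointed at hosts you operate.

```python
import re
import socket
from urllib.parse import urlparse

# Default ports implied by the URL shorthand described in the article.
SCHEME_DEFAULT_PORTS = {"http": 80, "https": 443}


def url_port(url: str) -> int:
    """Return the port a URL refers to: the explicit one, or the scheme's default."""
    parsed = urlparse(url)
    if parsed.port is not None:
        return parsed.port
    return SCHEME_DEFAULT_PORTS[parsed.scheme.lower()]


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server returns after receiving a *plaintext* HTTP request.

    A port that genuinely speaks TLS answers a plaintext request with a TLS record:
    0x15 (alert) or 0x16 (handshake), followed by the 0x03 version byte.
    A port misconfigured to serve plaintext HTTP answers with an 'HTTP/...' status line.
    """
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        parts = data.split(b" ", 2)
        status = parts[1] if len(parts) > 1 else b""
        # Apache, for example, replies '400 Bad Request' in plaintext when it receives HTTP on
        # an SSL port; only a 2xx answer means the port is really serving content without TLS.
        return "plaintext-http-ok" if status.startswith(b"2") else "plaintext-http-error"
    return "unknown"


# Apache and nginx both title their automatic directory listings 'Index of /...'.
DIR_LISTING_RE = re.compile(rb"<title>\s*Index of\s+/", re.IGNORECASE)


def has_directory_listing(body: bytes) -> bool:
    """True if the response body looks like a web server's autoindex page."""
    return DIR_LISTING_RE.search(body) is not None


def audit_port(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send a plaintext GET to one of your own hosts on `port` and report what came back."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while sum(len(c) for c in chunks) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # a TLS server may simply stop talking after its alert
    data = b"".join(chunks)
    verdict = classify_response(data)
    return {
        "port": port,
        "verdict": verdict,
        "directory_listing": verdict == "plaintext-http-ok" and has_directory_listing(data),
    }


# Constructed sample responses (not captured from any real server).
TLS_ALERT = bytes.fromhex("15030300020246")  # TLS alert record: fatal, protocol_version
PLAINTEXT_LISTING = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>Index of /medicall/2019/02/18</title></head>"
    b"<body><a href=\"call-0859.wav\">call-0859.wav</a></body></html>"
)

if __name__ == "__main__":
    print(url_port("https://example.com/"), url_port("http://example.com:443/"))
    print(classify_response(TLS_ALERT), classify_response(PLAINTEXT_LISTING),
          has_directory_listing(PLAINTEXT_LISTING))
```

Run against your own hosts, a verdict of `plaintext-http-ok` on port 443 is the misconfiguration the article describes; `directory_listing` being true on top of that means the server is also handing out a browsable index of whatever sits behind it.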
As far as we can see, the calls were conveniently split out into browsable subdirectories like this…
. . .
/medicall/2016/01/01
/medicall/2016/01/02
. . .
/medicall/2017/06/01
/medicall/2017/06/02
. . .
/medicall/2019/02/01
/medicall/2019/02/02
/medicall/2019/02/03
...
…and so on.
From the video, the most recent call that was exposed seems to have a datestamp of 2019-02-18T08:59, which is just over 24 hours ago at the time of writing.
The earliest datestamp visible in the video goes back to 2014-02-25T10:24, although that file is rather confusingly in a directory named /medicall/2013/04/09.
According to a follow-up report from Computer Sweden, the unsecured server also contained information about calls relating to medical transfers – essentially, non-emergency ambulance trips.
What next?
Swedish politicians are, understandably, unimpressed, and the Swedish Data Protection Agency is investigating.
This is a huge breach of public trust, and is probably the biggest test so far of the recent GDPR legislation (General Data Protection Regulation) in the European Union.
GDPR was put in place to force companies to think about security proactively in the hope of avoiding breaches, and is geared toward prevention rather than punishment.
Nevertheless, in most EU countries, GDPR permits significantly harsher punishments than any previous legislation, with fines that can go as high as €20,000,000 or 4% of company turnover, whichever is greater.
In this saga, it looks as though there are several levels of contract and subcontract – as far as we can tell:
- The Swedish public service contracted company X to handle calls to the 1177 number.
- X subcontracted M1 to handle three of the most populous regions in Sweden.
- M1 subcontracted M2 – a Swedish-owned company in Thailand – for overflow and after-hours cover.
- M2 used call centre software supplied by V, whose cloud storage was hosted back in Sweden.
- V’s servers hosted the open-to-anyone voice files.
Where the buck stops in this case, and who will bear the ultimate responsibility, remains to be seen.
What to do?
If you called 1177 in the past few years in Sweden, you may be at risk, but it may be impossible for the IT companies involved ever to find out how many records, if any, were stolen and abused by crooks.
So far, it looks as though only calls made in the Stockholm, Södermanland and Värmland regions were affected – in those regions, a Swedish-owned company in Thailand was subcontracted to handle overflow and after-hours calls, and it looks as though only calls answered in Thailand are part of the breach.
Sadly, therefore, there isn’t much you can do except to wait and see what emerges next from the investigations that are currently under way.
More generally, our advice is as follows:
- If you’re in Sweden, check the official 1177 website (1177.se) for news about your region. Not all regions of the country were affected, and not all calls in the affected regions were included in the breach.
- Consider sticking up for your right not to have your calls recorded. Unfortunately, you may end up waiting longer to be served, given that you often have to wait until a human comes on the line before you can formally opt out. (If sufficiently many of us demand not to be recorded every time we call any sort of helpline, we may eventually make the point that call recording should really be opt-in, not opt-out.)
- Consider how you archive recorded data, including audio and video. With no financial incentive to re-use existing recording tapes, as we used to do in the analog era, it’s easy to let old data pile up indefinitely, just in case. But do you really need years’ worth of private data available online, in real time, in bulk and unencrypted?
- Consider using penetration testing services to look for leaks. Don’t wait until a hacker or journalist comes knocking and finds your badly configured web server listening on a port you forgot about. If you do make a cybersecurity blunder, aim to be the first to find it so you can close it before any harm is done.
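The archiving advice above is easier to act on with a retention sweep that tells you what should no longer be online at all. The following is an added example, not code from the article or from any company mentioned in it. It assumes a date-based layout like the one in the listing earlier (`<root>/YYYY/MM/DD/<file>`), treats the directory date as authoritative, reports rather than deletes so it can run as a dry run first, and separately flags files whose timestamp disagrees with their directory, since the video showed exactly that kind of inconsistency. The sample tree it builds is constructed.

```python
import os
import re
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

# Assumed layout, modelled on the listing in the article: <root>/YYYY/MM/DD/<recording>
DATED_DIR_RE = re.compile(r"^(\d{4})/(\d{2})/(\d{2})$")


def date_from_path(root: Path, file_path: Path):
    """Recover the recording date from the YYYY/MM/DD directory a file sits in, or None."""
    rel = file_path.parent.relative_to(root).as_posix()
    match = DATED_DIR_RE.match(rel)
    if not match:
        return None
    try:
        return date(int(match.group(1)), int(match.group(2)), int(match.group(3)))
    except ValueError:  # e.g. a directory named 2019/02/31
        return None


def sweep(root, retention_days: int, today=None) -> dict:
    """Sort every file under root into 'expired', 'retained', 'mismatch' or 'unparsed'.

    A file whose modification time disagrees with its directory by more than a day is
    reported as 'mismatch' for a human to check, rather than being silently aged out.
    """
    root = Path(root)
    today = today or date.today()
    cutoff = today - timedelta(days=retention_days)
    report = {"expired": [], "retained": [], "mismatch": [], "unparsed": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        dir_date = date_from_path(root, path)
        if dir_date is None:
            report["unparsed"].append(path)
            continue
        mtime_date = datetime.fromtimestamp(path.stat().st_mtime).date()
        if abs((mtime_date - dir_date).days) > 1:
            report["mismatch"].append(path)
        elif dir_date < cutoff:
            report["expired"].append(path)
        else:
            report["retained"].append(path)
    return report


# Constructed sample files: (relative path, modification time to stamp on the file).
SAMPLE_FILES = [
    ("2016/01/01/call-0930.wav", datetime(2016, 1, 1, 12)),
    ("2019/02/18/call-0859.wav", datetime(2019, 2, 18, 12)),
    ("2013/04/09/call-1024.wav", datetime(2014, 2, 25, 12)),  # directory and timestamp disagree
    ("misc/readme.txt", datetime(2019, 2, 1, 12)),  # not in the dated layout
]


def build_sample_tree(root: Path) -> None:
    """Create empty placeholder 'recordings' with the modification times listed above."""
    for rel, stamp in SAMPLE_FILES:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
        os.utime(path, (stamp.timestamp(), stamp.timestamp()))


def demo(retention_days: int = 365, today: date = date(2019, 2, 19)) -> dict:
    """Build the sample tree in a temporary directory, sweep it, and return names per bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        report = sweep(root, retention_days, today)
        return {k: [p.relative_to(root).as_posix() for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket, files)
```

With a one-year retention window and 2019-02-19 as "today", the 2016 recording is reported as expired, the 2019-02-18 one as retained, the file whose timestamp contradicts its 2013 directory as a mismatch, and the stray readme as unparsed. The `expired` bucket is the list to hand to whatever actually purges, or better, moves data to offline, encrypted storage.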
Tommy
I will try to loosely translate the response from the good folks at 1177 without the incompetence getting lost in the translation. This is the CEO of the company that delivered the systems in question: “We don’t know when it happened, during an update someone has simply connected an internet cable to the harddrive. Then it got an IP address, and then it was green light”, “For some reason it have gotten a little cable connected to internet”, “This server is a so called “network attached storage”, NAS. Similar to a big tape recorder”. There are a few more laughable comments from the CEO in the same spirit but this should be enough to get the gist of it.
jet86
Small typo at the end: “pentration” should be “penetration” ;)
Paul Ducklin
Fixed, thanks!
Patrick
And to put those statements in perspective. That was “The little hard drive that could” register at least two different A-records in DNS with “nas” in the name. Shodan has records of the service being up since 2016…
Mary
Sound advice. However, sticking up for not having your calls recorded is difficult when there is no such option, no matter how long you wait. Neither you, nor the nurses that answer the calls can opt-out from recording.
If I remember correctly the caller doesn’t even get any info that the call will be recorded.
Explicit info, including that all calls are recorded is provided [on the 1177.se] site(in Swedish). I guess it’s assumed that everyone has read that before calling…
Paul Ducklin
I guess I can see why a service like 1177 would want to record calls – but if you can’t opt out, how much more important that the recordings not be left lying around for years on a third-party NAS server…