The Telangana Police TS-COP Breach could have been worse

The breach indicates the police department has ignored conducting security audits or even having basic oversight over the system integrator.

By Srinivas Kodali

Published Jun 11, 2024 | 11:32 AM Updated Jun 11, 2024 | 11:32 AM

The Telangana Police networks have been hacked by a threat actor who goes by the name of Adm1nFr1end on BreachForums. The threat actor has been selling access to both citizen data and internal police data.
The actor shared only a few data modules from inside these complex policing network systems. The breach could have been much worse because the Telangana Police networks were full of security loopholes and followed no major security practices.
While the TS-COP mobile application is not publicly available on the Google Play Store, privately distributed Android package files (APKs) of it are easily found on malware analysis platforms like Koodous.
The breach indicates the police department has completely ignored conducting security audits or even having basic oversight over the system integrator.
The app’s developer and system integrator, WIN C IT Services, has clearly ignored basic security practices by embedding plaintext passwords to access several third-party and internal policing systems. WIN C IT Services was registered in 2017, and TS-COP was announced by the police in 2018. For a company registered just a year earlier, winning a police contract this big is unusual.
While the threat actor has only announced basic details of the breach, every technical system of the Telangana Police has been shut down for maintenance. From e-challan portals to the TS-COP website, everything is down, indicating the police shut down their entire network. While the police have not issued any formal statement on the breach, their actions indicate they are taking it seriously.

Networked vulnerabilities

TS-COP is an app built on top of the Crime and Criminal Tracking Network and Systems (CCTNS). This means TS-COP allows police to access a series of criminal databases and computer systems. This includes access to FIRs, criminal profiles, facial recognition systems, CCTV cameras, cell tower information, and information from other state police departments. Thus, a breach of the Telangana police network won’t just leak information about the state police but also about other state police departments.
The TS-COP app enables real-time policing for Telangana police by giving them access to real-time information. The application is networked to several third-party service providers that provide surveillance services to the Telangana Police.
Some companies, like Zebi-chain, provide real-time access to hotel check-in data across Hyderabad. Other service providers, like Verify 24*7, provide criminal record-checking services to the police department.
The threat actor seems to have breached not the entire network but a few key portals, including the Tscop portal, Telangana police SMS service portal, and the Hawk-eye app databases. The threat actor’s posts suggest that he had access to the Telangana police’s internal systems. However, the scale of the attack could have been much larger given the number of vulnerabilities in how this centralised surveillance system is designed.

Will there be accountability?

This breach indicates the larger systemic issues in our policing systems and how critical information systems are designed. No publicly available information or manual exists about TS-COP and what this app does for the police department.
The police department has built a black box system that centralises all the information of every resident in Telangana, not just people with criminal histories.
The Criminal Procedure (Identification) Act, 2022 allows the police to store criminal profiles and other personal information of anyone accused of a crime for 75 years. But the police have been extending this to every other individual and abusing these laws without informing the citizenry about their policing practices.
The breach of Telangana police networks indicates a larger problem in our society, where the police think they are above the law and can do whatever they want.
The centralisation of this information without basic security practices indicates that anyone inside the police department can access all of our information and use it for different purposes, including spying on democratic opposition.
The timing of the breach, along with the recent investigation by Telangana police into how rogue intelligence officials have abused access to surveillance tools, should come as a cautionary tale to the public. But what actions will the police take to address several issues of cybersecurity, citizen privacy, the rule of law, and corruption among police that allow such large-scale applications to be built with zero accountability?
Unless the general public demands accountability of the police department, this abuse of power by the police will continue, including forcing broken software on the population.
(Srinivas Kodali is a hacktivist and researcher on digitisation based in Hyderabad. Views are personal.)