IAF sign MoU with Uber, image via its official X handle

Indian Air Force signs MoU with Uber: Security concerns, data breaches faced by the ride-sharing app and a lesson from Strava

The multiple data breaches faced by Uber in the past 10 years primarily puts the MoU between the ride-sharing app and the Indian Air Force at risk.

by · OpIndia

On Thursday (17 Oct), the Indian Air Force (IAF) signed a Memorandum of Understanding (MoU) with the ride-sharing app Uber to offer exclusive benefits to serving Air Force personnel, veterans and families.

The development was confirmed by the IAF on X (formerly Twitter). The MoU was signed by Air Vice Marshal Updesh Sharma and Abhinav Mittoo, the senior country General Manager of Uber, to facilitate travel of Air Force personnel and their families.

“The collaboration with Uber represents an important step in the journey towards enhanced mobility solutions for Air Force personnel and families,” the IAF said in an official statement.

At the same time, Uber stated, “We are proud to partner with the Indian Air Force to enhance mobility solutions… This partnership marks a significant step towards digitalisation by adopting shared mobility solutions. Through this MoU, we aim to support the Indian Air Force’s broader vision of leveraging technology for transformative progress”

The IAF is reportedly going to use the ride-sharing app’s tailored enterprise version to facilitate official travel and daily commutes of serving personnel, veterans and their families.

It remains unclear at this point whether the Memorandum of Understanding (MoU) between Uber and the Indian Air Force is legally enforceable in a court of law.

MoU sparks concerns of the public, veterans and experts alike

The MoU has raised concerns about possible compromise of data, location tracking risks, and sharing and access of sensitive information by third-party apps.

Lieutenant General (retd) Kanwal Jeet Singh Dhillon cautioned, “Someone needs to have a serious relook here…You are practically geo-tagging every Air Force personnel, making them vulnerable for live tracking @IAF_MCC. Jai Hind”

Army veteran Major Madhan Kumar tweeted, “If the exclusive benefits is based on a promo code , it means the UBER will have the access to @IAF_MCC personnels name , their contacts, phone no, email I’d & location. Data security in #India ?”

Independent journalist Saikiran Kannan outlined key problems surrounding the MoU between Uber and the Indian Air Force. These include challenges of sensitive data exposure on breach of Uber’s systems, profiling of IAF personnel and tracking of their movements.

At the same time, Uber may be targeted by state-sponsored hackers and compromise of information can lead to disruption of military intelligence and operations.

Journalist Rohit Vats highlighted that if the IAF personnel were to receive coupon codes, then, Uber could use them to create a separate database of such users and their families.

“Depending on the usage rate, over a period, you can have a very large database of numbers tagged as ‘IAF’.Location of mobile number = location of the IAF personnel, or his family. If you go one step further, by hacking into telecom database, external actors can correlate mobile number(s) with exact name of the person,” he cautioned.

Vats further added, “What happens next? Targeted malware into the phones of IAF personnel, tracking their movement, hacking their phone database and information etc. Sky is the limit!”

Uber and its history of data breaches

The ride-sharing app has faced multiple data breaches over the past 10 years and was even found guilty of concealing some of those breaches.

2014: Unknown hackers accessed over 1 lakh names and their driving license numbers of Uber users. They also downloaded information about the bank accounts and domestic routing numbers of 215 users.

2016: Uber was breached by 2 attackers, named, Brandon Charles Glover and Vasile Mereacre. The duo was able to access the personally identifiable information of more than 57 million users. The attackers then sent ransom mail to the ride-sharing app and informed that they had access to Uber’s database.

Chief Information Security Officer (CISO) Joey Sullivan paid the duo $50,000 to delete the compromised data and not disclose the breach. Sullivan kept it under cover and withheld information from other Uber employees and the Federal Trade Commission (FTC).

He later pled guilty to one count each of obstruction of justice and Misprision of a Felony and was sentenced to 3 years probation. Uber was fined $148 million for hiding the data breach.

2022: A hacker bought stolen credentials of an existing Uber employee from the dark web. He then attempted to access the network of the ride-sharing app but the account was protected by Multi-factor authentication (MFA).

He contacted the Uber employee through WhatsApp and impersonated a member of the security team. The hacker kept on pestering the employee to approve the login notification.

When the employee gave in, the hacker had access to the entire Uber network. He then hacked an employee’s Slack account and announced the data breach. However, he did not do anything and simply ‘walked away.’

Strava heatmap episode: A case study

In January 2018, a fitness tracking app called Strava was found publicly displaying a heatmap of exercise routes followed by military personnel of the US, UK and Russia in different bases of the world.

Strava used a mobile phone’s GPS to track the exercise activity of its subscribers. It collects the data and provides insights on one’s performance and concerning others.

The said heatmap, generated from data aggregated between 2015-2017, showed the jogging routes of active military personnel in Syria, Afghanistan, Taiwan and the Falkland Islands. The major security concern was first raised by Nathan Ruser.

Strava was able to access the data since the military personnel had shared their location data with the fitness tracking app. While the location of military bases is often public knowledge, the common routes taken by soldiers are not available publicly.

The app also showed routes where the military personnel underwent light training and heavy training, besides the ones used by aid workers and NGOs in remote areas. The information could have been exploited by hostile governments, secret agencies and terror outfits.

While speaking to BBC, defence correspondent Jonathan Marcus noted, “Each piece of evidence is a fragment, but when added together it could pose a significant risk to security – in this case highlighting the location of formerly secret bases or undisclosed patterns of military activity.”

The multiple data breaches faced by Uber, and the security compromise on the part of Strava highlight the need for better data protection. The MoU between the ride-sharing app and the Indian Air Force (IAF) is thus fraught with risks.

Note: OpIndia has written to the Indian Ministry of Defence, Indian Air Force and Uber. The article will be updated once we receive a response from them.