2 min

Security researcher John Wethington found a database of a smart city that could be accessed via the internet without a password. Wethington sent the details of the database to TechCrunch, hoping that the data would be secured again after publicity.

This is an Elasticsearch database with gigabytes of data, hosted by the Chinese tech giant Alibaba. The database contains scans of facial recognition of hundreds of people, made in several months. The client’s database – which was not disclosed by Alibaba – made several references to the cloud platform City Brain, which is driven by artificial intelligence. However, Alibaba denies that his platform was used.

Alibaba also states that the customer has been informed of the problem. “As a public cloud provider, we do not have the right to open the content in a customer database,” said a spokesperson. Just after TechCrunch contacted Alibaba, the database was taken offline.

Smart city

Before that time, however, the online medium was able to view the content in the database. The smart city system monitors the residents around at least two small communities in the east of Beijing. The biggest one is Liangmaqiao. The system consists of multiple data collection points, including cameras designed to collect facial recognition data.

The exposed data contains enough information to determine where someone went, when it was and how long it was. Anyone with access to the data – including the police – can thus get a picture of a person’s daily life. The database processed several details of faces, such as whether someone’s eyes or mouth were open and whether they were wearing sunglasses. In addition, the database contained the estimated age of a person and whether that person is “attractive”.

However, the system also uses facial recognition to determine and label a person’s ethnicity. These include Han Chinese, the largest ethnic group in China, and Uyghur Muslims, a minority who are persecuted in Beijing.


In addition, the system collects data from the police. That information is used to detect suspects. According to TechCrunch, that suggests that it’s the system of a government agency. Every time someone is detected, a warning is given with the date, time, location and a corresponding note. Many of the data that TechCrunch could see contained the names and number of a suspect’s identity card.

Much of this data also contains a reason why someone is being followed. It may be someone who is addicted to drugs, or someone who has just been released from prison.

In addition, the system can track WiFi-enabled devices, such as telephones and computers, using sensors in the district. The database collects the data and times that come through its wireless network radius.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.