In recent months, Israel’s health and education ministries have been promoting a coronavirus testing program in the country’s schools in an effort to spot and curb any new outbreaks of the virus in the schools.
The program, dubbed Magen Hinuch (“education shield” in Hebrew), has now been found by information security researchers to have inadvertently exposed confidential information about students and parents, including medical information.
The purpose of the program appears entirely appropriate, but suspicions arose after parents at the school attended by the daughter of Noam Rotem - one of Israel’s better known ethical hackers and co-host of Israel’s Cyber Cyber podcast on all things hacking - received information from the school about the program. Some of the parents, Rotem among them, became suspicious.
The parents’ suspicions were soon borne out when it was discovered that information of thousands of students who were tested as part of the program could be obtained by outsiders with relative ease.
Cyber Cyber and Haaretz also discovered that the contract to run Magen Hinuch had not been issued by either ministry through an orderly bidding process. It was actually an offshoot of another program that the Health Ministry had approved. Despite being an offshoot, the program has the potential to expand dramatically, flaws and all, with little oversight.
The program’s security breach was initially discovered by Ilya Kanterman, a quality assurance specialist, who immediately reported it to the National Cybersecurity Authority and then to Rotem and his co-host at Cyber Cyber, Ido Kenan. He found that the application programming interface used by the AMN group firm Target Market, one of the companies awarded the job of running Magen Hinuch, was wide open: anyone who wished to access it could do so, with no authentication required. The API - the interface through which developers’ software talks to the system - was the origin of the flaw.
“It tells them which parameters need to be sent and what they need to see to get [output] back,” Rotem said in explaining what an API does. But when an API is reachable from the internet and the system has no other means of protection, such as authentication or per-user access checks, anyone can use the documented calls to extract data from the system at will.
Rotem and data researcher Ran Locar examined the API and found that by calling one of its data-retrieval endpoints they could obtain the complete list of institutions participating in the program.
And it wasn’t just information on the institutions themselves. The pair tested another endpoint and found that they could also retrieve the records of thousands of students, including their I.D. numbers, full names, grade level and class number, and their parents’ full names.
Beyond that, the same records exposed the students’ medical status: whether they were vaccinated against the coronavirus, whether they were healthy and whether they had refused a COVID test.
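To make the failure mode concrete, here is an added example (not code from Magen Hinuch, Target Market or the researchers; the endpoint names, tokens and student records are hypothetical and constructed). It contrasts an API that answers anyone with one that requires a bearer token, restricts each caller to its own institution, and strips the parent and medical fields from the response, and it shows how the open version lets an outsider walk the institution list and dump every record.

```python
"""Open API versus authenticated, scoped API. Added illustration; all names,
tokens and records below are constructed for the example."""
import hmac

# Constructed sample records with the kinds of fields the article lists.
STUDENTS = [
    {"id": "000000018", "name": "A. Levi", "institution": 101, "grade": 4, "cls": 2,
     "parent": "B. Levi", "vaccinated": True, "healthy": True, "refused_test": False},
    {"id": "000000026", "name": "C. Cohen", "institution": 101, "grade": 5, "cls": 1,
     "parent": "D. Cohen", "vaccinated": False, "healthy": True, "refused_test": True},
    {"id": "000000034", "name": "E. Mizrahi", "institution": 202, "grade": 3, "cls": 3,
     "parent": "F. Mizrahi", "vaccinated": True, "healthy": False, "refused_test": False},
]


def _inst(params):
    """Parse the optional ?institution= parameter; None if absent or malformed."""
    try:
        return int(params["institution"])
    except (KeyError, TypeError, ValueError):
        return None


# --- Vulnerable shape: no authentication, no scoping, full records returned ---
def open_api(path, params, headers):
    """Hypothetical unauthenticated endpoints. Returns (status, body)."""
    if path == "/institutions":
        return 200, sorted({s["institution"] for s in STUDENTS})
    if path == "/students":
        inst = _inst(params)
        return 200, [s for s in STUDENTS if inst is None or s["institution"] == inst]
    return 404, None


def dump_everything(api):
    """What an outsider can do: list institutions, then pull each one's students.
    Returns every record obtained, or [] if the API refuses the unauthenticated caller."""
    status, insts = api("/institutions", {}, {})
    if status != 200:
        return []
    out = []
    for inst in insts:
        status, rows = api("/students", {"institution": inst}, {})
        if status == 200:
            out.extend(rows)
    return out


# --- Hardened shape: bearer token, per-institution authorization, field filtering ---
# Token -> (role, institution the holder may see). Hypothetical; a real service
# would validate tokens issued by its identity provider instead of a static table.
TOKENS = {"school-101-token": ("school", 101), "school-202-token": ("school", 202)}
SAFE_FIELDS = ("id", "name", "grade", "cls")  # parents and medical status never leave the server


def authenticate(headers):
    """Return the principal for a valid 'Authorization: Bearer ...' header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, principal in TOKENS.items():
        if hmac.compare_digest(presented, token):  # constant-time comparison
            return principal
    return None


def hardened_api(path, params, headers):
    """Same endpoints, but every call is authenticated and scoped to the caller."""
    principal = authenticate(headers)
    if principal is None:
        return 401, None
    _role, own_inst = principal
    if path == "/institutions":
        return 200, [own_inst]  # a caller learns only about its own institution
    if path == "/students":
        if _inst(params) != own_inst:
            return 403, None  # object-level authorization, not just a valid token
        return 200, [{k: s[k] for k in SAFE_FIELDS}
                     for s in STUDENTS if s["institution"] == own_inst]
    return 404, None


if __name__ == "__main__":
    print("open API leaks", len(dump_everything(open_api)), "full records")
    print("hardened API leaks", len(dump_everything(hardened_api)), "records to an outsider")
```

The point of the second version is that three separate controls are needed: authentication (who is calling), authorization (which institution that caller may read), and data minimization (which fields the response carries at all). An API that only had the first would still let any legitimate school pull every other school's medical data.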
After it became clear the extent to which data from Magen Hinuch was exposed, the researchers immediately informed Shaul Ben-Shushan, the Education Ministry’s cybersecurity director.
Ben-Shushan was himself shocked to learn about the system’s existence and told Rotem that it had never undergone an information security approval process by the Education Ministry. If it had been inspected by the ministry, it would have never become operational, Ben-Shushan said, certainly not with the official sponsorship of the Education Ministry.
And then comes the strange bureaucratic twist in this cybersecurity saga: While the parents’ details were exposed online, Rotem and his colleagues, as well as this reporter, had trouble finding something else that should actually be online – information on the bidding process for the creation of such a wide-ranging Education Ministry program. Hours of online sleuthing revealed that this program is but an offshoot of another Health Ministry project – Magen Avot v'Imahot, which was primarily designed to carry out coronavirus testing at retirement homes and other nursing facilities.
The request for bids for that project was an effort to find an alternative to expensive testing by the Magen David Adom emergency medical organization. There were in fact two successful bidders for the project, including Target Market from the AMN group.
For the most part, Target Market is involved in event production, including for example the 2020 Independence Day torch-lighting ceremony, a conference sponsored by the Israel Hayom daily on U.S.-Israel relations and the Jerusalem marathon. It is also engaged in project management and sales distribution, but recently it began offering coronavirus testing services to companies in conjunction with the Sheba Medical Center at Tel Hashomer.
According to documents on the Health Ministry website, Magen Avot v'Imahot was designed to provide coronavirus testing to more than 89,000 people at more than 1,300 institutions. By contrast, according to data on the Education Ministry website, there are more than 1.8 million students attending elementary and secondary schools in Israel. But the invitation for bids to run the program aimed at seniors lacked any reference to plans to expand the program to the entire education system and youths.
The only reference to a possible expansion of the program gives no indication of such a major plan: “The [medical] sampling will be taken for the most part at nursing institutions as part of the Magen Avot v'Imahot program, but the bid committee has the option of approving and asking the supplier to conduct other sampling as needed that cannot be foreseen at the time of the invitation for bids, including a drive-through testing facility and/or sampling at a site to which those being tested would be invited and/or the supplier would come to a site to which the ministry directs to collect samples and/or the supplier would carry out sampling at a special facility (such as drive-through),” the document states in part.
When asked by Haaretz for comment, the Education Ministry said that Target Market “works with the Health Ministry and therefore a response should come from them,” meaning the Health Ministry. When Haaretz then noted that the Magen Hinuch program is run through the Education Ministry’s school system, the ministry said it was not involved in the program.
The Health Ministry did not respond to messages from Haaretz.