CCC hacks digital “corona lists”
Members of the Chaos Computer Club (CCC) discovered and reported several vulnerabilities in a widespread cloud system for hospitality companies. Several million sensitive data records from corona lists and reservations were visible. The data went back up to ten years. The cloud service has been informed and, by its own account, has fixed the vulnerabilities. The CCC recommends avoiding cloud solutions and advises collecting data where it is needed – in the restaurants.
The Chaos Emergency Response Team (CERT) is known to many as the medical and fire protection team at CCC events. But even when there are no events, CERT is always committed to the security of its surroundings.
Digital corona lists
During a joint restaurant visit, members of the CERT were asked to register on a digital “Corona list”. The host restaurateurs apparently wanted to make the mandatory data collection modern and uncomplicated – with the help of cloud software.
Their grandiose promises about the security of the recorded data aroused both suspicion and altruism in the CERT team. As expected, the system was in acute need of medical and fire protection measures by special forces from the CCC.
Over 87,000 corona data records and 5.4 million reservations
Various weaknesses made it possible to access a total of 87,313 corona contact surveys from 180 restaurants that actively used the system*.
In the affected system, however, not only corona lists, but also reservations, orders and cash register sales were saved. The cloud service advertises that it processes over 96 million euros in sales per month from 7.7 million customers and 600,000 reservations via the system*. Personal data of visitors is mainly recorded when making reservations and corona registrations.
Overall, access to 4.8 million personal data records from over 5.4 million reservations was possible, as confirmed by the cloud service*.
Data goes back over a decade
The CERT was astonished to find that personal data is stored in the system, some of which goes back a whole decade. The cloud service sees itself as a “processor” and places the responsibility for deletion with the restaurateurs. They, in turn, often did not seem to be aware of this and understandably trusted the full-service cloud.
Lack of rights management
A faulty check of access rights made it possible to obtain full administrative access to all data stored in the system in no time at all. Other errors in the API allowed users without special rights to access sensitive data that was not intended for their eyes. For example, Restaurant A was able to access the corona data of Restaurant B.
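The class of flaw described above, sketched as an added example (not code from the affected service, whose implementation the report does not describe): a lookup that authenticates the caller but never checks record ownership, beside versions that enforce the tenant boundary on every access. All names and sample records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    restaurant_id: str
    role: str  # taken from the server-side session, never from the request

class Forbidden(Exception):
    pass

# Constructed sample data: contact records of two restaurants in one shared store
RECORDS = {
    1: {"restaurant_id": "A", "guest": "guest-1@example.org"},
    2: {"restaurant_id": "B", "guest": "guest-2@example.org"},
    3: {"restaurant_id": "B", "guest": "guest-3@example.org"},
}

def get_record_unchecked(user, record_id):
    """Flawed pattern: the caller is logged in, but ownership is never checked."""
    return RECORDS[record_id]

def get_record(user, record_id):
    """Hardened: every object access is checked against the caller's tenant."""
    record = RECORDS.get(record_id)
    # Same error for "missing" and "foreign" so record ids cannot be probed
    if record is None or record["restaurant_id"] != user.restaurant_id:
        raise Forbidden("record not available")
    return record

def list_records(user):
    """Listings are filtered by tenant on the server, not by the client."""
    return [r for r in RECORDS.values()
            if r["restaurant_id"] == user.restaurant_id]

def export_all(user):
    """Cross-tenant access requires an explicit, server-assigned role."""
    if user.role != "platform_admin":
        raise Forbidden("admin role required")
    return list(RECORDS.values())
```
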
Insufficiently protected passwords
Inadequately protected passwords could also be retrieved with a simple API request. The CCC's disaster control team found not only hashes but also passwords in plain text. A modern hashing method was used for newer accounts. Nevertheless, in a sample, over 25% of the passwords could have been recovered from their hashes. Trivial passwords like “1234” indicated the lack of an adequate password policy.
The risk of poorly protected passwords extends beyond the service concerned, because users often tend to use the same password for several accounts.
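The three defenses this section implies, as an added example (not the service's code): a password policy that rejects trivial choices, salted scrypt hashing from the Python standard library, and an API serializer that works from an allow-list so credential fields never leave the server. Field names, the minimum length and the small denylist are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)   # work factor, tune per hardware
MIN_LENGTH = 12                              # assumed policy value
# Constructed denylist; a real one would be a large list of known-bad passwords
DENYLIST = {"123456789012", "password1234", "passwort1234"}
PUBLIC_FIELDS = ("id", "name", "restaurant_id")  # hypothetical account fields

def check_policy(password):
    """Reject short, denylisted and single-character passwords."""
    if len(password) < MIN_LENGTH or len(set(password)) == 1:
        return False
    return password.lower() not in DENYLIST

def hash_password(password):
    """Return 'salt$digest' (hex). A slow hash does not save a guessable
    password, so the policy is enforced before hashing."""
    if not check_policy(password):
        raise ValueError("password rejected by policy")
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(),
                               salt=bytes.fromhex(salt_hex), **SCRYPT)
    # Constant-time comparison of the derived keys
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def to_api(account):
    """Serialize from an allow-list: new internal fields stay private by default."""
    return {k: account[k] for k in PUBLIC_FIELDS if k in account}
```
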
Generous ordering system
Have you ever waited in vain for food you had ordered? Or were you spontaneously treated to 42 liters of beer in a corner bar in Hamburg? Maybe a Brazilian teenage girl was just enjoying the open API ... Without any further obstacles, it made it possible
- to see the menus of all restaurants and thus
- to initiate or cancel orders for third parties.
All of this, of course, while bypassing every restriction that had been set. Worldwide, limitless service!
Fast response from the cloud provider
All vulnerabilities found were confirmed and documented in writing by the CERT members Sophie, Martin, cwoomio, deinkoks, Lady_Raven, Metal_Warrior, Waveshaper, bubbling and cbro, and reported to the operator, gastronovi, with a request for rectification.
In a swift reaction, gastronovi confirmed all reported weaknesses and began immediate treatment. On the advice of the CCC, the immediate life-saving measures are now also followed by a detailed system diagnosis by trained specialists.
CCC advises against using digital “corona lists”
According to gastronovi, the reported weaknesses have now been cured. Similar weaknesses have also been found in the systems of other cloud services.
“Think first, digital second”, comments Linus Neumann, spokesman for the Chaos Computer Club. “Many digital corona lists were stitched together in a hurry and make data protection promises that are difficult to keep. The security of a paper system, on the other hand, is easy to assess, even for laypeople.”
Established cloud services have often only hastily “converted” existing systems instead of specifically dealing with the security and data protection requirements of contact tracing.
“The sensitive data will then not end up at the restaurant, but in a large pile somewhere on the Internet, where it will wait for interested hackers for the next few years.”
Recommendations for visitors
If your preferred restaurant insists on cloud recording, we recommend new culinary adventures in other establishments.
However, even with paper-based recording, the CCC recommends setting up a separate pseudonymous e-mail address just for this purpose. For example, many free service providers allow incoming messages to be forwarded to the actual email address.
Fifteen minutes of effort ensure data minimization without the risk of missing an important warning.
Recommendations for safe collection
The Chaos Computer Club generally advises against digital corona lists – especially if they save their data in a cloud instead of in the restaurant.
We also use the following paper system in our own hackspaces:
- Each visitor or group receives a separate slip of paper to fill in, so that the data of other guests cannot be viewed.
- The completed slip of paper is thrown into a locked mailbox to protect it from prying eyes.
- The mailbox is emptied into an envelope at the end of the day; the envelope is labeled with the date of the day recorded and sealed.
- The sealed envelopes are kept in a safe place.
- Every day an envelope that has expired is safely destroyed – and a new one is added.
Recommendations to the legislator
The goal of being able to inform visitors quickly in the event of an incident is legitimate and important. Still, a number of unnecessary obstacles have been placed in the way of this endeavor:
- There are increasing numbers of cases in which the lists have been misused for police investigations. Such measures motivate visitors to enter incorrect data in the lists.
- The legislator sees no reason to put an end to this misuse of data. This further undermines the low level of trust that remains.
- In many facilities the lists are openly available, which raises concerns about unwanted contact by other guests.
Carelessly lost trust can now only be regained through clear legal regulation.