The Chaos Computer Club (CCC) is Europe’s largest association of hackers. For more than thirty years it has been providing information about technical and societal issues such as surveillance, privacy, freedom of information, hacktivism, data security and many other interesting topics around technology and hacking. Members of the CCC are often consulted by German politicians on digital topics.

Every year between Christmas and New Year they gather at a massive congress to discuss the aforementioned issues and to spend a few days together creating their own hacker utopia.

This year, activists from the CCC seem to be fed up with politicians, who often do not follow the advice given by white-hat hackers and would rather be corporate sellouts than care about internet security, data privacy and computer education.

Here is an (incomplete) summary of some of the most interesting talks from the congress:

The TAN-procedure used by many mobile banking apps is not secure

Vincent Haupert explains the importance of two-factor authentication in secure online banking.

Although two-factor authentication is implemented in online banking via the TAN procedure, this method has been eroded over time. It is now common to have the online banking app and the corresponding TAN app on the same smartphone. Even worse, there is a trend toward implementing TAN requests in the online banking app itself. Security in such apps is provided by something called “app hardening”, which is often implemented by third parties.

This poses severe security risks: the talk shows how such a system can be defeated by compromising the user’s smartphone (e.g. if that user installs a compromised app).

Solution:

  • App hardening should be an additional safety feature and cannot be a replacement for true two-factor authentication.
  • Banks should start taking this seriously. Right now they claim there are no known instances of hacked accounts and therefore they don’t have to build a different system.

 

The infrastructure for electric car charging stations is a security nightmare

Bad news if you are an owner of an electric car.

Fundamental security principles are not implemented in many charging stations:

  • They use the “Mifare” keycard system, which has been known to have security flaws for over a decade. Card numbers can simply be copied and used to create a clone of the card. “It’s like I am paying with a photocopy of my bank card at the supermarket and the cashier is accepting it,” says security researcher Matthias Dalheimer.
  • The communication between the charging station and the billing back end is also poorly secured. The card number is transmitted to the provider – without any encryption at all. This way, card numbers can be stolen and used to create fake cards.
  • The charging stations themselves have USB ports that can be used to feed code into the system. This way, other people’s card numbers can be harvested.

What does that mean?

  • Hackers can charge their car while having other users pay for it.
  • Hackers can manipulate charging stations to pay nothing at all.
  • Owners of charging stations can manipulate the system to bill you more than you actually charged.

People responsible for the system ignore the matter and don’t want to fix the security issues.
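The root problem in the first two points is that a static card number is treated as proof of identity: anything that can present the number (a clone, or a recording from the unencrypted link) is billed as the customer. As an added illustration, not code from the talk or from any charging-station vendor, the Go program below puts that UID-only check next to a keyed challenge-response check, in which the back end issues a fresh random nonce and the card must answer with an HMAC over it using a per-card secret provisioned at enrolment. The card numbers, the secret and the back end are all constructed for the example; it assumes a card that can hold a secret and compute a keyed response, which is exactly what a card whose number can simply be copied lacks.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card models what a charging card presents to a station. A genuine card
// holds a per-card secret that never leaves the chip; a clone only has the
// UID that was copied off the original (secret == nil).
type Card struct {
	UID    []byte
	secret []byte
}

// Answer computes HMAC-SHA256(secret, UID || challenge). Without the
// secret there is nothing to compute, so a clone returns nil.
func (c *Card) Answer(challenge []byte) []byte {
	if c.secret == nil {
		return nil
	}
	mac := hmac.New(sha256.New, c.secret)
	mac.Write(c.UID)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// CloneOf copies only the card number, which is all a reader that merely
// reads the UID ever sees.
func CloneOf(c *Card) *Card {
	return &Card{UID: append([]byte(nil), c.UID...)}
}

// Backend is the billing back end: it knows each enrolled UID and the
// secret provisioned into that card at enrolment.
type Backend struct {
	secrets map[string][]byte
}

func NewBackend() *Backend {
	return &Backend{secrets: make(map[string][]byte)}
}

// Enroll provisions a fresh 32-byte secret for a card and returns the card.
func (b *Backend) Enroll(uid []byte) (*Card, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	b.secrets[string(uid)] = secret
	return &Card{UID: append([]byte(nil), uid...), secret: secret}, nil
}

// AuthorizeByUID is the weak check described in the talk: whatever presents
// a known card number is billed as that customer, so a clone passes.
func (b *Backend) AuthorizeByUID(uid []byte) bool {
	_, ok := b.secrets[string(uid)]
	return ok
}

// AuthorizeChallengeResponse issues a fresh random nonce and accepts the
// card only if it returns the keyed answer for that nonce. A copied UID
// alone fails, and an answer recorded from an earlier session fails too,
// because the nonce never repeats.
func (b *Backend) AuthorizeChallengeResponse(card *Card) (bool, error) {
	secret, ok := b.secrets[string(card.UID)]
	if !ok {
		return false, nil
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(card.UID)
	mac.Write(nonce)
	want := mac.Sum(nil)
	// Constant-time compare; a nil answer from a clone never matches.
	return hmac.Equal(want, card.Answer(nonce)), nil
}

func main() {
	backend := NewBackend()
	genuine, err := backend.Enroll([]byte("04A2B3C4D5")) // constructed UID
	if err != nil {
		panic(err)
	}
	clone := CloneOf(genuine)
	fmt.Println("UID-only check, clone accepted:", backend.AuthorizeByUID(clone.UID))
	ok, _ := backend.AuthorizeChallengeResponse(genuine)
	fmt.Println("challenge-response, genuine accepted:", ok)
	ok, _ = backend.AuthorizeChallengeResponse(clone)
	fmt.Println("challenge-response, clone accepted:", ok)
}
```

The point of the design is that the secret is never sent: only the nonce and the HMAC over it cross the link, so even the unencrypted transport from the second bullet does not hand an eavesdropper anything that can be replayed against a later, different nonce. Encrypting and authenticating the station-to-back-end channel is still necessary for the billing data itself; the challenge-response only fixes who gets billed.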

 

Software for counting and analyzing votes was used in the German election in 2017 despite having several open security issues

In many parts of Germany a software called “PC-Wahl” is used to count votes.

The CCC identified massive security flaws in the software and the corresponding servers. The encryption used was flawed, electronic signatures were lacking, and the web space used for updates wasn’t properly secured.

The CCC actually created an open-source package addressing some of the security issues, but it was not used by the developing company.
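The two flaws named above, missing electronic signatures and a poorly secured update web space, reinforce each other: if clients do not verify a signature, whoever can write to the web space can ship whatever they like as an update. As an added example, not code from PC-Wahl, its vendor or the CCC’s package, the Go program below shows the minimal check that closes that gap: the vendor signs each update with an Ed25519 private key that never touches the web space, and the client verifies the download against a pinned public key before installing anything. The key pair, the payload and the tampering step are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnsigned     = errors.New("update carries no signature")
	ErrBadSignature = errors.New("update signature does not verify")
)

// UpdatePackage is a hypothetical update artefact as it would sit on the
// vendor's web space: the payload plus a detached Ed25519 signature.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// GenerateVendorKeys runs once on the vendor side. Only the public key ships
// with the installed software; the private key stays off the web space.
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate runs on the vendor's release machine.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(priv, payload),
	}
}

// VerifyUpdate runs on the client before anything from the download is
// installed. It needs only the pinned public key, so whoever controls the
// web space cannot produce an accepted update without the private key.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return ErrUnsigned
	}
	if !ed25519.Verify(pub, pkg.Payload, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Tamper models an update that was altered on the web space after signing;
// the old signature is left in place, as an attacker without the private
// key would have to do.
func Tamper(pkg UpdatePackage) UpdatePackage {
	altered := append([]byte(nil), pkg.Payload...)
	altered = append(altered, []byte(" + injected change")...)
	return UpdatePackage{Payload: altered, Signature: pkg.Signature}
}

func main() {
	pub, priv, err := GenerateVendorKeys()
	if err != nil {
		panic(err)
	}
	pkg := SignUpdate(priv, []byte("constructed update payload v1"))
	fmt.Println("genuine:  ", VerifyUpdate(pub, pkg))
	fmt.Println("tampered: ", VerifyUpdate(pub, Tamper(pkg)))
	fmt.Println("unsigned: ", VerifyUpdate(pub, UpdatePackage{Payload: pkg.Payload}))
}
```

Verification does not depend on the transport at all: the download may still come from an insecure web space or over plain HTTP, and a modified or unsigned package is rejected either way. What the check cannot protect against is a compromised release machine or a leaked private key, which is why the private key must be kept away from the update server.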

 

Even though we hear that Twitter is full of social bots manipulating the political discourse, the reality is that social bots are really hard to identify systematically

Data journalist Michael Kreil performed a Twitter network analysis to answer the question: “How can we reliably identify social bots?”

  • A common method is to define a cutoff like 30, 50 or 100 daily tweets and then simply state the rule: “Everyone who tweets more than that is a bot.”
  • Researchers from the University of Oxford proposed that a social bot can be identified by its posting more than 50 times with a certain political hashtag during an event.

These rules were investigated and shown not to be effective at identifying bots.

A reliable method for automatically identifying bots is currently non-existent.

The impact of social bots, however, is probably overstated. Kreil argues that what we call “fake news” is nothing more than memes that are shared excessively and have a huge reach. But they are probably not a threat to the political discourse.

 

China is about to implement a mandatory social credit system in 2020 that aims to keep Chinese citizens obedient

Katinka Kühnreich told us about China’s newest attempt to create obedient citizens: A gamified online social credit system (SCS).

Social rating systems already exist in China, but in 2020 it becomes mandatory for Chinese citizens to use one. Right now there are many different governmental SCSs in different regions. Additionally, eight companies are allowed to run private SCSs (e.g. Alibaba, Tencent).

Here is how it works:

The system uses big data and machine learning to create a score for each citizen that rates how good he or she is.

Alibaba’s social credit system, for example, takes various online and offline data as input:

  • activity from your social media profile
  • data from payments and products bought
  • data from authorities like courts, debtors registry
  • data from its dating app Baihe
  • and more…

So if you post an independent news article about the stock market collapse, your score goes down. If you share an article from the official state news outlet about how well the economy is doing, your score goes up.

Your score has real-world consequences: higher scores make it easier to get the paperwork needed for traveling or getting a loan. Penalties for having a low score are being discussed by Chinese authorities, such as lowering your internet speed or restricting the jobs you are able to hold.

Not only your own behavior affects your score, but also the scores of friends in your social media network. Every score is public and can be seen by other citizens. The system tells you if you have a friend with a low score who is dragging your own score down.

We don’t know how the mandatory system will work, as the Chinese government doesn’t give any information to the public. But it is expected that every data input that is useful will probably be used.

Why is China doing this?

  • The system makes sure that deviant citizens are isolated by their friends, by creating a system that “rewards” positive (i.e. government-friendly) behavior instead of using force and oppression, which risks sparking revolts.
  • China is a “transformation society” and has massive social problems.
  • Social control has a long history in China.
  • Since China became a digitized society, it is only natural that control became digitized as well.

Can’t you just avoid the system by using fake names or other services?

  • You cannot use most services, or even make online comments, without true name registration.
  • Digital payment methods are overtaking cash in China.
  • It’s almost impossible to evade the system, which means that starting in 2020, if you are a Chinese citizen, you have to play this game that defines your life (housing, job, school) and the life of everyone you know.

 

Internet-of-Things devices are a security nightmare

There were around 8.4 billion Internet-of-Things (IoT) devices at the end of 2017; unfortunately, many of them have security flaws. Barbara Wimmer gives examples of how the internet of things went wrong:

  • There are many instances where botnets of hacked IoT devices sent spam mails or performed DDoS attacks. For example, a university was attacked by a botnet consisting of its own vending machine, smart light bulbs and 5000 other IoT devices.
  • A smart webcam that a woman had installed to keep an eye on her dog was one day following her instead of her dog, and a voice said “hola señorita” over the integrated microphone.
  • Smart toys with cameras and microphones often have unsecured Bluetooth connections, which means that anyone with a smartphone who is close enough could connect to the toy, listen to the child and even speak to them through the toy.
  • The smart doll “Cayla” was even banned in Germany by law. It is classified as a “prohibited broadcasting station”, and parents who do not destroy it will be fined.
  • Even sex toys are hacked: a vibrator-controlling app records sounds made during sex and stores them on people’s phones without their knowledge. More security research on sex toys can be found at “the internet of dongs”.
  • Digital assistants like Google Home and Amazon Echo collect a lot of data from you, which is sold in various ways to monetize that information. What happens to the data is completely non-transparent to the user. Additionally, both devices have already been hacked and have not proven secure.

As more devices come online the problem will only get worse.

Until now, the best option is to stay away from IoT devices altogether, unless you have made a thorough check of the security features of the device you want to buy. Otherwise you have to assume that it is not safe.

Solutions:

  • Currently, manufacturers do not have to provide essential information about the security of their devices, such as how long the device will receive security updates. Making this information mandatory would be a huge step forward.
  • A security star rating system (similar to energy labeling) for IoT devices would be beneficial for customers to quickly identify secure products.
  • Vendors should be forced to close security holes instead of ignoring them.
  • Vendors should provide us at least with an email-address where we can easily report security flaws.
  • A mandatory offline mode for electronic devices should always exist.
  • Something equivalent to an airbag and seat belt for the digital age would be nice to help less tech-savvy users.
  • Product liability and a clear update policy are needed.

In short: We need more regulation.

The coming “General Data Protection Regulation” in May 2018 is already very helpful.

 

Xiaomi’s vacuum cleaning robot can be used to spy on your home

The vacuum cleaning robot “Mi Robot Vacuum” from Xiaomi uses a camera and a laser distance measurement device to create a detailed map of your home, which is saved on Xiaomi’s servers. All robots use the same initial password “Rockrobo”, which can be exploited by hackers to use the robot to spy on your apartment.

 

‘Electrical Impedance Tomography’ is a low cost non-invasive biomedical imaging method

Jean Rintoul presents a vision of a world where medical imaging is cheap and easily accessible. This would enable preventive scans, as opposed to scans only when something goes wrong.

Electrical Impedance Tomography is a new cheap technique that sounds promising.

  • Advantages: Cheap and good time resolution
  • Disadvantages: Low spatial resolution

The ‘Open Electrical Impedance Tomography Project’ is an open source project that aims to push this technology further, to enable better spatial resolution and to make the technology available to the developing world, which has no access to expensive imaging methods like MRI or CT scans.

 

The blockchain is a revolutionary technology but has some problems to solve in order to be really useful

Zooko, the founder of Zcash, talked about cryptocurrencies.

  • Bitcoin basically is a world ledger
  • Ethereum basically is a world computer

Both have scaling limitations.

  • Bitcoin can only do around 3 transactions per second
  • Ethereum can only run a limited amount of programs per second

Lightning Networks are an attempt to overcome the scaling limitations. Ethereum attempts to solve its scaling issues through something called ‘Sharding’, where they enable programs to be computed through serial processing.

For what have people been using blockchains so far?

  • Mostly gambling… okay okay, let’s call it “investments” – $500 bn at stake, $30 bn/day traded
  • Initial coin offerings (ICOs) (An ICO is a way for startups to get funding by creating a coin on a blockchain and giving it away to investors) – $5 bn in 2017 (some real inventors, many scammers)
  • Retail (e.g. buying games on Steam) – $1 bn/year (Now this is dead. Due to scaling issues you have to pay a transaction fee of $10-40 per transaction, which makes it impractical to use Bitcoin for retail.)
  • CryptoKitties – ca. $20 M so far (This is a game where you can send each other digital kittens. All kittens are unique, and you can breed two kittens with each other to create a new unique kitten. All kittens, and their family trees, are secured to be unique by the world computer Ethereum. It’s ridiculous to the point that the founder of Ethereum, Vitalik Buterin, threatened to leave Ethereum if people won’t use it for useful applications.)
  • “Dark markets” (drugs) – around $100 M/year

Current problems that need to be solved:

  • scale,
  • safety!!! (Total amount of coins that have been stolen: $10 billion in bitcoins, $1 billion in ether)
  • not many applications (there will probably be more games in the near future)

Other interesting points of the talk:

  • Ethereum has a lot of coders trying stuff out on the network. This leads to a network effect, which is a very strong predictor of the success of a software platform or service.
  • Ambitious future tech is sprouting out of the blockchain, like ‘future prediction markets’ or replacing Uber through a blockchain service.
  • Top three countries in crypto trading volume are Japan, US and South Korea in that order.
  • In the US nobody knows which agency has the authority to regulate cryptocurrencies, and there are dozens which are potentially responsible.

 

A questionable database used by banks blacklists innocent people, denying them financial services

Faced with new responsibilities to prevent terrorism and money laundering, banks have built a huge surveillance infrastructure sweeping up millions of innocent people. An accidental leak granted a rare opportunity for journalists to examine a database used to make decisions affecting people and organizations all over the world.

The ‘World-Check’ database is the gold standard for banks to check whether someone is trustworthy enough to pay credit back or is suspected of money laundering. The content of the list is secret.

Questionable sources like ‘Breitbart’ and ‘Stormfront’ are used in the analysis that puts a person in that database, which can lead to that person being denied credit or having their bank account closed.

That resulted in innocent actors suffering, including a mosque that had its bank account shut without explanation, activists blacklisted for a peaceful protest, and ordinary citizens whose political activities were secretly catalogued.

Reuters, who provides the database, says responsibility for critical decisions (like closing a bank account) lies with the banks, while banks in general just trust the database without further research and therefore put the responsibility on Reuters.