... is a certified RC3 Tile Shopping Ultra from Hamburg. Calling him a really old member of the Hamburg CCC scene is not even enough. He is working on Freifunk, which you can see at hamburg.freifunk.net. He is operating Tor nodes and is also involved with Reclaim Your Face, reclaimyourface.eu, written as one word. Behind Public Transit 2.0 is something where he, because of a vulnerability, looked into the back end of one of those systems. So the stage is yours.

Welcome to my talk. Together we are going to look behind the scenes of Public Transport 2.0. The usage of public transport needs to become easier. For example, if I want to get from A to B in Hamburg, then I need to choose my ticket before I ride, and ideally I also want the cheapest one. And I have the choice between various cards: one-day cards, individual cards, group cards, four-times cards, sometimes short-distance, maybe long-distance tickets. And all of those are only valid for different zones within the city, between one and six rings. And I can also get some extension tickets. For this I need to know which exact zones or rings are relevant for me. Two of those are also relevant for time-ticket users, and some of them are not even visible on this map. So if I don't even know that before I take my ride, it's very improbable that I'm going to buy a week ticket, even though after the week it might turn out that it would have been cheaper for me to get this week ticket. The entire problem has a name: it's called a tariff jungle, which is what it's called when the tickets, prices and fees for a service are very complicated. So we need an app that will direct us through this jungle and ideally works for multiple transport authorities, and there are these systems that will enable you to use the transit system without previously buying a ticket.
It will be evaluated after your ride what you used, and some systems can also group multiple rides over a week; the end of the ride is then detected automatically. There are also check-in/check-out systems, or be-in/be-out systems where you might not have to do anything during check-in and check-out (this is BIBO), or maybe you need to do something in the app, which would be the CIBO system. So I've looked at the app from Osnabrück, which is called Yannick, which is supposed to make things simple and safe. Here we see two screenshots from the app. If I am at my starting station and want to climb onto the bus, I will swipe the check-in button to the right, which means I am checked in, and thanks to Bluetooth beacons it will automatically detect once I've jumped off the bus. The lines and stations are collected on the back end and also correlated with the smartphone's GPS data. How this looks could be looked into further using a vulnerability in the system, in a development system, a pre-production system, and now we'll have a look into it. I think this is going to be quite interesting. The entire process around signalling to the authorities that the vulnerability was here was actually very good. So I have added a test user to the system and now we're going to log in. On the left side we have a menu which we will click through in a few minutes. Here you can see the number of successful requests within the last week, and in the top right we can see that the test user has been added to a few groups, and now we will change to the role of the city operator of Osnabrück. So now we will look at the ticket area and trips. We see all of the rides that have been taken on the 13th of November: we see a universal ID, the bus line, the number, the names of start and end station. We can see the stations that were passed, and here we can only see that this ride on itself cost two euros and 70 cents.
But we can also see that for the entire week an optimized price of 10 euros and 80 cents was calculated, which would be four rides. And for this we see in the second line, the light gray one, that a week card for 18 euros and 70 cents was calculated, and the individual ride was 2 euros and 70 cents. It looks like maybe in the future or in a production system there might also be some fraud detection, but that doesn't work in this system. What we can also see here is some information about the devices used, some Android and Apple devices, the version number of the app and some further info about the phones that were used: the exact operating system version and some information about the connection quality. What can also be displayed is the various check-in and check-out events. For every ride that is taken one can see when exactly the manual check-in happened. In this sub-menu we can see the exact rides in an anonymized fashion. There is no pseudonym here, only which line was used, how long the ride was, how many stops there were in between, and the beginning and the end, rounded to full hours. And here we can also see, for every registered user, in what time range, also rounded to an hour, they were active within the app. I can also display some information about the Bluetooth beacons that are distributed: I can see the various vehicles and the IDs of the beacons that are deployed, and using the sub-menus I can also display more information about each beacon, such as the remaining battery life. And now we get to some more interesting stuff. We can see the suspect movements here. For the 11th of November I can see all the users that used the system on this day and in which hours they were active.
So for every user we have a row here in this table, and there are these rectangles, which are 24 individual lines, every line representing one hour of the day; if during an hour the person was active in public transit, then this line is colored in a certain way. So I see that some users take only one ride per day, then we have a few that take two rides or three. And we have some user that I sought out who is doing frequent trips. There is activity around midnight in this log as well as in the morning and from lunchtime to afternoon. So let's look at this more closely. Here we see some more detailed device logs, and first in these rows we have various individual check-in and check-out or be-out events. There is one just after midnight, two minutes and 24 seconds after midnight, at which point a check-out was apparently recorded, and then for almost seven hours there was nothing. So after a somewhat short night that person went back on their way, and across the day there are further check-in and check-out events, and in between, probably when they changed at intersections, there are so-called scan gaps; the first is just after seven o'clock, where after 426 seconds a scan gap was noted. It gets more interesting if we project this onto a map, where we get a better feel for where the person moved in the city. We see the check-in and check-out events, which I can click on, and I see an event from the 11th of November at 11 o'clock, 11 minutes and 11 seconds when the person was checked in. I can also see the stop name, so this is Sudhausen-Mitte in the Osnabrück region, or still within the city limits, and I can get further information from the other events as well. And there are a few other log messages that have been plotted here over time, so the horizontal axis is time, this is a segment of about 24 hours, and every dot represents a log message.
There are debug and info logs in here as well, and if I hover over any of these dots with the mouse I can get some more info. This, as I said, is not a production system, and so maybe the production system has much less information and fewer events. Yes, and at the very bottom I see the various check-in and check-out events over time: the person was on their way eight or nine times within the 24-hour period, around midnight and starting again at seven up to around 2 p.m., and then a few further journeys up to sometime in the late night. And in the line above, trip stops (Haltestellen), I can see the stops and intermediate stops of each journey as well. We'll zoom in a bit further now and look at one journey in more detail. Here we have mostly the blue line, the stronger blue line being probably the signal strength of the Bluetooth beacon; the journey began just after 11 and ended around quarter to 12, whereas the last stop was noted at around 11:35, which we see in the Haltestellen line further above, and at around 11:38 the person probably left the transport vehicle; that's when the last element in the Haltestellen line occurs and also the blue line drops off. It gets even more interesting if I plot all these log messages on the map too. These are data about the same journey that we saw earlier: the person left at 10:38, or it is 10:36 here, so there is a one-hour offset compared to the diagram above, but this surely is the same journey. We see that the person left the vehicle, we can see at which stop that occurred, and the log message here shows that the person was probably within the vehicle with a confidence of 100. We can then see where the person went on foot. Let's see the last item here: this is from 10:48, so for about 10 to 15 minutes the person was tracked although they had exited the vehicle much earlier, and again here is a value that tells you what the person is probably doing, which is to walk, with a confidence of 100 again. And just the same I can look at the other values that are plotted here that I mapped and see what the person was probably doing, and the estimate here is that the person was on a bicycle. The system isn't completely error-free here, and the system sometimes itself says that it doesn't know what is actually happening. But what's interesting in particular here is that we don't just have the journey itself tracked quite precisely, but also, for more than 10 minutes after the journey has ended, the GPS coordinates of that user were phoned home. So if you use this, get off somewhere and then get home within 10 minutes, then the app knows where you live, and that is quite well suited to, let's say, retaining data on public transport use. If you don't go home directly but stop off at a pub or bar or something, then the app will notice that as well. Again, the question is whether this only occurs in this development version or whether the production variant logs this amount of data and stores it as well, and it will also be interesting to know for how long these data are retained in production. I've shown an example here that didn't make clear that a single house was entered, but I've seen other journeys where the person went quite directly to a building which apparently wasn't lived in by many people, and you could even notice how that person was moving within that building. And here you see over which period of time the person was moving, what speed was logged and what the assumed accuracy of these data was. We also see the user-device mapping and information on the selected tariff and more information about the trips or journeys that were happening within the same 24 hours by that same person. At the very bottom we see on this map which journeys were registered with which intermediate stops and which journeys were billed in the end. And that gets me to the end of this small demo. Finally, I deleted my test user, I then logged out and reported the vulnerability to the companies involved. I can also add that I was surprised how much data this check-in/be-out system in the city of Osnabrück wants to have, especially these GPS data for 10 to 12 minutes after the end of the journey; that really surprised me. If you are out and about in the city of Osnabrück, please do ask the operator about your data. I wonder if the whole thing could be possible in a privacy-respecting way. Surely it would be possible to build a system like this that would register and store much less data, but what I find more interesting are other solutions. You could come up with easier tariff systems: for example, if a day ticket would only cost as much as two euros and would be independent of any tariff zones or rings or whatever for all journeys on that day, then we would have gained a lot, and public transport would have become much more attractive to many people, and the idea of having public transport financed by the community much more interesting. We have a group called Einfach Einsteigen ("just hop on" would be an English name for that); they have suggested a concept for the city of Bremen in which a community-financed public transport is described the way it could be. So thanks for watching and listening, and I'll now be available for your questions.

Warm thanks for this fascinating talk and for your call at the end against the kind of division politics that divides Germany up into smaller and smaller units, which has been preserved through German history and is now visible in the kind of patchwork of tariff systems that we have. I really have to calm down as far as privacy is concerned and the findings that you've given us here. The small joke that I prepared, that maybe you found an API function to get us a few free tickets, maybe loses its significance if we look at what you have provided us with here and try to deal with that. There are a lot of questions; thanks to the signal angels who actually divided the questions into
categories for me. The first question that I really am interested in, and maybe others too, is which companies are involved in this development, in this system.

Well, that's actually not that easy to answer. At first I found this vulnerability and then I actually had to look around for quite a while for whoever's responsible, and in the end I had to report it to the transportation agencies of Osnabrück, but in the back end there were also the logos of various other city transport systems, but I don't know if they have the same thing.

Thank you. Another obvious question: do you know how long these behavioral patterns or movement profiles are stored?

No, I have no idea about that. So it would probably be great if somebody from Osnabrück that used this app is listening; they could ask for a copy of the data and we could find out what the retention period is, is it six months, maybe ask again, maybe declare this as a data donation.

That's very interesting. Interested people, please do, and maybe turn it into a talk next time or contact you. Next question: how about privacy protections within the use of the app, are there ways of using it without creating a complete movement profile?

Well, I know that there has been some research in the direction of how to build these check-in/check-out systems so that they provide inner security, and of course from the side of the transport agencies they do want more data to prevent abuse and misuse to some degree, but it is absolutely possible to give more privacy protection than this system does. But I don't think that this system is oriented toward data protection.

But yes, you said, I was interested that even battery capacity, remaining capacity, was recorded, or did I misunderstand that? Of course then the question is which individual data that may be linked to the person are transmitted as well, aside from the obvious movement data here. Do you know any other properties that could be related to an individual?
Well, not directly, no. The transport agencies only used pseudonyms, we only know about pseudonyms. Of course at some point the tickets have to be paid for, and at some point there is of course a connection to the actual name of everyone. So maybe it could be researched whether users are given a new ID at regular intervals.

Yeah, maybe. Next question: as far as you know, is there a privacy impact assessment by the data protection authorities? I know what the abbreviation means: a privacy impact assessment, the DSFA, is a data protection consequence estimation.

I don't know that it exists. When I found this vulnerability I didn't know if this was a production system or a development one, so I did not just report it to the transport agency but also to the data protection authorities, so they will probably have a look at it in the future, and then of course at the production system too.

Of course. I am a simple-minded person; I could imagine that the routines in the debug and info modes that the software has, maybe someone may not have cared about switching all these off, taking them out. But what I also wondered is, one tab was titled suspect movements. Why?

Yeah, I also had to think of a Freudian slip there. So maybe that would be a general data retention, but I don't know.

You said that after leaving the bus or train it's ten minutes. What does the app then actually do, can it be switched off? You could be standing at the stop for another ten minutes and that would be of interest maybe, but how can it...

Well, you can certainly just kill the app on your device once you've jumped off the bus. I don't know if that has any influence on the fare estimation.

I wouldn't have thought gaps in mobile coverage might become a privacy feature in Germany. Next question: can a user access their own data, or do you have to ask for it using the GDPR rules, so can we ask the operators?

Well, I could not entirely find that out. I have installed the app for myself but I wasn't able to buy any tickets, but it didn't look like one could very easily get these wonderful maps from the back end.

Actually, in that case I don't think it suffices to say here's your data and that's it, but also showing what this data is for and what it looks like and what it means, and that is what these maps provide. Thank you. Maybe this question goes beyond Osnabrück by far: what do you think about privacy protection with apps that are not from the EU? A local traffic authority uses Fairtiq from Switzerland, which is not in the EU.

I can't really speak to that. I can only comment that this is not the first vulnerability I have found in a mobile ticketing app.

That would then be interesting, which kind of software modules might be used by various software makers. On a scale from free public transport to subscription trap, what is your assessment, how traumatic are mobile coverage gaps for the users? Maybe not a privacy question, but...

Well, that's difficult. I don't know if I understood the question correctly. I interpreted this as: if there are mobile coverage gaps, which of course we know may exist, how reliable do you think these apps would then still be? Well, I think that might be difficult in one or the other place. I know there's a part of the S-Bahn where they added a noise protection barrier and since then I have worse reception there. Maybe if it's done really badly I am automatically checked out there and have to check in again.

Do you think that such an app would then try to interpolate, or guess, as you are saying, that you surely didn't exit the train on its journey? That could be quite error-prone, which estimations or AI predictions are made.

Yeah, maybe. I don't really know what these GPS coordinates are even saved for, to be honest, especially in Osnabrück. I know that all of these buses have the Bluetooth beacons, and with these beacons the system should know which bus I'm in, and the system should also know where the bus is, so the system knows where I am riding along and when I get off. But then again, without Bluetooth beacons you could also do it with just GPS, which might not be as nice, but yeah, that's basically all I can say speaking about data minimization.

No question. Next question: how did the security gap come about, and when we gain access, are data better protected than the production system?

Well, I was not able to retrieve any data from the production system, and I assume that the reason was a configuration error that allowed me to access data and also, from this data, then find my way into the back end.

Will the system also be used at the Hamburg transport system? At least this AOS dot up trade is involved here as well.

Well, in the back end I was able to see that there is an HVV menu there, and the company also said that starting 2022 they do intend to use such a system.

We also had a question about the battery with the beacons: what could that be used for?

Well, I don't really know how these beacons work. Maybe they're just Bluetooth Low Energy beacons where once every one or two years you have to change the battery, but there are also systems that are directly connected to the power supply of the bus, where of course you don't need this.

One of many comments: thank you for this. Let's group them inside, that's, we would feedback links to, a heart of thanks. I think we've covered the questions in the pad and answered them with your help, and I would like to invite you to the breakout room now. Before that, just a few pointers: the link to the breakout room, where you could continue the discussion, you can find by going to the chat tab.