Leak: oBike exposes user data to social media

[German]Chinese firm oBike offers bikes to rent in major cities around the world. A data leak provided personal data of customers (name, email, location data) freely accessible via social networks.


It's always nice to see how topics come back again. On November 19, 2019, I've published a lengthy blog post Stopp: Leihfahrräder als Datenkrake within my German blog. This article covers background information about the bike sharing scene, occupied by Chinese vendors. After spreading their business model over all major Asian cities, they are expanding world wide.

(Source: Marco Verch / Flickr / CC BY 2.0 )

Munic, London, Frankfurt, Berlin, Vienna, Melbourne, oBikes are available to rent. But in Munic, Frankfurt or Berlin the bike are becoming to the a problem, because they block the paths in parks, pavements or other public places. 

Elsewhere, police have already confiscated thousands of these bikes and then scrapped them. The bikes also seem to mutate quickly into scrap because of a low quality.


I've warned about data collection

Within my German blog post linked above, I had warned that rental bike business models of chinese vendors. The rental bikes have no fixed stations for renting and return. They are equipped with GPS and the booking is usually done by an app, which also unlocks the bike. This app records everything the customer provides (name, e-mail address, payment data, GPS movement data and also the bikes usage time). I wrote: 

People who are using this bikes, will become transparent from a data view – what's common in China …

oBike representative hired a few weeks ago are saying that data protection is guaranteed. 'The GPS tracking profiles of the users are recorded and stored, but this is done anonymously. And there are no plans to pass on the data.'

The municipality of Munich was offered customer data by an oBike representative. But that can still be topped.

oBike exposed user data

A team of investigate journalists from Bayrischer Rundfunk has discovered a leak in the way, how oBike maintain user data. Until recently, personal and location data of users around the world were accessible online without any protection:

User names from Germany, mobile phone numbers from Switzerland, e-mail addresses from Great Britain, profile photos from Malaysia.

Journalists from BR Data and BR Recherche were able to view user data of the bike rental company oBike on the internet. The data were neither encrypted nor otherwise protected, and even exact movement data from rented bicycles were open for at least two weeks, according to BR information. Obike users all over the world were affected by this data leak.

The social media functions of the smartphone app were particularly problematic. The oBike app provides a feature to share invitation codes and finished rides on social networks. By doing this, users gave 3rd parties direct access to their personal data, without noticing it. Criminals could have used this safety gap to copy customer data – even from users who have not shared anything. After the BR had confronted the company with the data leak, the security hole were closed. oBike says in a written statement:

Obike does everything to quickly fix any safety gaps and protect user data.

Although this data data leak has been fixed, this incident could have consequences. The Bavarian State Office for Data Protection Supervision (Landesamt für Datenschutzaufsicht) confirmed that the data leak is a violation of the Data Protection Act. There are now investigations against oBike due to violating that Data Protection Act. More details may be read here.

Is China's industry's business models shaking?

The business models of many China companies may also become under pressure from Summer 2018, when the General Data Protection Regulation (GDPR) comes into force. Then hefty fines are due for violations. I estimate that the handling of user data in Chinese companies, including surveillance, will eventually break their necks. The Wallstreet Journal just has published this article, dealing with the way, how Chinese tech giant like Alibaba  act as willing helpers to the Chinese government and supervise their own people.

There are backdoor left within the firmware or apps, which has been uncovered several times in the past. That's nothing special for Chinese firms, and there is no data protection culture in China. When the get caught, the say "sorry, I didn't mean it." Realistically, no company is likely to use products from China any more, because they can't be sure, that these products didn't contain a backdoor for espionage. 

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , , , . Bookmark the permalink.

One Response to Leak: oBike exposes user data to social media

  1. Nuan says:

    You are totally wrong. Obike is a Singapore firm, not China!

Leave a Reply

Your email address will not be published. Required fields are marked *