[English]German security expert Lilith Wittmann discovered an unprotected API from Deutsche Telekom, that can be used, to retrieve details about landline connections via their internet access. She set up a website that can be used to retrieve data from Telekom's landline network connections. The IP address is sufficient, and the data obtained can be used to permanently track Telekom subscribers on the Internet. This could be a veritable data breach at Deutsche Telekom – and it could be GDPR-relevant. Here's a quick rundown of what's going on.
Advertising
Wittmann's site allows to reveal user data
Lilith Wittmann has discovered that it is possible to retrieve some connection data from Telekom landlines using the IP address. There seems to be no authorization for these queries, anyone can access this data, only an IP address is needed. At the end of the day, it is possible to find out a lot of information about the subscriber by requesting data from state and private sector actors (aka telecom API). Wittmann has put the website festnetz.cool online for this purpose, as she writes in the following tweet.
Well, it's in German, but it says "here is a new venture project live, it allows a permanent tracking of Telekom connections". Currently, only Telekom landlines for HOME and Small Business customers with internet access are supported. Therefore, when I call up the website in question, an error ist reported (see below), and no information is displayed (I use another internet provider).
If you want more details, take a look at https://api.festnetz[.]cool/docs#/ to see what curl commands are used to read the data.
Landline customer transparent?
If Wittman's site is called up with an Internet connection that belongs to Deutsche Telekom via a landline internet connection, a range of data can be retrieved via the assigned IP. Wittmann shows some data from such a connection below.
Advertising
Beside the IP address, which can also be determined via other websites, the website lists some details about the connection (tariff, upload and download speed, tariff number, etc.). The parameter Permanent ID, an identifier that is permanently assigned to the connection, catches the eye. This allows the owner of the connection to be tracked via the transmitted IP address using the permanent ID.
This may be a GDPR problem
If I have understood it correctly, the IP address of the Internet surfer is enough to retrieve details about his Telekom landline (including Internet access) via the API. And you can combine the information with other data sources so that you can identify the source in quite some detail (down to city blocks).
If the Permanent ID is evaluated, the user can be tracked on the Internet and, if necessary, identified via their other data. Wittmann writes: "If you continue to link the data I have access to with other data in a funny way, you can localize people at the block level." The case shows again the risk of APIs for data leaks.
Advertising
To clarify and precise part "This allows the owner of the connection to be tracked…":
Trackability of the connection owner is not necessarily limited to an owner itself. According to discussed parameters and API this was limited by the implemented proof of concept.
:-( major parts of German fuffing-around hacker humor is lost due to translation. YES – they are humorable!