Data leak: Communication data of prison inmates freely accessible online

Sensitive information about prison inmates could be accessed online via an unsecured programming interface. The gateway was a telephone system.

A leak in a telephone system made highly sensitive prison inmate data freely accessible on the internet.

(Image: LR-PHOTO/Shutterstock.com)

This article was originally published in German and has been automatically translated.

The telephone data of more than 14,000 people currently in 20 prisons and forensic clinics was freely accessible online. The telephone service provider had not protected its programming interfaces. The data included highly sensitive information.

The telephone system was actually intended to provide more privacy and offer an alternative to the public telephones in prisons. Instead, the prepaid landline system exposed online even the telephone numbers of callers and called parties, along with call recordings.

According to the discoverer Lilith Wittmann, it was possible to read who called whom, when and for how long. The relationship between the callers, for example mother, friend, therapy or law firm, could also be viewed. Even recordings of conversations that may have been initiated by the police were public.

IT security activist Wittmann uncovered the open access to the data online. She reported the breach to both the supervisory authorities and the company Gerdes Communications, which operates the telephone system. "It was super easy to access the data," Wittmann told NDR. "The data was not protected with a password, it was basically not protected at all." According to a spokeswoman for Telio Management GmbH (Hamburg), which bought Gerdes Communications in 2023, only Wittmann had seen the data. She told several media outlets that no misuse had been detected. However, if the security gap had existed for a longer period of time, earlier access would be difficult to trace, since log data is generally retained only for a short period.

Reading out the data could have consequences not only for convicted prisoners and those around them. People on remand are still subject to the presumption of innocence. If their data became known, they could be stigmatized by their time in prison even though they are innocent, explains Wittmann. What's more, conversations with therapists and lawyers in particular are considered confidential and enjoy a special level of protection.

In a self-experiment, Zeit Online was also able to access data before the loophole was closed. A specially created account in the video call system could be found, as well as the email address and a list of inmates contacted by the team. "This account was still working even after Gerdes Communications had already told the Hamburg justice authorities that it had shut down the servers. This was only actually the case after another inquiry," the newspaper writes. The provider first shut down parts of the system and only later the server in order to close the gap for the time being.

Lilith Wittmann writes in a blog post that she gained access to the sensitive information via the Prison Control Center, a web application for managing user data. The API was not protected - anyone in possession of the URL was able to call up the administration page and access the data. "Quite conveniently via a user interface with interface documentation," writes the IT security activist. She found all existing accounts and the available phone credit at Gerdescom via three other gaps. In the video conferencing system, a large number of full names, prison numbers and assignments to the prison in which the person is being held were readable. "All you have to do is make a contact request and the programming interface delivers the data as a contact list." Although there is a log-in for the video conferencing system, "to access the programming interface on behalf of another user, only their email address is required."
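As an added illustration, not code from the article, from Gerdes Communications or from Telio (all account names, data and function names are constructed), here is a minimal Python model of the pattern the article describes, where the request itself names the account by email address, beside a version that derives the identity from a server-issued session:

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the article): each account's contact list,
# the kind of record the video-conferencing API handed out.
CONTACTS = {
    "alice@example.test": ["inmate 0001 (mother)", "inmate 0002 (law firm)"],
    "bob@example.test": ["inmate 0003 (friend)"],
}

# --- Vulnerable pattern: the request itself names the account to act for ----
def contacts_vulnerable(request):
    # "Only their email address is required": identity is a client-supplied
    # field, so anyone who knows an address receives that user's contact list.
    return CONTACTS.get(request.get("user_email"), [])

# --- Hardened pattern: identity is derived from a server-issued session ------
_SALT = b"constructed-demo-salt"          # real systems use a random salt per user

def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice@example.test": _hash_pw("alice-pw"),   # constructed accounts
         "bob@example.test": _hash_pw("bob-pw")}
SESSIONS = {}                             # opaque token -> authenticated email

def login(email, password):
    candidate = _hash_pw(password)        # always hash, so timing does not reveal
    stored = USERS.get(email, b"")        # whether the address exists
    if not hmac.compare_digest(stored, candidate):
        return None                       # no session without valid credentials
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token

def contacts_hardened(request):
    email = SESSIONS.get(request.get("session_token"))
    if email is None:
        raise PermissionError("authentication required")
    # The account acted for is the session's own; any 'user_email' field the
    # client sends is ignored, so knowing an address alone grants nothing.
    return CONTACTS[email]
```

The same principle applies to the management interface: a page that is reachable by URL alone has no identity to check, so every request must first be tied to an authenticated session and then authorized against the records it asks for.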

According to Zeit Online, the NRW Prison Directorate has shut down telephony via the Gerdes Communications infrastructure for the time being. Several state data protection officers and prisons only found out about the security vulnerability after being contacted by the outlet. According to the Federal Statistical Office, there were a total of 44,232 prisoners and those in preventive detention in prisons in Germany on the reporting date in March 2023.

(are)