In the last couple of days I attended a clinical cancer conference. I learned a lot about the clinical practice for this terrible disease and also about careless data protection habits. As we learned from our tweeting hero, connection data are the low-hanging fruit. And this is no different in the conference business.
When entering the meeting room of every scientific session of the conference, all participants’ conference badges were scanned (there was a convenient barcode on every ID). Officially, this measure was taken to print a list of attended lectures on everybody’s certificate of participation. (Who needs such a document?)
There was no conference booklet with a list of talks, only an unstable Android (and iOS) app. Fortunately I selected most of my sessions beforehand using a web browser in my office. I assume it sounds paranoid when I mention that my scientific interests are easier to track when I use an electronic device.
However, the interesting part was a little USB stick with presumably all abstracts (short summaries) of the conference presentations, including scientific posters. It has become a habit that sponsors are mentioned for a specific conference service like WiFi or public transport. In this case every attendee got a little voucher for a USB stick to pick up at the booth of a pharma company. It’s a nice, little blue device with a USB plug, which looks like a memory stick.
I tried this USB stick with my private Linux laptop. Apparently nothing happened. No pop-up window appeared, informing me about a new storage device. When I looked into the list of USB devices, I made an interesting discovery: The new device identified itself as an Apple, Inc. Pro Keyboard [Mitsumi, A1048/US layout] (ID 05ac:020b).
An old article on heise security about keyboard emulation to crack a computer came to my mind. Even though I spent a couple of hours (using Wireshark on my USB hub), I could not find out everything about my new blue friend. I just realized that the stick, depending on the operating system of the computer, types some commands. One of these commands starts a web browser and connects to this link. (It works, at least if you are using an English keyboard layout.) I could not find any data on this device but a lot of warnings (e.g. 1, 2) on the internet.
I feel a little uncomfortable when I let somebody type on my computer, which opens up every opportunity to do nasty or intrusive things. I assume this USB device is harmless and just connects me to the conference poster download page. Instead of the expected memory stick, I got a hidden keyboard that I am supposed to plug into my computer. And I doubt that this terrible data security image suits the pharma company which provided the device.
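Added example, not part of the original post: a small Python check that reads `lsusb -v`-style output and reports whether a supposed memory stick exposes a keyboard interface instead of mass storage. The sample text is constructed; only the ID and name of the first device come from the post, and the descriptor values and function names are assumptions.

```python
import re

# Constructed sample in the style of `lsusb -v` output; only the ID and name of
# the first device are from the post, the descriptor values are assumed.
SAMPLE = """\
Bus 001 Device 005: ID 05ac:020b Apple, Inc. Pro Keyboard [Mitsumi, A1048/US layout]
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 006: ID 0000:0001 Constructed Flash Drive
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
"""

HEADER = re.compile(r"^Bus \d+ Device \d+: ID ([0-9a-f]{4}:[0-9a-f]{4})\s*(.*)$")
FIELD = re.compile(r"^\s*bInterface(Class|Protocol)\s+(\d+)")
HID, MASS_STORAGE, KEYBOARD = 3, 8, 1  # USB-IF class codes, HID boot protocol

def parse_devices(text):
    """Collect (class, protocol) pairs for every interface of every device."""
    devices, cls = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            devices.append({"id": header.group(1), "name": header.group(2),
                            "interfaces": []})
            continue
        field = FIELD.match(line)
        if not (field and devices):
            continue
        if field.group(1) == "Class":
            cls = int(field.group(2))
        elif cls is not None:
            devices[-1]["interfaces"].append((cls, int(field.group(2))))
            cls = None
    return devices

def verdict(device):
    """Compare what a supposed memory stick actually exposes to the host."""
    types_keys = (HID, KEYBOARD) in device["interfaces"]
    stores = any(c == MASS_STORAGE for c, _ in device["interfaces"])
    if types_keys:
        return "keyboard+storage" if stores else "keyboard-only"
    return "storage" if stores else "other"

if __name__ == "__main__":
    for dev in parse_devices(SAMPLE):
        print(dev["id"], verdict(dev), dev["name"])
```

A HID interface that declares protocol 0 can still send keystrokes, so on a device handed out as storage any HID interface deserves a closer look, not only the boot-keyboard case matched here.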
The conference posters are hosted on a website called poster-submission.com. The domain name is registered by Johann Woringer, the CEO of Wiz-Team and Co-Founder of Além Labs, a company that provides “Accommodation, transportation, accreditations and ticketing data management systems for the International Olympic Committee” for the last six Olympic games (from Athens 2004 until Sochi 2014).
The rest is just speculation: connection data from health-care and pharmaceutical companies, e.g. who is interested in which drug or drug target, is a valuable data set that helps to discover the hot topics in cancer research and the research pipelines of participating (billion-Euro/Francs/Dollar) companies a bit earlier. Mr. Woringer is probably well connected to politics and industry.