Meanwhile, the luca app for contact tracing in the corona pandemic is considered mandatory in some model regions, but unfortunately its implementation is full of conceptual IT errors: one can easily check in with a fake app, and such a check-in cannot be usefully traced. The fake looks like the luca app but is a "hacked" anonymous or offline version, which at best is merely more privacy-preserving.
The app is supposed to support the following use cases:
- Registration with the luca server: the user enters their phone number, name and address. This is sent to the luca server, secured by SMS TAN.
- Location, self check-in: the user scans a QR code at the entrance. In the location's system the visitor counter is incremented, and the app shows "checked in".
- Location, being checked in: the location has a scanner (this works with a webcam on a web page) and scans the QR code that the luca app displays. In the location's system the counter is likewise incremented, and the app shows "checked in".
- Create private meeting: the meeting is registered on the luca servers. A barcode appears for the visitors to scan.
- Check-in to a private meeting: one scans the barcode of the meeting. The meeting appears in the app; on the host's phone the visitor counter rises to the number of guests and the name of the visitor appears.
The security researcher Kurt Huwig has looked at the luca app for two reasons. Firstly, he cannot use it at all, because the manufacturer has released the installation only for people resident in Germany; the neighbouring border regions abroad are excluded. After the mobile parking app, this is already the second app bought by Saarland that is not available in the Greater Region Saar-Lor-Lux.
This is surprising insofar as, during the border closures, the state government emphasized that a closed national border does not fit the Saarland way of life. Nevertheless, funds are spent on apps that a large part of the citizens of the Greater Region cannot use.
The second reason was that small scripts circulate on the internet with which the entrance checks of so-called "luca locations" can be passed without ever registering. The security expert wanted to verify this in the source code. There he quickly found out where and how communication with the luca servers takes place.
Features of the fake luca app:

| Use case | Offline mode (no contact with the luca servers) | Anonymous mode (random identifier) |
|---|---|---|
| Registration | no communication | no data is transmitted |
| Location, self check-in | the same location always appears, as there is no communication | random data are transmitted |
| Location, being checked in | the app does not show that you were checked in, because there is no communication | random data are in the barcode |
| Create private meeting | works, but nobody can check in, because the meeting does not exist on the servers | created with random data |
| Check-in to a private meeting | works, but the visitor counter does not increment, as there is no communication | registration with the correct name, but random data |
Alarmingly, Mr Huwig had to realize that the developers have no security mechanism that recognizes whether someone presents a genuine luca barcode or a freely invented one. It is as if everyone could make their own licence plates and drive past a speed camera without ever being traceable.
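To make the missing check concrete, here is an added illustration in Python. It is not the luca app's code and not its real protocol; the QR payload format, the HMAC scheme, the class and function names and the constructed sample data are all assumptions. It models two venue scanners: a naive one that records any well-formed barcode (the weakness described above, which also explains why a later health-department lookup only yields "user unknown"), and a hardened one that records only barcodes the server itself issued and can authenticate for a registered user.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed secret, assumed to be held only by the check-in server.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = 32  # HMAC-SHA256 output size


class CheckInServer:
    """Minimal registry of users and per-location check-in lists (assumption)."""

    def __init__(self):
        self.users = {}      # user_id -> contact data given at registration
        self.checkins = {}   # location_id -> list of user_ids recorded there

    def register(self, name, phone):
        user_id = secrets.token_hex(8)
        self.users[user_id] = {"name": name, "phone": phone}
        return user_id

    def issue_qr(self, user_id):
        """Build the barcode the app displays: JSON payload plus an HMAC tag,
        so a scanner can tell a server-issued code from an invented one."""
        if user_id not in self.users:
            raise KeyError("unknown user")
        payload = json.dumps({"uid": user_id, "nonce": secrets.token_hex(4)}).encode()
        tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        return base64.b64encode(payload + tag).decode()

    def verify_qr(self, qr):
        """Return the user id if the code is authentic and registered, else None."""
        try:
            raw = base64.b64decode(qr, validate=True)
            payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
            expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return None
            uid = json.loads(payload)["uid"]
        except (ValueError, KeyError, TypeError):
            return None
        return uid if uid in self.users else None

    def lookup(self, location_id):
        """Names a health department would get back for a location;
        identifiers nobody registered come back as 'user unknown'."""
        return [self.users.get(uid, {"name": "user unknown"})["name"]
                for uid in self.checkins.get(location_id, [])]


def fabricated_qr():
    """A code a modified app could display: well-formed, but never issued by
    the server (constructed to model the random identifier described above)."""
    payload = json.dumps({"uid": secrets.token_hex(8), "nonce": "0000"}).encode()
    return base64.b64encode(payload + secrets.token_bytes(TAG_LEN)).decode()


def naive_scan(server, location_id, qr):
    """Scanner without an authenticity check: any parseable code with a 'uid'
    field increments the visitor counter and is recorded."""
    try:
        raw = base64.b64decode(qr)
        uid = json.loads(raw[:-TAG_LEN])["uid"]
    except (ValueError, KeyError, TypeError):
        return False
    server.checkins.setdefault(location_id, []).append(uid)
    return True


def hardened_scan(server, location_id, qr):
    """Scanner that records only codes the server can authenticate."""
    uid = server.verify_qr(qr)
    if uid is None:
        return False
    server.checkins.setdefault(location_id, []).append(uid)
    return True


def visitor_counter(server, location_id):
    return len(server.checkins.get(location_id, []))


if __name__ == "__main__":
    server = CheckInServer()
    alice = server.register("Alice Example", "+49 000 0000")   # constructed
    genuine, fake = server.issue_qr(alice), fabricated_qr()
    naive_scan(server, "cafe", genuine)
    naive_scan(server, "cafe", fake)
    print("naive counter:", visitor_counter(server, "cafe"), server.lookup("cafe"))
    hardened_scan(server, "bar", genuine)
    hardened_scan(server, "bar", fake)
    print("hardened counter:", visitor_counter(server, "bar"), server.lookup("bar"))
```

The naive scanner's counter rises for both codes, which is exactly why an operator watching the counter sees nothing wrong, while the later lookup contains a "user unknown" entry. The hardened scanner rejects the fabricated code at the door, where the rejection is still actionable.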
Two modes for the fake app
He therefore modified the app so that this luca fake application can operate in two new modes. In "anonymous" mode, the app does not register with the luca servers but creates a random identifier itself at start-up and changes it.
With this identifier the user can check in at every luca location and even create private meetings. The manipulation is not recognizable from the outside, because the app behaves like the real one: the visitor counter of a luca location increments as soon as the user scans the location's barcode, and also when the operator scans the barcode of the app itself.
The manipulation can only be detected when the health department tries to access the data and then only obtains digital garbage, more precisely "user unknown".
Fake luca app
For users it is not recognizable whether the app is a manipulated one or not.
In the second mode the app works completely offline and never contacts the luca server. The operator of a luca location could detect this by checking, when the user scans, whether the visitor counter is incremented, which is hardly ever done in practice if only a barcode is stuck up at the entrance.
If the operator scans the manipulated barcode of the app itself, his visitor counter does increment; only the app does not report that it has been checked in, because it never receives that event, and that can always be blamed on an unstable data connection of the mobile phone.
It is astonishingly easy to undermine the luca system completely, so that it is not possible for the operators of luca locations to detect this manipulation. The system is even less secure than paper lists, because it leads the operator to believe that everything was done correctly. Technical details of the weaknesses can also be found on GitHub.