Criminals can attack health authorities via the Luca app

The Luca app stays in the headlines. IT security researchers are now showing how malicious code can be hidden in the data that Luca forwards to the health authorities. That could potentially paralyze entire authorities.

In a video published on Wednesday, IT security expert Marcus Mengs shows how encryption Trojans can be smuggled into health authorities. Sensitive personal data could be spied on, and entire health departments could potentially be paralyzed.

The Luca app is intended to help health authorities with contact tracing. The aim is to stop chains of infection with the coronavirus. In a video, Mengs uses the publicly viewable source code of the Luca system to show the process that takes place after a health department learns that an infected user was in a bar. In the role of an employee of a fictitious health department, he uses Luca to access the data of fictitious bar visitors who, according to the timestamp, were on site at the same time as the infected person. In order to see the complete data set, he has to download it and import it into Excel. Often this is done in the form of a CSV file. The data also includes the check-in of a fictitious attacker whose user data contains malicious code. Immediately after being imported into Excel, this malicious code encrypts the computer and accesses data.

Such an attack is also called CSV injection. Programs like Excel can interpret any value in a CSV file that begins with a = as a formula. An attacker can all too easily enter such special characters in the Luca app as part of their name or address data.

The Luca team had known about the vulnerability for weeks

The remarkable thing about it: the Luca team was apparently made aware of this vulnerability three weeks ago. Mengs' video now shows, however, that the precautions subsequently added to the code for special characters in names are apparently incomplete.

In order to actually attack the health authorities in this way, a number of conditions must be met. The problem exists for the CSV export and the Sormas export. In the Luca app, there is also the option of importing the data directly into Excel. If a health department employee chooses the CSV or Sormas export, they receive a warning in Excel. Only if the employee ignores this warning can attackers proceed with their attack. Warnings of this kind appear frequently in common programs such as Excel, including during legitimate use, and users are used to clicking them away, Linus Neumann, spokesman for the Chaos Computer Club, told Eva Wolfangel for Zeit Online.

The artist collective Peng recently pointed out how easy it is to create thousands of user profiles every day and check them in at any Luca location. The sheer mass increases the likelihood of such an attack being successful. In the end, one employee who makes this mistake is enough, says Mengs. The scenario is always realistic – an attacker can use it to execute any code and, for example, download patient data, delete data or load ransomware, according to the CCC spokesman's verdict. The security of Luca data processing should not depend on an Excel warning. The system must deliver secure data.
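
What delivering secure data can look like at the export step, as an added example that is not taken from the Luca code base: every cell is quoted, and values that start with a formula trigger are forced to text. It goes beyond the = case named in the article and covers the leading characters listed in OWASP's CSV injection guidance; the function names, field names and sample rows are assumptions.

```javascript
// Added example, not Luca's code: neutralise spreadsheet formulas at CSV export.
// Field names and sample rows below are constructed for illustration.

// Leading characters a spreadsheet may treat as the start of a formula
// (OWASP CSV injection guidance): = + - @ TAB CR.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// True if the cell could be evaluated instead of displayed as text.
// Conservative: a trigger hidden behind leading whitespace is caught too.
function isFormulaLike(value) {
  const s = String(value);
  return FORMULA_TRIGGERS.has(s[0]) || FORMULA_TRIGGERS.has(s.trimStart()[0]);
}

// Build one safe CSV field:
//  1. prefix formula-like values with ' so the cell is read as text,
//  2. double embedded quotes,
//  3. always wrap the field in quotes (also covers commas and newlines).
function toSafeCsvField(value) {
  let s = value === null || value === undefined ? '' : String(value);
  if (isFormulaLike(s)) s = "'" + s;
  return '"' + s.replace(/"/g, '""') + '"';
}

// Serialise rows (array of objects) using the given column order.
function toSafeCsv(rows, columns) {
  const header = columns.map(toSafeCsvField).join(',');
  const lines = rows.map((row) =>
    columns.map((col) => toSafeCsvField(row[col])).join(','));
  return [header, ...lines].join('\r\n') + '\r\n';
}

// Constructed sample: the second guest typed a formula as first name.
// The first guest's legitimate "+49" number is prefixed as well, which is
// the cost of treating every leading "+" as a potential formula.
const sampleGuests = [
  { firstName: 'Erika', lastName: 'Mustermann', phone: '+49 30 1234567' },
  { firstName: '=1+1', lastName: 'Guest "B"', phone: '030 7654321' },
];

console.log(toSafeCsv(sampleGuests, ['firstName', 'lastName', 'phone']));
```

The apostrophe prefix changes the exported value, so consumers other than spreadsheets see it too; validating names and addresses at check-in remains a separate, complementary control.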

It is actually common for security experts to inform the manufacturer of affected software before they go public with a vulnerability, so that it can be closed. In the case of the Luca app, this was not necessary, according to Mengs in the video. After all, the vulnerability has long been known.
