Vulnerability in contact tracing app Luca could have allowed attackers to “paralyze” health departments

The discovery of yet another vulnerability in Germany's centralised check-in and contact tracing app 'Luca' has renewed strong criticism of it in the country.

The latest bug found in the app, developed by the Berlin-based software startup Nexenio, was illustrated by IT expert Marcus Mengs in a YouTube video. It would theoretically have allowed an attacker to paralyze a health department connected to the app through "code injection", i.e. the injection of malicious code among the data that the software delivers to health departments via Excel files. Thousands of citizens could have been spied on as a result.
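The standard defence against this class of bug (formula injection through data exported to spreadsheets) is to force guest-supplied free-text fields into text mode before the file is written and to check the export before release. The following is an added illustration, not Luca's or Nexenio's code, and assumes nothing about their actual export format; the field names, records and `neutralise_cell` / `export_visitors` / `formula_cells` helpers are constructed for this example.

```python
import csv
import io

# Leading characters that Excel and LibreOffice interpret as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value) -> str:
    """Force a free-text field into text mode before it reaches a spreadsheet.

    A cell whose first non-blank character is a formula trigger gets a leading
    single quote, which spreadsheets treat as "this is text", so anything a guest
    typed into a name or address field is displayed literally, never evaluated.
    """
    text = str(value)
    if text.lstrip(" ")[:1] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_visitors(rows, fields) -> str:
    """Serialise visitor records to CSV with every text cell neutralised."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralise_cell(row.get(f, "")) for f in fields})
    return buf.getvalue()


def formula_cells(csv_text) -> list:
    """Release check: (row, column, value) of cells a spreadsheet would still parse as formulas."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip(" ")[:1] in FORMULA_TRIGGERS:
                findings.append((r, c, cell))
    return findings


# Constructed sample records (hypothetical data): the phone number shows that a
# legitimate "+49" prefix is neutralised too, the third name mimics a guest typing
# a formula into a free-text field.
FIELDS = ["name", "phone", "address"]
SAMPLE_VISITORS = [
    {"name": "Erika Mustermann", "phone": "+49 30 1234567", "address": "Musterstr. 1"},
    {"name": "Max Mustermann", "phone": "030 7654321", "address": "-"},
    {"name": "=1+1", "phone": "", "address": "Musterstr. 2"},
]

if __name__ == "__main__":
    print(export_visitors(SAMPLE_VISITORS, FIELDS))
    print("unneutralised cells:", formula_cells(export_visitors(SAMPLE_VISITORS, FIELDS)))
```

The leading apostrophe may remain visible in the imported cell, which is the accepted trade-off for this mitigation; genuinely numeric columns should be written as numbers by the spreadsheet library rather than passed through `neutralise_cell`.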

The Federal Office for Information Security (BSI) confirmed the plausibility of the attack scenario, even though it found no evidence that the vulnerability had ever actually been exploited.

The bug, also confirmed by the app's developers, has since been fixed.

Die Zeit wrote that the company had been asked about the possibility of such an attack weeks earlier, when health authorities expressed explicit concern about "code injection" in the Luca app; its CEO, Patrick Hennig, however, claimed that it was not possible.

The app has been plagued by cybersecurity, data protection and even copyright infringement issues since its initial deployment in March 2021, leading to a strong joint statement against its use by hundreds of IT experts. Luca, they wrote in April, has a problematic centralised architecture; it is opaque and proprietary (it "creates a dependency on a single private company with the intention of making a profit as the operator of the system"); and its use is nonetheless "de facto compulsory," thus violating many of the privacy and rights-preserving principles established during the development of Germany's exposure notification app, 'Corona Warn'.

The Chaos Computer Club also issued a scathing critique of the Luca app, calling for an "immediate end" to its deployment and a "full investigation" into the app, due to "irregularities in the awarding of contracts," "dubious benefits" (the technology is allegedly "too imprecise to identify relevant contacts"), and a series of flaws and vulnerabilities. For example, users could check in at places they had never been — including the Osnabrück zoo. Also, why were existing decentralised alternatives not even considered?

Even though mired in controversy, the app has been adopted by "at least 282 of the 375 German health authorities", according to a survey by WELT among the 16 state health ministries. A total of almost 22 million euros has been spent by federal states on licences granting use of the app developed by Nexenio for one year, wrote Netzpolitik.

According to WELT, the Luca app has been downloaded more than 7.4 million times, "but that doesn't mean that the app is used by 7.4 million people." Moreover, the developers do not share data on the app's actual contribution to contact tracing.

Some institutions are critical in this regard too. Munich's health officer Beatrix Zurek, for example, voiced doubts about the actual usefulness of the "excessive" amount of data received by the municipality, and Regensburg, the fourth largest city in Bavaria, rejected the app altogether. In Thuringia, the Data Protection Authority intervened to ask local districts to refrain from buying and deploying it.

Nuremberg was the first city in Bavaria to introduce the Luca app, at the end of March, but its "health department has not yet issued any quarantines that would only go back to the use of the app", wrote Nordbayern. In Mecklenburg-Western Pomerania the app "has so far been of little use to the health authorities", argued Schweriner Volkszeitung. A CCC investigation claimed that by the end of April just 3 of the 137 offices surveyed throughout the country were actually using Luca in their daily operations, so much so that the municipality of Bielefeld could top the usage rankings with a mere 17 Luca requests.

Several fake Luca apps have also sprung up on the Google Play Store. According to Chip, "with the QR codes generated in the fake apps, it is apparently even possible to check in with some operators who then assume that the real Luca app is being used."

The developers, however, claimed that "in the future, it will also be possible to prove those who have recovered and who have been vaccinated" through the app.

The Luca app was developed in response to COVID-19 regulations in the country requiring federal states to oblige restaurants, shops, cinemas and other venues to collect the contact details of their guests for contact tracing purposes.
