Luca app: Corona contact tracking can be tricked this easily

display

The Osnabrück Zoo is open in summer from 9 a.m. to 6.30 p.m.

Therefore, it seemed more than surprising that, according to the Corona warning app Luca, a good hundred users were logged into the zoo on Wednesday night at around 4 a.m.

The alleged nocturnal zoo-goers didn’t really visit the “elephant Yaro” or the Sumatran tiger in the animal world “Angkor Wat” when they were asleep, but instead were able to log into the zoo from anywhere in Germany thanks to a fundamental conceptual error in the Luca app: The app does not have any plausibility check for the logins.

In a first statement, Luca emphasized that misuse of the QR login codes is unlikely: "No health department in the world will contact 100 people who have been to a zoo at night." A plausibility check, as suggested by the critics, would contradict the concept of data economy, so the Luca makers.

display

But the QR codes are not the only current security weakness of the app.

The makers behind the project are currently refusing to publish the entire code of the app for a transparent security check, the announced analog "key rings" de facto allow a login without checking the identity.

In addition, by analyzing login links, savvy hackers can easily check from the outside how many visitors are currently logged into a shop, a doctor's office or an event.

The reverse is also possible: if you know the login data of a user - for example by copying the app's QR code - you can easily log in anywhere.

Plausibility checks are also missing here.

In short: The app currently has a lot of conceptual weaknesses.

That would not be a problem, because of course there are various, sometimes much more sophisticated alternatives to the Luca app.

display

However, twelve federal states have ennobled the app to a quasi-standard through license purchases worth over 10.5 million euros, and municipalities oblige shopkeepers and restaurant operators to use it in some cases.

This means that the app has to measure up to a higher standard than the various competitors.

The basic problem of the app lies in its concept, which is why it cannot be easily ironed out: Anyone who has access to the QR code that shops or organizers post can log in.

Comedian Jan Böhmermann pointed this out via Twitter on Tuesday evening.

One of the first whistleblowers was computer scientist Sebastian Fuhrmann at the end of March.

display

In recent weeks, various organizers and shops have happily published photos and videos of posters with the personal QR code for logging in on social media such as Facebook and Twitter.

As a result, anyone who has such a picture can hold the camera of their smartphone on it to log in.

Source: Screenshots WORLD

WELT itself was able to log in to the Ostseestadion Rostock as an "employee or service provider", to the Rostock "Modehaus Nikolaus", to the "Boutique Am Tor" in Neubrandenburg and to the Modehaus Brörmann in Bohmte, Lower Saxony, within a period of 10 minutes, without that the editor only had to leave his desk in Cologne once.

Apparently there is no plausibility check, because even with a helicopter the jumps between the locations would have been impossible in terms of time.

Even more: Böhmermann had also published the login at Brörmann, so 2635 people were digitally present there at the time of the experiment.

The fashion house has probably never experienced so much popularity in real life.

“Health authorities are flooded with even more, possibly incorrect information.

That is exactly the opposite of what the Luca app promises, namely to relieve the health authorities, ”says Fuhrmann, commenting on the problem.

This would be particularly fatal if someone who tested positive used the app for abuse - and for example ensures that visitors to an unpleasant shop are called by the health department in a row.

The number also shows the next problem with the app: The interface to the server is designed in such a way that it can be read from the outside how many Luca users are present in a location at the same time.

Not a problem in a store - but what if it is a psychiatric practice or a political event?

Then this information is already too much public.

Logging into the app still makes little sense for places like Osnabrück Zoo, as it has an area of ​​over 50 hectares - if a visitor there is tested Corona-positive afterwards, the information is about who else was on the site , useless for health authorities, notes the member of the Bundestag Anke Domscheit-Berg.

display

“The implementation is simply awful,” commented critic Fuhrmann in an interview with WELT.

"The health authorities now also have to check the plausibility of the Luca data; they actually have something else to do right now."

The programmer has taken a closer look at the app's code and notes that the quality of the programming work is that of a “student project” - in view of this, license fees in the millions are astonishing.

The Rostock computer scientist Roger Schmidt criticizes the app in a similarly harsh manner.

He experimented with the key fobs with printed QR codes that Luca recently sold and discovered real weak points in the process.

The key fobs are intended for people who cannot or do not want to carry a smartphone with them to log in - they should simply hold the QR code in a camera in the store or restaurant.

But as Schmidt found out, this also works if the followers are not yet registered for a person.

If you want, you can circumvent the entire login concept.

The registration data is not checked.

That's why Schmidt managed to enter the telephone number 123456789.

"In principle, such apps make perfect sense, but then please do them correctly," he comments to WELT.

Last but not least, the creators of the app continue to refuse to make the entire code of the app public.

Not even the program code of the current Android version is available so far, the code of the iOS app has not yet been published, the code of the server-side application is also completely missing.

The makers had actually announced that they wanted to publish everything at the end of March.

The reasons for the delay were not yet known.

Thus, the Berlin culture4life GmbH, which is behind Luca, continues to violate the license conditions of the open source code they use, and does not comply with the request of the data protection conference of the federal and state governments for an independent public inspection of their work for security gaps.

In an interview with WELT, Patrick Hennig, CEO of culture4life parent company neXenio, comments on the criticism from Böhmermann and Co .: “I can always abuse a system, but you have to ask yourself whether it is better to use the technology together in the pandemic for the benefit of everyone. ”For the problem of key fobs without registration, they still want to introduce a filter as soon as possible.

Hennig also responded to the accusation of delaying the source code publication: The iOS source code will be published Wednesday, the source code of the server towards the end of the week.

"That simply ties up a lot of manpower that we cannot necessarily use for this at the moment."