Reputational damage for the Luca app: what does the discovered security vulnerability mean for the future of the Luca system?
by Svenja Koch
The Luca app has been available since March 2021. It is meant to support contact tracing in the event of a COVID-19 infection by recording where its users have been. The federal government favored a digital system that passes information on seamlessly and without delay, so the Luca app is also linked to the public health departments. Now a group called LucaTrack has discovered and published a serious security vulnerability in the system. What does this mean for users of the app, and how far does the vulnerability open the door to data misuse?
The goals of the Luca app
The Luca app works on the principle of matching overlapping data: who was at the same place at the same time. The app is installed on a smartphone, and the user registers with personal data and a mobile phone number. From this, the Luca app generates a QR code that serves as a unique, individual identifier. For people without a smartphone there is a key fob, which already carries a pre-printed QR code, so nothing has to be generated in an app.
The key fob works differently from the app. The owner registers separately using a serial number found on the fob and, in the process, stores his or her name and phone number. In this way, the pre-printed QR code is linked to a specific person.
When a person enters a location, such as a hair salon or a sporting event, with a key fob prepared in this way, a system on site scans the code and records the visit. The location and the time are stored in a contact diary. With the Luca app, this diary is stored locally on the smartphone; for the key fob, the system transmits the information to a central server run by the operator. Suppose a person using the Luca platform now tests positive for the coronavirus. If that person shares his or her contact diary with the health department, a contact match is made via the database: it compares when and where the infected person was with other Luca users who were at the same place at the same time.
Through the link to the health departments, the system thus enables contact tracing. The health department can find potentially infected persons and contact them directly. The next steps are a coronavirus test or a request from the health department that the person concerned go into quarantine as a precaution, so that isolation is possible before the potentially infected person becomes a risk to others. In this way, the app supports the health authorities in breaking chains of COVID-19 infection.
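The matching step described above, as an added example: a simplified model written for this page, not Luca's code. The `Visit` record, the 15-minute minimum overlap and the sample check-ins are assumptions made here to show how a shared diary is compared against everyone else's entries at the same place.

```python
"""Contact matching over check-in diaries (added example, not Luca's code).

Each check-in records who was where and for how long. When an infected
person shares their diary, the health department looks for other users who
were at the same location during an overlapping window. A minimum overlap
(assumed here: 15 minutes) keeps brief crossings from generating contacts.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Visit:
    user: str
    location: str
    start: datetime
    end: datetime


def overlap_minutes(a: Visit, b: Visit) -> int:
    """Whole minutes the two visits share at the same place; 0 if none."""
    if a.location != b.location:
        return 0
    latest_start = max(a.start, b.start)
    earliest_end = min(a.end, b.end)
    return max(0, int((earliest_end - latest_start).total_seconds() // 60))


def find_contacts(index_diary, all_visits, min_overlap=15):
    """Return {user: [(location, overlap_minutes), ...]} for every other
    user who overlapped an index-case visit by at least min_overlap."""
    by_location = {}
    for v in all_visits:
        by_location.setdefault(v.location, []).append(v)
    contacts = {}
    for idx in index_diary:
        for other in by_location.get(idx.location, []):
            if other.user == idx.user:
                continue
            minutes = overlap_minutes(idx, other)
            if minutes >= min_overlap:
                contacts.setdefault(other.user, []).append((idx.location, minutes))
    return contacts


def demo():
    """Run the matching on constructed check-ins for one day."""
    def at(hour, minute):
        return datetime(2021, 4, 12, hour, minute)

    # Constructed sample data: the index case visits a salon and a stadium.
    visits = [
        Visit("index", "salon", at(10, 0), at(11, 0)),
        Visit("index", "stadium", at(15, 0), at(17, 0)),
        Visit("anna", "salon", at(10, 30), at(11, 30)),   # 30 min overlap
        Visit("ben", "salon", at(10, 55), at(12, 0)),     # 5 min: below threshold
        Visit("cara", "stadium", at(16, 0), at(18, 0)),   # 60 min overlap
        Visit("dan", "cafe", at(10, 0), at(11, 0)),       # different place
    ]
    index_diary = [v for v in visits if v.user == "index"]
    return find_contacts(index_diary, visits)


if __name__ == "__main__":
    print(demo())
```

Only users at the same location with a sufficiently long overlap are reported; the grouping by location keeps the comparison from being quadratic over the whole database.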
The Luca app security vulnerability
The security vulnerability in the Luca platform relates to the QR code. The LucaTrack group found that a photo of the QR code was enough to gain access to the stored contact diary data. Behind Team LucaTrack are, among others, Bianca Kastl and Tobias Ravenstein, who brought their IT security experience to bear here. According to Team LucaTrack, however, the gap only affects the key fobs, because their data is stored externally on a central server. For the Luca app installed on a smartphone, the vulnerability does not exist because the data stays on the phone.
With a photo of the QR code it was possible to retrieve the fob's data from the Luca software. Tobias Ravenstein from Team LucaTrack stated that minimal programming knowledge was enough to get around its IT security, and with it to read the information stored in the contact diary. Anyone who manages to photograph a person's QR code therefore potentially has access to that person's movement history. The system stores all interactions of the last 30 days, which is sensitive enough from a privacy standpoint on its own. The stored data includes the location where the QR code was scanned, the time, and information about the type of event or place visited. Because the QR code on a fob cannot be changed, access, once gained, persists, which allows an attacker to follow a person's movements even in real time.
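To make the failure mode concrete, here is an added example that models the flaw as the article describes it: a fixed identifier in the fob's QR code that also serves as the credential for reading that fob's diary, beside a variant that separates the two roles. This is illustrative code written for this page, not Luca's software; `VulnerableFobServer`, `HardenedFobServer`, the `FOB-000123` identifier and the sample visits are all constructed here, and nothing is claimed about Luca's actual API.

```python
"""Static identifier used as a credential, modelled (added example, not Luca's code).

Both servers store a fob's check-ins centrally, as the article describes for
key fobs. The vulnerable one returns a diary to anyone who presents the
identifier printed in the QR code, so a photo is a permanent read credential.
The hardened one needs a separate owner secret issued once at registration
and never printed on the fob; the QR identifier alone is only good for
checking in.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class VulnerableFobServer:
    """The identifier printed in the QR code doubles as the read credential."""

    def __init__(self):
        self.diary = {}  # qr_id -> [(location, timestamp)]

    def check_in(self, qr_id, location, ts):
        self.diary.setdefault(qr_id, []).append((location, ts))

    def history(self, qr_id):
        # Anyone who has seen the QR code can call this successfully.
        return list(self.diary.get(qr_id, []))


class HardenedFobServer:
    """Check-in identifier and read credential are two different values."""

    RETENTION = timedelta(days=30)  # the 30-day window the article mentions

    def __init__(self):
        self.diary = {}
        self.owner_hash = {}  # qr_id -> sha256(owner_secret)

    def register(self, qr_id):
        """Bind a fob to an owner; the secret is shown to the owner once.
        It is 32 random bytes, so a plain hash is enough (no password KDF
        is needed for a secret the user did not choose)."""
        owner_secret = secrets.token_urlsafe(32)
        self.owner_hash[qr_id] = hashlib.sha256(owner_secret.encode()).digest()
        return owner_secret

    def check_in(self, qr_id, location, ts):
        # Venues only need the public identifier to record a visit.
        if qr_id not in self.owner_hash:
            raise KeyError("unregistered fob")
        self.diary.setdefault(qr_id, []).append((location, ts))

    def history(self, qr_id, owner_secret, now):
        expected = self.owner_hash.get(qr_id)
        presented = hashlib.sha256(owner_secret.encode()).digest()
        # Constant-time compare; unknown fob and wrong secret fail identically.
        if expected is None or not hmac.compare_digest(expected, presented):
            raise PermissionError("owner secret required")
        cutoff = now - self.RETENTION
        return [(loc, ts) for loc, ts in self.diary.get(qr_id, []) if ts >= cutoff]


def demo():
    """Replay the attack against both designs on constructed data."""
    now = datetime(2021, 4, 20, 12, 0, tzinfo=timezone.utc)
    qr_id = "FOB-000123"  # constructed identifier as printed in a fob's QR code
    visits = [("church", now - timedelta(days=40)),
              ("stadium", now - timedelta(days=10)),
              ("salon", now - timedelta(days=2))]

    vuln = VulnerableFobServer()
    for loc, ts in visits:
        vuln.check_in(qr_id, loc, ts)
    # An attacker who photographed the fob needs nothing else.
    leaked = [loc for loc, _ in vuln.history(qr_id)]

    hard = HardenedFobServer()
    owner_secret = hard.register(qr_id)
    for loc, ts in visits:
        hard.check_in(qr_id, loc, ts)
    try:
        hard.history(qr_id, qr_id, now)  # attacker tries the printed identifier
        denied = False
    except PermissionError:
        denied = True
    # The owner, holding the secret, sees only entries inside the retention window.
    owner_view = [loc for loc, _ in hard.history(qr_id, owner_secret, now)]
    return {"leaked": leaked, "denied": denied, "owner_view": owner_view}


if __name__ == "__main__":
    print(demo())
```

The hardened variant only removes the photo-equals-access property. The fob's visits remain linkable under one identifier on the operator's server, which is exactly the central-storage concern the experts quoted later in this article raise.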
Consequences and other dangers - what experts say about the app's IT security
Potentially, about a hundred thousand users are affected by the Luca security vulnerability, since that was the number of key fobs in circulation when the vulnerability became known. Scanning the QR code is an everyday process, performed every time someone checks in at a store, for example. At that moment the store owner has the opportunity to save a copy of the person's QR code, and with it, given a bit of criminal intent, to gain access to that person's contact diary.
This easy access makes the security gap more serious: even if the Luca key fob is handled carefully, the user's data protection is not guaranteed. The comparative ease of exploitation opens the way to data misuse, including by stalkers and others who target a specific person. An unobserved moment is enough to photograph the QR code and exploit the gap. In such a case the victim can also be identified, since the attacker already knows who owns the Luca key fob. The same applies to owners of facilities where visitors scan themselves in: owners and organizers often have access to customers' personal information, such as name or address, and can link it to the diary. According to Team LucaTrack, the vulnerability itself does not give access to personal information.
The security flaw is critical in other ways as well. As explained above, the system-related gap in IT security leaves the stored data unprotected, so complete data protection is not guaranteed. Investigating authorities could thus also obtain data that they would otherwise not be able to get hold of quickly. Tobias Ravenstein addressed this point in his analysis of the security gap. For example, the CDU parliamentary group in the state of Baden-Württemberg has already pushed to register participants in demonstrations via the Luca app. Combined with the system's known security vulnerability, police authorities could then determine the exact identity of participants in such events.
Data protection is threatened by such gaps on other levels as well. Unauthorized persons can build a profile of a Luca user from the places visited, revealing personal interests and memberships, such as attendance at religious events, political meetings, or self-help groups. That opens the door to direct misuse, up to blackmail and similar crimes. According to the developer of the Luca app, the possibility of accessing the contact history via the Internet has since been disabled to prevent such misuse.
However, this does not stop various groups from continuing to warn against using the platform. The Chaos Computer Club (CCC), known for decades for its work in IT security, called for an immediate stop to the Luca platform. The CCC primarily addresses the glaring weaknesses of the system, which became apparent within a short time through the vulnerability of the key fobs. According to a CCC spokesperson, the developer lacks an understanding of the basics of IT security, and such a platform is accordingly unsuitable for nationwide collection of user and movement data.
Similar concerns come from the LucaTrack team, which uncovered the gap. Like the CCC, LucaTrack points to further vulnerabilities and potential dangers of the platform. From a data protection perspective, IT security experts criticize above all the central storage of user data, a point also raised by a group of researchers from Switzerland. According to the experts, storing all user data on a central server poses a significant security risk: if criminals succeed in breaching that server, all stored user data is exposed, including the places visited in the last 30 days as well as personal contact information. Given the number of people who now use the Luca platform and how widespread it is at events, this scenario would represent a gross breach of data protection.
Geofencing - what is it all about?
The platform has also been criticized for another function, geofencing*. Here, too, the issue is data protection, which the app partially undermines without the user's knowledge. The app can sign a user out of a specific event automatically. For contact tracing, the time a person spent at a particular location is what matters, so geofencing signs the user out as soon as they leave the area. This function, however, requires ongoing position tracking. Privacy experts view the feature critically because, at least in theory, it allows a user's location to be monitored in real time. Geofencing is activated automatically in the iOS version of Luca; the Android version does not offer this feature, so Android users enjoy a higher level of data protection here.
*Geofencing concerns the relationship between the position of a mobile device and a predefined area. When the device enters or leaves that area, an action is triggered. The position is determined, for example, by GPS, RFID systems, or mobile phone and WLAN networks. A "geofence" can be thought of as an invisible digital boundary that registers and records devices when they cross it.
Conclusion on the security vulnerability in the Luca app
A platform such as Luca, designed to record contacts and movement information comprehensively, must meet the highest security and data protection requirements. The vulnerability that has been uncovered shows the dangers to which digital systems are exposed in everyday use. Central storage of personal information, in particular, quickly creates situations in which data misuse becomes possible, because today's attackers are creative and skilled and quick to find and use weaknesses in a system's IT security. For this reason, platforms like Luca must not compromise on data protection and IT security.