Image loss Luca app: What does the security vulnerability found mean for the future of the Luca system?

Consequences and other dangers - what experts say about the app's IT security

Potentially, about a hundred thousand users are affected by the Luca security vulnerability because this was the number of key fobs in circulation when the vulnerability became known. Scanning the QR code is an everyday process that is performed, for example, every time someone authenticates in a store. At that moment, the store owner has the opportunity to save that person's QR code. Through this, it is then possible - with a bit of criminal energy - to gain access to the contact diary of the person in question.

This easy access increases the risk of the security gap because even if the Luca key fob is handled carefully, the user's data protection is not guaranteed. The comparative ease of use opens the way for potential data misuse. This also applies to stalkers and other people who specifically select a person. It is enough to take a photo of the QR code to exploit the security gap in an unobserved moment. In such a case, personal identification is also possible, as the owner of the Luca key fob is known. The same applies to owners of facilities where visitors scan themselves. Often, the owners and organizers have access to the customer's personal information, such as the name or address. According to Team LucaTrack, access to personal information is not possible via the vulnerability itself.

This security flaw in the app is critical in other ways as well. As explained above, personal information is unprotected by the system-related gap in IT security, so 100% data protection is not guaranteed. Even investigating authorities are thus exposed to data that they would otherwise not be able to obtain quickly. Tobias Ravenstein also addressed this point in his analysis of the security gap. For example, there has already been a push by the CDU parliamentary group in the state of Baden-Württemberg to register participants in demonstrations via the Luca app. Combined with the system's known security vulnerability, police authorities can then determine the exact identity of participants of such events.

Personal data protection is threatened by such gaps on other levels as well. For example, a profile of Luca users is available to unauthorized persons, revealing personal interests and memberships. This profile is created by analyzing the places visited. These can also include, for example, attendance at certain religious events, political meetings, or even self-help groups. In this way, direct misuse of data is possible, leading to blackmail or similar criminal activities. According to the developer of the Luca app, the possibility of accessing the contact history via the Internet has now been disabled to prevent data misuse.

However, this does not stop various groups from continuing to warn against using the platform. The CCC (Chaos Computer Club), which has been known for decades for its activities in IT security, called for an immediate stop to the Luca platform. The CCC primarily addresses the glaring weaknesses of the system, which became apparent within a short time due to the security vulnerability of the key fobs. According to a spokesperson for the Chaos Computer Club, the developer lacks an understanding of the basics of IT security. Accordingly, such a platform is unsuitable for nationwide tracking of user and movement data.

Similar claims and concerns also come from the LucaTrack team, which uncovered the IT security gap. Like the CCC, LucaTrack primarily points to further vulnerabilities and potential dangers of the platform. In terms of data protection, experts from the IT security field criticize above all the central storage of user data. A group of researchers from Switzerland also criticizes this point. According to the experts, storing all user data on a central server poses a significant security risk. If criminals succeed in overcoming the IT security of this server, all stored user data is unprotected. This includes the places visited in the last 30 days as well as personal contact information. Given the number of people who now use the Luca platform and the high prevalence at events, this scenario represents a gross breach of data protection.

Geofencing - what is it all about?

The platform has also been criticized for another function, geofencing*. Here, too, the focus is on data protection, which the app partially subverts without the user's knowledge. The app can sign the user out of a specific event automatically. For contact tracking, the time a person has been at one particular location is of interest. Through geofencing, the app automatically signs out once the user leaves the area. However, this function requires ongoing position tracking. Privacy experts view this feature critically since, at least theoretically, location monitoring of the user is possible in real-time. This geofencing is automatically activated in the iOS version of Luca. On the other hand, Android does not offer this feature, so users have a higher level of data protection here.

*The term geofencing is all about the relationship between the position of a mobile device and a predetermined location. If this object leaves or enters the area previously defined by a receiver, an action is triggered. The position is determined, for example, by GPS, RFID systems, or mobile phone and WLAN networks. One can imagine such a "geofence" as an invisible digital border that registers and records devices in its area when crossed.

Do you have questions about the protection of your data or other IT security topics?

Contact our experts - we will be happy to advise you!