Will fake news ever stop

Corona tracing: Luca monitoring can be undermined with fake garbage data

In the meantime, the Luca app for contact tracing in the corona pandemic has been declared mandatory for some model regions - but unfortunately the implementation is full of IT design errors: you can easily check in with a fake app that cannot be used for tracing at all. It looks like the Luca app, but it is a "hacked" anonymous or offline version which, at best, only transmits garbage data.

The app should support the following use cases:

  • Registration with the Luca server: the user enters phone number, name and address. This is sent to the Luca server, secured with an SMS TAN.
  • Location: check in yourself: the user scans a QR code at the entrance. The visitor counter in the location's system is incremented and "checked in" appears in the app.
  • Location: check in: the location has a scanner (a website that uses the webcam) and uses it to scan the QR code displayed by the Luca app. The counter in the location's system is likewise incremented and "checked in" appears in the app.
  • Create a private meeting: the meeting is registered on the Luca servers. A barcode appears that visitors can scan.
  • Check in to a private meeting: you scan the meeting's barcode. "Checked in" appears in the app; on the host's phone the counter goes up by the number of guests and the visitor's name appears.

The analysis

Security researcher Kurt Huwig looked into the Luca app for two reasons. First, he cannot use it, because the manufacturer has only approved installation for people residing in Germany; neighbouring regions just across the border are excluded. After the mobile parking app, this is already the second app bought by Saarland that cannot be used in the greater Saar-Lor-Lux region.

This is surprising given that during the border closures the state government expressly emphasized that a closed state border does not match the reality of life in Saarland. Nevertheless, money is being spent on apps that a large number of citizens in the Greater Region cannot use at all.

The second reason was that small scripts were circulating on the Internet with which one can trick the admission control of so-called "Luca locations" without ever having registered. The security expert wanted to verify this in the source code. There he quickly found where and how communication with the Luca servers takes place.

Modified functions of the fake Luca app

Use case                      | Offline mode                                                               | Anonymized mode
Registration                  | no communication                                                           | no data is transmitted
Location: check in yourself   | the same location always appears, because there is no communication        | random data are transmitted
Location: check in            | the app does not indicate a check-in, because there is no communication    | random data are in the barcode
Create a private meeting      | nobody can check in, because the meeting does not exist on the servers     | creation is done with random data
Check in to a private meeting | the visitor counter does not go up, because there is no communication      | registration with the correct name, but random data

Alarmingly, Mr. Huwig found that the developers had no security mechanism in place that would recognize whether someone was presenting a real Luca barcode or a fictitious one. It is as if everyone could make their own licence plates and drive past speed cameras at will without ever being prosecuted.

Two modes for the fake app

He therefore modified the app so that this fake Luca application can be operated in two new modes. With "Anonymous", the app does not register with the Luca servers but generates a random identifier itself at startup and changes it constantly.

With this ID the user can check in at any Luca location and even create private meetings. The manipulation is not visible to outsiders, because the app behaves like the real one: the visitor counter of a Luca location goes up as soon as the user scans the location's barcode, and also when the operator scans the app's barcode himself.

The manipulation can only be detected when the health department tries to access the data and then receives only digital garbage, or more precisely "user unknown".

In the second mode the app works completely offline and never contacts the Luca server at all. An operator of a Luca location could notice this by checking, after scanning the user, whether the visitor counter is incremented - which hardly ever happens in practice if only a barcode is stuck at the entrance.
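The flaw described above, as an added illustration and not Luca's own code: a deliberately simplified check-in server (names, the HMAC token scheme and the sample data are all assumptions) with the weak behaviour the article describes, where any identifier in a barcode raises the visitor counter and only the health department later sees "user unknown", beside a hardened handler that refuses identifiers the server never issued before the counter moves.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of a contact-tracing check-in server; not Luca's protocol.
SERVER_KEY = secrets.token_bytes(32)  # assumption: known only to the server


@dataclass
class CheckinServer:
    users: dict = field(default_factory=dict)          # user_id -> contact data
    visitor_count: dict = field(default_factory=dict)  # location -> counter
    checkins: list = field(default_factory=list)       # (location, user_id)

    def issue_token(self, user_id: str) -> str:
        # Server-side MAC over the id: only the server can mint a valid token.
        return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()

    def register(self, phone: str, name: str) -> tuple[str, str]:
        user_id = secrets.token_hex(16)
        self.users[user_id] = {"phone": phone, "name": name}
        return user_id, self.issue_token(user_id)

    def checkin_weak(self, location: str, user_id: str) -> bool:
        # Behaviour the article describes: the id in the barcode is never
        # checked against registrations, so a random id "checks in" fine.
        self.visitor_count[location] = self.visitor_count.get(location, 0) + 1
        self.checkins.append((location, user_id))
        return True

    def checkin_verified(self, location: str, user_id: str, token: str) -> bool:
        # Hardened: reject unknown ids and tokens the server did not issue
        # before touching the counter, so the fake app is caught at the door.
        if user_id not in self.users:
            return False
        if not hmac.compare_digest(token.encode(), self.issue_token(user_id).encode()):
            return False
        self.visitor_count[location] = self.visitor_count.get(location, 0) + 1
        self.checkins.append((location, user_id))
        return True

    def trace(self, location: str) -> list[str]:
        # What the health department sees when it resolves a location's visitors.
        return [self.users.get(uid, {"name": "user unknown"})["name"]
                for loc, uid in self.checkins if loc == location]
```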