Luca user in Berlin: the app relies on scanning QR codes
Photo: Christoph Soeder / dpa
The series of weak points in Luca's check-in system continues: IT security experts have discovered that the movement history behind the Luca key fob was poorly protected and could be read by strangers who were able to scan the QR code printed on the fob.
A photo of the fob was sufficient for this.
Specifically, it was possible to view a person's complete history of Luca check-ins over the past 30 days, including the geo-coordinates and addresses of the corresponding locations and the exact time of each check-in.
This emerges from a brief analysis by the group calling itself Team LucaTrack.
According to its own statements, the group informed the Luca developers and the responsible Berlin data protection officer of its findings on April 13th.
The key fobs are an alternative to the app within Luca's check-in system for people who do not have a smartphone or who do not want to use Luca on their device.
They are slightly smaller than a typical chip card and have a QR code printed on them.
To check in at a shop, a restaurant or an event, the QR code is scanned by staff at the entrance.
With the app it is the other way round: users scan the location's QR code with their own smartphone.
Names, telephone numbers and other personal data could not be viewed through the vulnerability, as the Luca developers themselves write in their statement on Thursday.
It says: "We were made aware by a report today that third parties in unauthorized possession of the QR code on the key fob could call up the respective contact history.
We deactivated this option immediately after receiving the report and thank the reporters for the notification." To avoid misuse, the developers recommend "using the personal key fob with its QR code only for check-in at the establishments intended for this purpose and not publishing a photo of one's own individual key fob on the Internet".
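The design error described above is that a static identifier printed on the fob, which anyone can photograph, also served as the authorization to read the owner's history. The following constructed model (added here; it is not Luca's code and the class, method and fob id names are hypothetical) contrasts a history lookup keyed only on the QR payload with one that demands a separate owner secret that never appears on the fob, and restricts the bare fob id to check-ins:

```python
from collections import namedtuple
from datetime import datetime, timedelta
import secrets

# One check-in record: venue name, address, geo-coordinates and exact time.
CheckIn = namedtuple("CheckIn", "venue address lat lon at")

class FobCheckInService:
    """Constructed model of a key-fob check-in backend, not Luca's real API."""
    def __init__(self):
        self._history = {}       # fob_id -> list of CheckIn
        self._owner_secret = {}  # fob_id -> secret held by the owner, never printed on the fob

    def register_fob(self, fob_id):
        # The QR code on the fob carries only fob_id; the owner secret stays off the fob.
        self._owner_secret[fob_id] = secrets.token_hex(16)
        self._history[fob_id] = []
        return self._owner_secret[fob_id]

    def check_in(self, fob_id, venue, address, lat, lon, at):
        # Staff scan the fob: fob_id alone may append a check-in, and nothing more.
        self._history[fob_id].append(CheckIn(venue, address, lat, lon, at))

    def history_by_fob_id(self, fob_id, now):
        # FLAW: whoever holds the QR payload (a photo suffices) reads the last 30 days
        # of venues, coordinates, addresses and exact check-in times.
        cutoff = now - timedelta(days=30)
        return [c for c in self._history.get(fob_id, []) if c.at >= cutoff]

    def history_for_owner(self, fob_id, owner_secret, now):
        # Hardened: the public identifier never authorizes a read on its own; the
        # separate owner secret must be presented (constant-time comparison).
        expected = self._owner_secret.get(fob_id)
        if expected is None or not secrets.compare_digest(expected, owner_secret):
            raise PermissionError("fob id alone does not authorize reading history")
        return self.history_by_fob_id(fob_id, now)

def demo():
    svc = FobCheckInService()
    now = datetime(2021, 4, 15, 12, 0)
    owner_secret = svc.register_fob("FOB-0001")  # constructed sample fob id
    svc.check_in("FOB-0001", "Cafe", "Musterstr. 1, Berlin", 52.52, 13.40, now - timedelta(days=2))
    svc.check_in("FOB-0001", "Shop", "Beispielweg 5, Berlin", 52.50, 13.45, now - timedelta(days=40))
    leaked = svc.history_by_fob_id("FOB-0001", now)  # needs only the QR payload
    try:
        svc.history_for_owner("FOB-0001", "not-the-secret", now)
        denied = False
    except PermissionError:
        denied = True
    return len(leaked), denied, len(svc.history_for_owner("FOB-0001", owner_secret, now))
```

`demo()` returns `(1, True, 1)`: the 40-day-old check-in falls outside the window, the bare fob id leaks the recent one, and the hardened path refuses it without the owner secret.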
Luca is developed by the Berlin start-up neXenio and promoted by Smudo of Die Fantastischen Vier, among others.
Mecklenburg-Western Pomerania, Berlin, Brandenburg, Lower Saxony, Hesse, Rhineland-Palatinate, Baden-Württemberg, Schleswig-Holstein, Bavaria, Saxony-Anhalt, Hamburg and Saarland rely on Luca and, according to research by netzpolitik.org, are spending a total of almost 20 million euros on it, including the cost of connecting the health authorities and the SMS service used to validate the phone numbers of Luca users.
The Chaos Computer Club (CCC) is now calling for no more tax money to be spent on Luca.
Linus Neumann, one of the CCC spokesmen, referred to a "never-ending series of security problems".
He called the vulnerability discovered by Team LucaTrack "obvious and unnecessary"; it testifies to "a fundamental lack of understanding of the fundamental principles of IT security".
"Nevertheless, more and more countries are wasting tax money on the digital promise of salvation without a correct tendering process," the CCC statement continues.
The club called for "an immediate moratorium, a review of procurement practices by the Federal Audit Office and an immediate end to compulsory use of the app.
The state-subsidized roll-out of unchecked software for handling highly sensitive health and movement data is out of the question."