Interesting facts about the new security gap in the Luca app

It was meant to abolish the paperwork of registering in pubs, but it makes headlines above all because of security gaps. The latest loophole poses no danger, at least for users.

It should be that easy: Check-in via QR code in the Luca app.

The app “Luca” is considered central for many operators of restaurants and hotels and for concert organizers in order to enable a new start after Corona. Anyone who goes to a place where a lot of people come together scans a QR code there with the app on their mobile phone and is spared the annoying task of filling out contact-tracing slips – that’s the simple idea. But recently Luca has been making headlines mainly because of security deficiencies.

The latest blow, for the time being, came from security expert Marcus Mengs in the middle of the week. He showed that the app can be exploited by hackers to attack the health authorities connected to the system. 313 of around 400 health authorities in Germany use the app to quickly access the contact details of the people who were present in the event of a corona outbreak, for example in a restaurant.

Excel export as a weak point

The contact data is exported as Microsoft Excel spreadsheets – and this is exactly where the weak point lies. As Mengs showed in a video, hackers can execute arbitrary commands on the computers of the health department through a known security hole in Excel. The process is called “Code Injection”: the attack uses special characters that are inserted into the name of a person registered in the Luca app and are then interpreted by Excel when the export is opened. Attackers can steal data or load extortion software onto the computer, which paralyzes the machine. Such “ransomware” attacks caused serious damage in the wake of the Emotet malware until the beginning of this year.

The potential victims of the loophole are therefore the health authorities, not the users of the app. The latter are in no danger of being attacked themselves. They can only become indirect victims if hackers manage to steal the data entered into the Luca app – usually name, telephone number and email address.

Danger only if you ignore warning messages

Health authorities are also only susceptible if their IT systems allow so-called macros – mini programs embedded in office applications. In addition, several warning messages appear on an employee’s screen, which the employee must actively acknowledge before the attack can succeed. This leads back to the question of whether employees in German authorities take such warning messages seriously or just click them away and ignore them. Unfortunately, experience with Emotet suggests that the latter is more likely – the malware hit city administrations more than average.

Markus Bublitz, spokesman for the company Nexenio, which sells the Luca app, pointed out to the FAZ that macros are deactivated at system level in most of the health authorities that use the Luca system. This means that the clerks never even reach the warning messages they might otherwise ignore. Nevertheless, measures were taken immediately after the gap became known on Wednesday to close it. Since then, the app has only allowed Latin letters in the names of registered people.
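The two defensive layers the article describes, an allow-list on the name field (the fix Luca shipped) and a neutralization step when the contact list is written out for Excel, as an added illustration. This is example code written for this page, not Nexenio’s or the Luca project’s code; the trigger-character list, the exact allow-list (ASCII and Latin-1 letters, space and hyphen) and the sample check-ins are assumptions.

```python
"""Defensive handling of a contact-tracing export (added illustration, not Luca code).

Layer 1: an allow-list check on the name at registration time, approximating
the "Latin letters only" rule the article mentions.
Layer 2: at export time, any cell that a spreadsheet would read as a formula
is prefixed with an apostrophe so it is stored as literal text.
"""
import csv
import io
import re

# Characters that make a spreadsheet evaluate a cell as a formula when the file
# is opened. Follows the usual CSV/formula-injection guidance; assumed here.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Assumed approximation of "Latin letters only": ASCII letters, Latin-1 letters
# with diacritics, space and hyphen; must start with a letter.
LATIN_NAME = re.compile(r"^[A-Za-zÀ-ÖØ-öø-ÿ][A-Za-zÀ-ÖØ-öø-ÿ \-]*$")


def is_latin_name(name: str) -> bool:
    """Return True if the name passes the registration allow-list."""
    return bool(LATIN_NAME.fullmatch(name))


def neutralize_cell(value: str) -> str:
    """Prefix the cell with an apostrophe if a spreadsheet would treat it as a formula.

    Leading whitespace is skipped first, so " =1+1" is handled like "=1+1".
    """
    if value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_contacts(visits):
    """Build the CSV text a health authority would open in Excel.

    visits: iterable of (name, phone, email) tuples.
    Rows whose name fails the allow-list are not exported; they are returned
    separately so a human can review them. Returns (csv_text, rejected_rows).
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "phone", "email"])
    rejected = []
    for name, phone, email in visits:
        if not is_latin_name(name):
            rejected.append((name, phone, email))
            continue
        # Defence in depth: neutralise every exported field, not only the
        # validated name, because phone and email are attacker-supplied too.
        writer.writerow([neutralize_cell(f) for f in (name, phone, email)])
    return buf.getvalue(), rejected


# Constructed sample check-ins for the demonstration, not real data.
SAMPLE_VISITS = [
    ("Anna Müller", "+49 30 123456", "anna@example.org"),
    ("=1+1", "+49 30 654321", "x@example.org"),        # formula-like name: rejected
    ("Jean-Luc Picard", "@home", "jl@example.org"),    # phone field needs neutralising
]

if __name__ == "__main__":
    text, bad = export_contacts(SAMPLE_VISITS)
    print(text)
    print("rejected for review:", bad)
```

Note the trade-off the second layer introduces: a legitimate phone number written with a leading “+” also receives the apostrophe, so the export stays safe but the field is no longer a plain number. That is why the allow-list at registration time, which keeps formula-trigger characters out of the data in the first place, is the better primary control and the export-time step is only a backstop.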

No known abuse so far

There is no known case of the vulnerability having been exploited at a health department, said Bublitz. The state capital Stuttgart, as the body responsible for the local health department, confirmed at the request of the FAZ that the security gap on the Luca server had been closed and could no longer be exploited afterwards. The city administration’s own department verified this. It was also said that the potential damage from the gap was great, but the likelihood of a successful attack was comparatively low. The reason: “The type of attack is neither new nor specific to Luca,” the state capital stated.

As a result, the Luca app should be safe to use again for both users and health authorities. Bublitz, the manufacturer’s spokesman, still says: “We don’t want to downplay that. The trust of the people in Germany is important to us and we try to do everything for it.”

Editor’s note: In an earlier version of this text, the name of the person who discovered the vulnerability was unfortunately misspelled: His name is Marcus Mengs. Please excuse the mistake.