For the third time, everything wrong:

How trivial critical vulnerabilities can lead to a complete leak of sensitive COVID-19 data on all citizens of the country

Pavol Lupták, Nethemba

Who Am I

  • IT security guy, founder of IT security hacking companies (Nethemba, Hacktrophy) & contemporary art (Satori)
  • In the past I participated in revealing a lot of vulnerabilities in public services or massively used products
    • SMS tickets used in most European cities
    • Mifare Classic cards (the first opensource cracker)
    • SMS parking tickets used in Slovakia
    • CHDÚ - eKasa - the system used by all Slovak entrepreneurs to register cash operations
  • Always followed "responsible vulnerability disclosure" - notify the vendor, wait for the fix/patch and then release the information about the vulnerability

NHIC - National Health Information Center

  • In Slovakia, COVID-19 data management is highly centralized - all COVID-19 related information is gathered and centrally stored in one place
  • NHIC is responsible for gathering, analyzing, and storing the COVID-19 tests and COVID-19 vaccinations of all citizens of Slovakia
  • NHIC is a single point of failure - if its apps/servers are compromised, the COVID-19 data about all citizens will leak / can be misused...

The first fail:

COVID-19 infected people are dangerous; let's publish the map - where they live!

  • 30.3.2020 the map of COVID-19 positive people leaked from NHIC - the age, gender, and street of each person(!)
  • What was the goal?
    • To reveal the locations with the most infections?
  • NHIC argued this information cannot be misused

The first fail:

Deanonymization attack

There are probably not many people with the given age and gender living on one street in one city

Let's deanonymize them!

The first fail:

Deanonymization attack

  • The public Slovak Cadaster contains all information about property owners, including their name and birthdate
  • Let's download the information about all owners who have properties on the given street (from the COVID-19 map)
  • Filter all people with the given age
  • Filter all people with the given gender
  • Voilà - we likely have the name of the COVID-19 positive person (or just a few candidates)
  • It works for owners of properties only (not renters)
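The same quasi-identifier matching, turned into the pre-release check a publisher should run before putting such a map online: an added example in Python, not from the talk, with a constructed population register standing in for the Cadaster and constructed map records. It also shows that generalising exact ages to 10-year bands raises k, a standard mitigation.

```python
from collections import Counter

# Constructed population register standing in for the Cadaster:
# (name, age, gender, street). Not real people.
POPULATION = [
    ("A. Novak", 34, "M", "Hlavna"),
    ("B. Kral", 34, "M", "Hlavna"),
    ("C. Horak", 61, "F", "Hlavna"),
    ("G. Sima", 66, "F", "Hlavna"),
    ("D. Varga", 29, "F", "Kvetna"),
    ("E. Toth", 45, "M", "Kvetna"),
    ("F. Balaz", 47, "M", "Kvetna"),
]

# Constructed release: the (age, gender, street) triple the map exposed per case.
RELEASE = [(34, "M", "Hlavna"), (61, "F", "Hlavna"), (45, "M", "Kvetna")]


def age_band(age, width=10):
    """Generalise an exact age to a band such as '40-49'."""
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"


def equivalence_class_sizes(release, population, generalise=False):
    """For each released record, count the population members sharing its
    quasi-identifiers. A size of 1 means the record points at one person."""
    def key(age, gender, street):
        return (age_band(age) if generalise else age, gender, street)
    classes = Counter(key(a, g, s) for _, a, g, s in population)
    return [classes[key(a, g, s)] for a, g, s in release]


def k_anonymity(release, population, generalise=False):
    """The smallest equivalence class in the release: the k of k-anonymity.
    A publisher should refuse to release anything with k below a threshold."""
    sizes = equivalence_class_sizes(release, population, generalise)
    return min(sizes) if sizes else 0


if __name__ == "__main__":
    print("exact ages  :", equivalence_class_sizes(RELEASE, POPULATION))
    print("k           =", k_anonymity(RELEASE, POPULATION))
    print("10-year band:", equivalence_class_sizes(RELEASE, POPULATION, True))
    print("k           =", k_anonymity(RELEASE, POPULATION, True))
```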

The first fail:

Deanonymization attack

  • Despite the possibility, it seems that this attack has never been publicly executed
  • NHIC stopped publishing pseudo-anonymous data about COVID-19 patients that can be deanonymized
  • Slovak politicians spread rumours that this attack was not feasible (of course it was)

The second fail:

Let's enumerate and download all COVID-19 tests

Obtaining a database of all 390 000 people in Slovakia tested for COVID-19 (yes, no kidding):

#!/bin/bash
# sequential numeric identifiers, no authentication: every record is one GET away
for (( i=8966; i < 391000; i++ )); do
    wget https://mojeezdravie.nczisk.sk/api/cntnt.dnld.php/$i
done

The second fail:

The database includes:

  • name and surname of each tested person
  • birth number and date of birth
  • sex
  • mobile number
  • place of residence
  • information on clinical symptoms (pneumonia, fever, cough, malaise, rhinitis, headache, joint and muscle pain)
  • code of the samples and the exact date of collection
  • the name of the laboratory that performed the test
  • the applicant’s medical doctor and the protocol number
  • the date of receipt and examination
  • the type of test and the COVID-19 result.

The second fail:

  • The misuse of this vulnerability, leading to the leakage of the personal data and COVID-19 test results of more than a quarter of a million Slovak citizens, was possible due to the following factors:
    • A leak of the API format to public search engines (which indexed it)
    • Possibility of unauthorized access to API calls, which allowed access to sensitive information without any authentication
    • Ability to get information about all patients by simply enumerating a numeric identifier
    • The absence of any mechanism that would prevent the massive download of this data
    • All data was unencrypted (in “plaintext”)
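The "absence of any mechanism" point, turned into the detection a defender could have had in place: an added example in Python, not from the talk, that scans constructed access-log lines for one client walking a numeric identifier sequentially. The endpoint path is the one from the talk; the client addresses, timestamps and sizes are invented.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format). The endpoint path is the
# one from the talk; client addresses, timestamps and sizes are invented.
LOG = """\
10.0.0.5 - - [13/Sep/2020:22:01:01 +0200] "GET /api/cntnt.dnld.php/8966 HTTP/1.1" 200 5120 "-" "Wget/1.20"
10.0.0.5 - - [13/Sep/2020:22:01:01 +0200] "GET /api/cntnt.dnld.php/8967 HTTP/1.1" 200 5100 "-" "Wget/1.20"
10.0.0.5 - - [13/Sep/2020:22:01:02 +0200] "GET /api/cntnt.dnld.php/8968 HTTP/1.1" 200 5133 "-" "Wget/1.20"
10.0.0.5 - - [13/Sep/2020:22:01:02 +0200] "GET /api/cntnt.dnld.php/8969 HTTP/1.1" 200 5098 "-" "Wget/1.20"
10.0.0.5 - - [13/Sep/2020:22:01:03 +0200] "GET /api/cntnt.dnld.php/8970 HTTP/1.1" 200 5111 "-" "Wget/1.20"
192.0.2.9 - - [13/Sep/2020:22:01:05 +0200] "GET /api/cntnt.dnld.php/120433 HTTP/1.1" 200 5080 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Sep/2020:22:40:11 +0200] "GET /api/cntnt.dnld.php/120433 HTTP/1.1" 200 5080 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r"^/api/cntnt\.dnld\.php/(\d+)$")

def parse(log_text):
    """Yield (client_ip, record_id, status) for each request to the id endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idm = ID_RE.match(m["path"])
        if idm:
            yield m["ip"], int(idm.group(1)), int(m["status"])

def find_enumerators(log_text, min_ids=5, max_gap=2):
    """Flag clients whose successfully fetched ids are numerous and form a
    near-consecutive run: the signature of walking a numeric identifier.
    Returns {client_ip: (distinct_ids, consecutive_steps)}."""
    ids_by_ip = defaultdict(set)
    for ip, rid, status in parse(log_text):
        if status == 200:
            ids_by_ip[ip].add(rid)
    flagged = {}
    for ip, ids in ids_by_ip.items():
        run = sorted(ids)
        steps = sum(1 for a, b in zip(run, run[1:]) if b - a <= max_gap)
        if len(ids) >= min_ids and steps == len(ids) - 1:
            flagged[ip] = (len(ids), steps)
    return flagged

if __name__ == "__main__":
    print(find_enumerators(LOG))  # constructed log: only 10.0.0.5 is flagged
```

In production the same check runs per time window; a rate limit or an authenticated, per-user resource lookup removes the enumeration path entirely.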

The second fail:

DATA INFORMATION AND POTENTIAL MISUSE

  • We downloaded a large enough sample of random data and verified that these were genuinely unique records
  • Based on the numeric identifiers, we detected at least 391250 valid records
  • Leaked information such as name, surname, birth number, date of birth, gender, mobile number, place of residence or email can be misused for sophisticated targeted social engineering attacks (phishing, vishing and others).
  • By using other available information, such as the test result, the health insurance company or the name of the laboratory that performed the test, it is possible to carry out sophisticated targeted “scam” attacks.

The second fail:

CONCLUSION

  • Why should such sensitive information about everyone tested for COVID-19 be placed on the public Internet at all?
  • Why wasn’t it anonymized or encrypted in any way?
  • Why wasn’t it protected by authentication in any way?
  • Why weren’t patient records that were several months old destroyed?
  • If the state cannot protect the personal information of everyone tested for COVID-19, why do we think it can protect the sensitive location data it can obtain from mobile operators?

The second fail:

RESPONSIBLE DISCLOSURE OF THE VULNERABILITY

  • Because this was sensitive data about a large part of the Slovak population, we reported this vulnerability through the official CSIRT channel on the 13th of September 2020 at 23:30.
  • The vulnerability was fixed on the 16th of September around 16:30-16:50.
  • Only after this vulnerability was fixed did we decide to publish this vulnerability report.

The third fail:

How to get an EU vaccination certificate for any citizen of Slovakia based on their name and date of birth

The third fail: eHranica

Track & trace app that completely failed

  • eHranica is a mandatory app that has to be used by all people traveling to Slovakia
  • You must fill in the date of your visit to Slovakia, the country you are returning from, and your personal data (first name, surname, birth number or ID number assigned by another country, your email address, and mobile number). You then tick whether or not you are vaccinated: if you are not, you agree to the quarantine (if you are vaccinated, you do not go into quarantine)

The third fail: eHranica

The eHranica app allowed anyone to change the contact details of any registered citizen (the details initially set up during vaccination); all you needed to know was the birth number

The third fail: eHranica

  • You could fill in eHranica for anyone whose birth number you know
  • In the form you used new contact details, and this information was automatically updated for the given person
  • This means that you could trivially gain full control over all the communication channels of any person whose birth number you know, and then use them to obtain or modify their sensitive information
  • And this means you could have the EU COVID-19 certificate for the given person sent to you, or do any other operation on behalf of the “victim” - register for vaccinations, make changes to the vaccination registration, edit personal information, or create GreenPass app access credentials.

The third fail:

Reveal the birth number

  • A Slovak/Czech birth number can be expressed in the form YYMMDDXXXX and must always be divisible by 11, where YYMMDD is the birthdate of the given person
  • We used a set of trivial scripts to generate all male and female birth numbers (there are 30 million in total)
  • To verify which of the above birth numbers are actually valid, we used the publicly available service “Verification of the insured person’s insurance relationship” https://www.portaludzs.sk/web/eportal/
    • The CAPTCHA verification was broken at this portal
    • Thanks to the "optional" "Name" and "Surname" fields, we could always find the birth number of a given person
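Why this works at all: a birth number is an identifier with public structure, not a secret. An added example in Python, not from the talk, that validates the YYMMDDXXXX / divisible-by-11 structure the slide describes and counts how few candidates remain once a birthdate and sex are known. The +50 month offset for women and the 1954 cut-off for 10-digit numbers are properties of the scheme that the talk does not state; the birth number in the demo is constructed.

```python
from datetime import date
from math import log2

def is_valid_birth_number(bn: str) -> bool:
    """Structural check of a 10-digit birth number YYMMDDXXXX as the talk
    describes it: the date part must be a real date (women carry month + 50,
    a property of the scheme) and the whole number must be divisible by 11."""
    if len(bn) != 10 or not bn.isdigit():
        return False
    yy, mm, dd = int(bn[0:2]), int(bn[2:4]), int(bn[4:6])
    if mm > 50:
        mm -= 50
    # 10-digit numbers have been issued since 1954, so YY < 54 means 20YY.
    year = 2000 + yy if yy < 54 else 1900 + yy
    try:
        date(year, mm, dd)
    except ValueError:
        return False
    return int(bn) % 11 == 0

def candidate_count(born: date, female: bool) -> int:
    """How many structurally valid birth numbers exist for one person whose
    birthdate and sex are known. The answer (909) is the whole search space
    a guesser faces, which is why the number cannot act as an authenticator."""
    month = born.month + (50 if female else 0)
    prefix = f"{born.year % 100:02d}{month:02d}{born.day:02d}"
    return sum(1 for x in range(10000) if int(f"{prefix}{x:04d}") % 11 == 0)

def secret_bits(born: date, female: bool) -> float:
    """Entropy of the birth number given the birthdate, in bits (about 9.8)."""
    return log2(candidate_count(born, female))

if __name__ == "__main__":
    print(is_valid_birth_number("9112200009"))  # constructed, structurally valid
    print(candidate_count(date(1991, 12, 20), female=False))
    print(round(secret_bits(date(1991, 12, 20), female=False), 1))
```

Under ten bits of secret is far below any rate limit or CAPTCHA's margin of safety; the fix is to stop treating the birth number as proof of identity, not to hide it better.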

The third fail:

Proof

We identified the birth numbers of several prominent Slovak politicians within minutes and downloaded their EU COVID-19 Certificates or the results of their COVID-19 antibody tests

Of course, it was also possible to identify the birth number of any citizen of the Slovak Republic and download their COVID-19 certificate or the result of their COVID-19 antibody test.

The third fail:

Possibility of a widespread leak and misuse of EU vaccination certificates

1. Using the Land Registry, where each title deed contains the name, surname, and date of birth of the owner (and the birth number is also recorded)

2. Using the “leaked” land registry

3. Using the State Population Register (REGOB)

The third fail:

IMPERSONATION ATTACKS:

Exploiting your namesake's valid EU vaccination certificate

  • The 100% digitally valid EU vaccination certificate obtained this way can be used by an unvaccinated person when traveling, when entering restaurants, and in all places where vaccination certificates are required.
  • Since no one assumes that anyone can obtain their namesake’s EU vaccination certificate, virtually no one verifies the date of birth when checking the EU vaccination certificate.
The third fail:

Possibility of contamination of the NHIC database: HOW TO QUARANTINE VIRTUALLY ANYONE

  • We have demonstrated that it is possible to register your (non-)favorite politician, or any person whose name and date of birth you know, through the eHranica application
  • If you fill in a “return” for him/her from any COVID-19 risk country and at the same time this person is not vaccinated (or has not recovered from COVID-19), he/she is automatically at risk of mandatory quarantine and denial of free movement.
  • The whole eHranica application can thus be trivially contaminated and makes no sense.

The third fail:

RESPONSIBLE DISCLOSURE OF THE VULNERABILITY

  • Vulnerability reporting date to CSIRT: 30.7.2021 at 18:23:43
  • Date of confirmed receipt by CSIRT: 2.8.2021 at 8:32:35
  • Confirmation of the fix for the vulnerability: 9.8.2021 at 11:59:24

Despite the responsible disclosure policy:

NHIC has filed a criminal complaint against an unknown perpetrator

(we are the only ones who can be prosecuted)

Despite the responsible disclosure policy:

Instead of saying "thank you", NHIC has accused us of:

  • Stealing the birth numbers of citizens (we have never done it; we just generated them from scratch)
  • Publicly misusing NHIC to change the contact details of citizens and steal their data (we have never done it; we strictly followed "Responsible Vulnerability Disclosure" and we did not publish any sensitive information)

A black day for IT security in Slovakia

This is a dangerous precedent that will only make the security of state IT systems suffer, as no IT security firm and no individual will have the incentive to report any vulnerabilities in state systems if they have to face the risk of prosecution.

Thanks for your attention!