More than 130,000 corona test results unprotected online


Anyone entering the Berlin Süd test center takes a trip back in time to blue gyms and whistles from sports teachers. The four test stations are in the middle of the gym of the Carl von Ossietzky Comprehensive School in Kreuzberg: gray linoleum floor with colorful lines, basketball hoops on the walls. But instead of sweating teenagers, friendly adults with masks and gloves in sterile packaging await you.

For every dozen employees at the test center, there are only three visitors that afternoon who want to be tested. It is all over quickly: scan the QR code, present your identity card, suppress the gag reflex during the swab. Three minutes later you’re back outside in the drizzle in the school playground. After 17 minutes an email arrives with the result of the rapid test: “Negative result. No Sars-CoV-2-specific antigen could be detected.”

That is the good news. The bad news: 136,000 of these test results remained unprotected online for weeks. This is what experts from Zerforschung – a collective of IT experts – and the Chaos Computer Club (CCC) found out. They warned the relevant authorities. Their analysis was made available to the Süddeutsche Zeitung, Rundfunk Berlin-Brandenburg and the Viennese newspaper Der Standard.

There were security gaps in the software that the Berlin center uses to book appointments and make results digitally available to the people who have been tested. No password of any other person was needed to access PDF documents that recorded the name, address, e-mail address and telephone number of the person tested, the exact time of the test – and the result of the nasal or throat swab.

Like many other centers in Germany, the Berlin Süd test center is operated by the Munich-based company 21Dx. The company confirmed the security gap to the SZ. However, the fault lies with software called Safeplay from Medicus AI, a company from Vienna. This “Covid-19 platform” is used by more than 150 test centers in Germany and Austria. According to Zerforschung and the CCC, facilities in Munich, Berlin, Mannheim and Klagenfurt in Austria were in any case affected by the gap. In Munich it is the centrally located test station in the Residenz.

After the Federal Office for Information Security (BSI) was alerted by Zerforschung, it informed Medicus AI. The Austrian company in turn got in touch with the companies that use its software. A spokesman for the BSI told the SZ: “The vulnerability was closed at short notice in cooperation with the company. The BSI currently has no evidence that the vulnerability has been misused.”

Medicus AI told the SZ that the vulnerability was caused “by a bug in a software update from mid-February”. It could theoretically be used “only by a technically well-versed person with the appropriate technical tools”. According to the SZ’s findings, however, no special software was required to exploit the weak points. A working e-mail address and an ordinary Internet browser were sufficient to access sensitive information about many people. Medicus AI stated that there were 5774 hits on results while the vulnerability existed. However, the company did not deny that 136,000 test results were accessible to unauthorized persons.

According to the General Data Protection Regulation, health data is one of the personal data that needs to be protected particularly well; it falls into the same category as ethnic origin, sexual orientation or religious beliefs.

The Medicus AI software also contained a second gap: unauthorized persons could log into a portal intended for employees. There, statistics showed how many positive and negative findings there had been in a given period. It was also possible to call up photos of the QR codes including the test results. However, this would have required significantly more effort and skill – the freely accessible PDF documents with the test results represented the far greater risk. Both security gaps were closed in the course of the past week.

By the end of last week, the researchers said they could even change the names in many accounts. This made it possible to generate and download existing test results under completely new personal data. Theoretically, any unauthorized person could have had a positive or negative result issued in his or her own name. Medicus AI has now also removed this possibility of abusing the system. A member of Zerforschung said: “Basically, they took away all of the errors. The authorization processes were profoundly inadequate.” Linus Neumann from the CCC added: “This is not the first and certainly not the last security gap in hastily tinkered Corona IT.”
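The two failures described above – result PDFs served without checking who is asking, and account names editable after a result has already been issued – are both missing object-level authorization checks. The following Python sketch is an added illustration of that class of flaw and is not code from Safeplay, Medicus AI or the researchers; all accounts, result ids, paths and log lines in it are constructed. It shows the unchecked lookup beside a hardened version that ties every result to the authenticated session, a profile update that refuses to rename an account once a result exists, and a small detection routine that flags cross-account downloads in an access log of the assumed format.

```python
"""Constructed example: object-level authorization for a test-result portal."""
import re
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not read or modify the requested resource."""


@dataclass
class Account:
    account_id: int
    email: str
    name: str


@dataclass
class TestResult:
    result_id: int
    owner_id: int   # account of the person who was tested
    outcome: str    # "negative" or "positive"
    pdf_path: str


# Constructed sample data; none of it comes from a real platform.
ACCOUNTS = {
    1: Account(1, "alice@example.invalid", "Alice Example"),
    2: Account(2, "bob@example.invalid", "Bob Example"),
    3: Account(3, "carol@example.invalid", "Carol Example"),  # no result yet
}
RESULTS = {
    1001: TestResult(1001, 1, "negative", "/pdf/1001.pdf"),
    1002: TestResult(1002, 2, "positive", "/pdf/1002.pdf"),
}


def fetch_result_unchecked(result_id: int) -> TestResult:
    """Vulnerable pattern: the result id is the only input, so any session
    (or anyone who can enumerate ids) receives any person's PDF."""
    return RESULTS[result_id]


def fetch_result(session_account_id: int, result_id: int) -> TestResult:
    """Hardened pattern: look the record up, then compare its owner with the
    authenticated session. Unknown and foreign ids raise the same error so
    the endpoint does not reveal which ids exist."""
    result = RESULTS.get(result_id)
    if result is None or result.owner_id != session_account_id:
        raise Forbidden("result not accessible")
    return result


def rename_account(session_account_id: int, target_account_id: int,
                   new_name: str) -> Account:
    """Hardened profile update: only the owner may edit the account, and the
    name is frozen once a result exists, so an issued certificate cannot be
    regenerated under a different identity."""
    if session_account_id != target_account_id:
        raise Forbidden("cannot modify another account")
    if any(r.owner_id == target_account_id for r in RESULTS.values()):
        raise Forbidden("name is locked after a result has been issued")
    account = ACCOUNTS[target_account_id]
    account.name = new_name
    return account


# Constructed access-log lines in an assumed format (not a real log).
SAMPLE_ACCESS_LOG = [
    "2021-03-16T14:02:11Z session_account=1 GET /result/1001.pdf 200",
    "2021-03-16T14:02:19Z session_account=1 GET /result/1002.pdf 200",
    "2021-03-16T14:03:40Z session_account=2 GET /result/1002.pdf 200",
    "2021-03-16T14:05:02Z session_account=2 GET /result/4242.pdf 403",
]

LOG_PATTERN = re.compile(
    r"session_account=(\d+) GET /result/(\d+)\.pdf (\d{3})")


def find_cross_account_downloads(lines):
    """Detection: return (session, result_id) pairs for successful downloads
    where the session account is not the owner of the requested result."""
    suspicious = []
    for line in lines:
        m = LOG_PATTERN.search(line)
        if not m:
            continue
        session_id, result_id, status = int(m[1]), int(m[2]), m[3]
        result = RESULTS.get(result_id)
        if status == "200" and (result is None or result.owner_id != session_id):
            suspicious.append((session_id, result_id))
    return suspicious


if __name__ == "__main__":
    print(fetch_result(2, 1002).outcome)            # positive
    print(find_cross_account_downloads(SAMPLE_ACCESS_LOG))  # [(1, 1002)]
```

The ownership comparison in `fetch_result` is the single line whose absence turns a result id into a key that opens every record; the detection routine is the retrospective counterpart, answering the question the BSI statement above raises (whether the gap was actually used) from the server's own logs, provided those logs record which session fetched which result.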

Exactly one year ago an employee of Medicus AI wrote in a blog post that the confidentiality of patient data had been important to medicine for centuries, and that his company would ensure it stayed that way in the future. That confidentiality did not apply to the thousands of people who had themselves tested for Corona.
