“Obviously insecure”: Chaos Computer Club warns of Luca app

The Luca app is supposed to end the paper mess in contact tracing. Twelve federal states are investing tax money to be able to use it. But on closer inspection, computer experts have found “unnecessary” security gaps.

The Chaos Computer Club (CCC), Europe's largest hacker association, has called for no more tax money to be spent on the Luca app for coronavirus contact tracing. Club spokesman Linus Neumann referred to a “never-ending series of security problems” with the system. Previously, data protection activists had pointed out weaknesses in the Luca key fobs, which are intended for people without a smartphone.

“Anyone who scans the QR code (of a key fob) will not only be able to check in under your name in the future, but will also be able to see where you have been up to now,” criticizes Neumann. He referred to research that was published on the Internet under the title “Lucatrack”. “The weak point is obvious and unnecessary. It shows a fundamental lack of understanding of the basic principles of IT security.”

“Nevertheless, more and more federal states are wasting tax money on the digital promise of salvation without a proper tendering process,” explains the CCC spokesman. “Mecklenburg-Western Pomerania even wants to make the installation a prerequisite for participation in public life.”

Developer admits mistakes

The developer of the app, the Berlin start-up Nexenio, admits “that unauthorized third parties in possession of the QR code on the key fob could call up the respective contact history”. “We deactivated this option immediately after the report, and thank you for the notification. At no point in time could any contact details such as address or telephone number be retrieved.”

The makers of the Luca app recommend using your personal key fob with its QR code only for check-in at the establishments intended for this purpose, and not publishing a photo of your own individual key fob on the Internet, in order to “avoid malicious abuse”.

The Luca system records contact data with three parties involved: guest, host and health authority. Visitors to restaurants or customers in retail stores, for example, receive a QR code that is scanned with the mobile phone app. In the event of an infection, the data is to be transmitted directly and in encrypted form to the participating health authorities. This is meant to end the paperwork that many businesses have used so far.
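The weakness the CCC describes, a static key-fob QR code that serves both as the check-in identifier and as the only credential needed to read back the visit history, can be modelled in a few lines. The following is an added illustration written for this page; it is not Luca's or Nexenio's code, and the `CheckinService`, its `register`, `check_in` and `history_*` methods and the sample venue names are assumptions about how such a backend could be structured. It puts the vulnerable read path next to a hardened one that gates history reads on a secret that is never printed on the fob. Impersonated check-ins remain possible with a static QR code either way, which is why the makers advise against publishing a photo of the fob.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Guest:
    name: str
    qr_token: str                 # printed on the key fob; anyone who scans it has it
    history_secret_hash: bytes    # hash of a secret that is never printed on the fob
    visits: List[str] = field(default_factory=list)


class CheckinService:
    """Hypothetical model of a key-fob check-in backend (assumption, not Luca's real API)."""

    def __init__(self) -> None:
        self._by_qr: Dict[str, Guest] = {}

    def register(self, name: str) -> Tuple[str, str]:
        """Return (qr_token, history_secret). Only the QR token goes on the fob."""
        qr_token = secrets.token_urlsafe(16)
        history_secret = secrets.token_urlsafe(16)
        digest = hashlib.sha256(history_secret.encode()).digest()
        self._by_qr[qr_token] = Guest(name, qr_token, digest)
        return qr_token, history_secret

    def check_in(self, qr_token: str, venue: str) -> str:
        """A venue scans the fob. The static QR code is the only check-in
        credential, so whoever holds a copy can check in under the guest's name."""
        guest = self._by_qr[qr_token]
        guest.visits.append(venue)
        return guest.name

    # Vulnerable: the scannable identifier doubles as a read capability.
    def history_insecure(self, qr_token: str) -> List[str]:
        return list(self._by_qr[qr_token].visits)

    # Hardened: reading history requires a secret the fob never carried,
    # compared in constant time against its stored hash.
    def history_hardened(self, qr_token: str, history_secret: str) -> List[str]:
        guest = self._by_qr[qr_token]
        presented = hashlib.sha256(history_secret.encode()).digest()
        if not hmac.compare_digest(presented, guest.history_secret_hash):
            raise PermissionError("history read requires the owner's secret")
        return list(guest.visits)


def demo() -> Tuple[List[str], str, bool, List[str]]:
    """Constructed scenario: a stranger photographs Alice's fob."""
    svc = CheckinService()
    qr, secret = svc.register("Alice")
    svc.check_in(qr, "cafe-1")
    svc.check_in(qr, "shop-2")

    # The stranger holds the QR token only: the insecure path leaks the history.
    leaked = svc.history_insecure(qr)
    # The static QR still lets the stranger check in under Alice's name.
    impostor_checked_in_as = svc.check_in(qr, "bar-3")
    # The hardened path refuses without the owner's secret ...
    try:
        svc.history_hardened(qr, "wrong-secret")
        blocked = False
    except PermissionError:
        blocked = True
    # ... and serves the owner, who holds it.
    owner_view = svc.history_hardened(qr, secret)
    return leaked, impostor_checked_in_as, blocked, owner_view


if __name__ == "__main__":
    print(demo())
```

The design point is that a value anyone can photograph is an identifier, not a secret; any operation that returns personal data must be authorized by something else, whether a separate secret held by the owner or, in a contact-tracing design, a key held only by the health authority.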

“Immediate moratorium”

Mecklenburg-Western Pomerania, Berlin, Brandenburg, Lower Saxony, Hesse, Rhineland-Palatinate, Baden-Wuerttemberg, Schleswig-Holstein, Saarland, Bavaria, Saxony-Anhalt and Hamburg are using the app, which was backed by, among others, Smudo, rapper of the hip-hop group Die Fantastischen Vier. It is financed through tax revenues. According to research by Netzpolitik.org, the federal states are paying a total of 20 million euros for it. This money covers the development of the app, the connection of the health authorities and the SMS service used to validate users' telephone numbers.

The Chaos Computer Club called for an “immediate moratorium” on the use of the Luca app. The procurement practices of the federal states should be examined by the Federal Audit Office. Nobody should be forced to use the app in order to participate in public life. “The state-subsidized roll-out of unvetted software is out of the question for handling highly sensitive health and movement data.”