Criticism of the publication How safe is the Corona warning app?

Status: 16.06.2020 3:01 a.m..

The official German Corona warning app can be downloaded as of today. It gets off well with privacy advocates. Nevertheless, there is criticism of their safety.

The hotline in particular could be a possible point of attack.

By Dennis Horn, WDR.

Data protection activists and experts had a lot of praise for the German Corona warning app even before it started. You make “overall a solid impression,” says the Federal Data Protection Commissioner Ulrich Kelber in the “Saarbrücker Zeitung”. “In Germany it took a little longer. But that was also correct,” said the computer scientist Henning Tillmann, chairman of the digital-political association D64, of the tagesschau .

Nevertheless: After the source code was published, SAP and Deutsche Telekom also recently had to deal with a series of headlines that questioned the security of the app.

Embed video.

Terms of use Embedding Tagesschau: By clicking on the item “I agree”, the user accepts these terms and conditions. This gives the user the opportunity to use the video player free of charge and non-exclusively for embedding in their own offer. The user expressly recognizes the free editorial responsibility for the content provided by the Tagesschau and will therefore use it unchanged and in full only within the scope of the requested use.

In particular, the user may not change the logo of the NDR and the daily news in the NDR video player. In addition, the use of logos, brands or other signs of the NDR requires the prior consent of the NDR. The user guarantees that the offer will be played or displayed without advertising. If the user presents advertising in the vicinity of the video player in their own online presence, this must be designed in such a way that a reference can neither be made directly nor indirectly in terms of content between the NDR video player and the advertising messages. In particular, it is not permitted to interrupt the program offerings by advertising or to use other forms of online typical advertising, such as pre-roll or post-roll displays, split screen or overlay.

The video player is made available unencrypted by the user. The user will not charge any third party for using the NDR video player. Digital rights management systems used by the user may not be used.

The user is responsible for including the content of the Tagesschau in his online presence. The user will license any rights that may be necessary from the collecting societies directly and will release the NDR from any claims by the collecting societies with regard to making accessible within the framework of the online presence or will reimburse the NDR for any costs incurred.The right to revoke this usage license then lies in particular if the user violates the provisions of these terms and conditions. Irrespective of this, the authorization to use a video ends if the NDR cannot further distribute it for legal reasons (in particular copyright, media or press law). In these cases, the NDR will take the offer offline without prior notice.

The user is prohibited from using the corresponding offer from this point in time. The NDR can change these terms and conditions at any time after giving advance notice. They become part of the right of use if the user agrees to the changed terms and conditions.

To embed, just copy the HTML code and paste it on your page.

Telephone hotline as a possible security gap.

The hotline for infection reports is a particularly sensitive point. Together with a positive test result, users should also receive a QR code that they can scan with the app. This is how you can confirm that you are indeed infected.

But many laboratories are not prepared to generate these QR codes securely enough – a sign of the omissions in digitization.

This is how the warning app works.

At the beginning, users are therefore asked to call a hotline in the event of an infection, which also comes into play if users lose QR codes or have other problems with scanning them. The hotline staff then ask a series of questions to ensure that the callers actually tested positive.

Exactly this hotline could also become a possible – human – security gap: If trolls were able to cheat their way through the questions and trigger false alarms, the users’ trust in the app could be permanently damaged.

TÜV subsidiary would have liked more time for tests.

A safety notice came from the TÜV-Nord subsidiary TÜV-IT. Its experts checked the app on behalf of the Federal Office for Information Security and discovered serious deficiencies in the TAN codes that users can enter in the event of an infection. The algorithm with which these codes were generated was initially too easy to crack.

This error has been fixed. His testers are “pretty enthusiastic about how quickly and with what quality the developers reacted to weak points that were still discovered,” praised TÜV IT boss Dirk Kretzschmar. He also told the specialist portal “heise online” that he would have liked more time for tests and later publication.

Large parts of the app are still unchecked.

Can infected users be identified?

A paper by scientists from the Technical University of Darmstadt and the Universities of Marburg and Würzburg recently caused a stir. They had shown that attackers can identify infected users and create movement profiles about them.

Everything you need to know about the virus.

However, this option does not affect the German Corona warning app itself, but the interfaces in the Google and Apple operating systems, which official official Corona apps can access.

It has long been known that there are also security risks at this point. In order to be able to exploit them, however, attackers would have to put in such an enormous effort that the discussion would be more of an academic one.

Good grades from experts – but not a sure-fire success.

In the end, it stays that way: the Corona warning app is mostly getting good grades from experts for the moment. But it will probably not be a sure-fire success. The Bluetooth technology that the app relies on is being misused – it was never intended for tracking contacts.

And the possibility of even greater security risks occurring cannot be ruled out – after all, no software is one hundred percent secure.

Corona Warn App: Federal Minister Lambrecht warns to be careful Alfred Schmit, ARD Berlin June 16, 2020 6:34 a.m..

The Tagesschau reported on this topic on June 16, 2020 at 9:00 a.m..