
Anyone entering the Berlin South Test Center takes a trip back in time to blue gyms and sports teachers' whistles. The four test stations are located in the middle of the gymnasium of the Carl-von-Ossietzky-Gemeinschaftsschule in Kreuzberg: gray linoleum floor with colorful lines, basketball hoops on the walls. But instead of sweaty teenagers, friendly, guaranteed sterile adults with masks and gloves await you.
On this afternoon there are only three visitors wanting to be tested for every dozen employees of the test center. Accordingly, everything is over quickly: scan the QR code, present your ID card, and suppress your gag reflex during the swab. Three minutes later they are standing outside again, in the drizzle in the school playground. After 17 minutes an e-mail arrives with the result of the rapid test: "Negative result. No Sars-CoV-2 specific antigen could be detected."
That's the good news. The bad news: 136,000 of those test results sat unprotected on the web for weeks. That's what experts from Zerforschung - a collective of IT experts - and the Chaos Computer Club (CCC) found out. They warned the responsible authorities. Their analysis has been made available to the Süddeutsche Zeitung, the Rundfunk Berlin-Brandenburg and the Wiener Standard.
There were security gaps in the software the Berlin center uses to assign appointments and make results available digitally to those tested. No other person's password was needed to open PDF documents that recorded the name, address, e-mail address and telephone number of the person tested, the exact time of the test, and the result of the nasal or throat swab.
The Berlin South Test Center, like many other centers in Germany, is operated by the Munich-based company 21Dx. The company confirmed the security gap to the SZ. The error, however, lies in software called Safeplay from Medicus AI, a company based in Vienna. This "Covid-19 platform" is used by more than 150 test centers in Germany and Austria. According to Zerforschung and the CCC, the breach affected facilities in Munich, Berlin, Mannheim and Klagenfurt, Austria. In Munich, the test station in question is the centrally located one in the Residenz.
After the Federal Office for Information Security (BSI) was alerted by Zerforschung, it informed Medicus AI. The Austrian company in turn contacted the companies that use its software. A BSI spokesperson told SZ, "The vulnerability was closed in cooperation with the company at short notice. The BSI currently has no indication that the vulnerability has been abused."
Medicus AI told SZ that the vulnerability was caused "by a bug in an update of the software from mid-February." It could theoretically be exploited "only by a technically very skilled person with the appropriate technical tools." According to the SZ, however, no special software was needed to exploit the vulnerabilities. A functioning e-mail address and an ordinary Internet browser were enough to access sensitive information of many people. Medicus AI stated that there were 5774 accesses to results while the vulnerability existed. However, the company did not deny that 136,000 test results were accessible to unauthorized people.
Health data is among the personal data that requires special protection under the General Data Protection Regulation, falling into the same category as, say, ethnic origin, sexual orientation or religious beliefs.
Medicus AI's software also contained a second vulnerability: Unauthorized persons could log into a portal for employees. There, statistics can be used to track how many positive and negative findings there were in a given period. It was also possible to call up photos of the QR codes together with the test results. However, this would have required much greater effort and skill - the far greater risk was posed by the freely accessible PDF documents with the test results. Both security vulnerabilities were closed last week.
By the end of last week, the researchers were even able to change the names in many accounts, according to their own information. This made it possible to create and download existing test results with completely new data. Theoretically, any unauthorized person could have issued a positive or negative result in his or her name. Medicus AI has since removed this ability to abuse the system as well. A member of Zerforschung said, "Basically, they took everything in error once. The authorization processes were highly flawed." Linus Neumann of the CCC added, "This is not the first and certainly not the last security flaw in hastily crafted Corona IT."
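The two authorization failures the article describes, as an added Python example that is not Medicus AI's or 21Dx's code: a result lookup with no ownership check beside the hardened check, and an identity snapshot taken when a result is issued so that later edits to the account name cannot relabel an existing document. All accounts, ids and results below are constructed.

```python
# Added illustration, not the Safeplay code base: how a result-document
# endpoint should bind each PDF to its owner and to the identity at issue time.
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class Account:
    account_id: str
    name: str


@dataclass(frozen=True)
class TestResult:
    result_id: str
    owner_id: str
    issued_name: str  # captured at issue time, never re-read from the account
    verdict: str


@dataclass
class ResultStore:
    accounts: dict = field(default_factory=dict)
    results: dict = field(default_factory=dict)

    def issue(self, account_id, result_id, verdict):
        acct = self.accounts[account_id]
        # Snapshot the name now, so renaming the account later cannot
        # produce a "new" result under a different identity.
        self.results[result_id] = TestResult(result_id, account_id, acct.name, verdict)

    def render_pdf_vulnerable(self, result_id):
        # Flawed pattern: whoever knows the id gets the document; the
        # requester's identity is never compared with the result's owner.
        r = self.results[result_id]
        return f"{r.issued_name}: {r.verdict}"

    def render_pdf(self, requester_id, result_id):
        # Hardened: enforce ownership before releasing anything. Unknown ids
        # and foreign ids fail identically, so the endpoint leaks no id space.
        r = self.results.get(result_id)
        if r is None or r.owner_id != requester_id:
            raise AccessDenied("not your result")
        return f"{r.issued_name}: {r.verdict}"

    def rename_account(self, requester_id, account_id, new_name):
        if requester_id != account_id:
            raise AccessDenied("cannot edit another account")
        self.accounts[account_id].name = new_name
```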
Exactly one year ago, a Medicus AI employee wrote in a blog post that patient data confidentiality has been important to medicine for centuries. He said his company would ensure that this remains the case in the future. For thousands of people who got tested for Corona, that confidentiality did not apply.