c’t reveals: Critical security leak in the rescue service system IVENA


When the ambulance service has to come, seconds often make the difference – once the patient has been examined, they are usually transported to a hospital as quickly as possible. Ideally to one that can accommodate them and provide the best possible care. Because a trip to an overcrowded or improperly equipped emergency room can not only be expensive but, in the worst case, life-threatening, many rescue control centers and hospitals now rely on software and networked systems.

Such a system is called IVENA; the abbreviation stands for "Interdisciplinary Proof of Care" (Interdisziplinärer Versorgungsnachweis). The hospitals enter their resources into the online system – for example, capacities in the emergency room, doctors by specialist area and diagnostic devices. The rescue service staff who have examined the patient on site and need a place in a hospital give the rescue control center a six-digit code, the PZC code, by radio or cell phone. The first three digits encode the patient's condition, the following two digits the age, and the last digit the urgency.

IVENA then shows the hospitals in the catchment area that have free capacity and the appropriate equipment for the patient. The dispatcher in the control center selects a clinic, registers the patient there and gives the name of the hospital to the ambulance crew. The IVENA database records that the patient is on the way and that a resource is blocked for the near future.

IVENA also runs in hospitals, not only on PC workstations but often also as a large information screen in the emergency room. There, the staff can see in a table which patients are currently on their way, and can prepare for and prioritize urgent cases. IVENA can trigger additional alarms via various interfaces, for example by pager or via the hospital's telephone system.

IVENA shows the occupancy of the hospitals in tables with traffic light colors, among other things. The aim is to make the assignment of patients to hospitals more efficient.

The original idea for IVENA came from Hesse. The company mainis IT-Service GmbH has been developing the software together with the Frankfurt Health Department since 2009. It is now distributed throughout Germany. In some cases individual municipalities order and operate an IVENA instance; in many federal states (e.g. Lower Saxony, Berlin, Brandenburg, Saxony-Anhalt and Hesse) platforms run statewide or almost statewide.

The program runs in the browser, and every customer, i.e. a municipality or an entire federal state, has to operate its own server instance – mostly in public-sector data centers. IVENA uses the reported capacities and the registered cases to generate a tabular overview by hospital, and a traffic light system shows how busy each facility is for each time period.

In many IVENA instances this overview can be viewed by any citizen without access credentials, in Lower Saxony and in Hesse, for example. In Munich the operators blocked public access in 2018 after data journalists from Bayerischer Rundfunk used the freely available data to research inconvenient details about the supply situation and the overloading of hospital staff.

We became aware of IVENA through a tip from a reader. He had seen the software in a TV report by Norddeutscher Rundfunk about the ambulance service. In the browser window of a control center computer from Hanover shown in the film, he noticed a suspicious detail: a cryptic character string was appended to the address, obviously a so-called session ID. This reminded the whistleblower of the early days of web development: until around the beginning of the 2000s, it was customary on websites requiring authentication to append such a string to the address after a successful login. This enabled the server to recognize the user's session.

However, web developers abandoned this concept long ago. The problem: such a URL, including the key for an active session, ends up in the browser history, for example, or users accidentally forward the URL to others. Whoever receives the link is automatically logged in. Instead, the session ID is now stored in a cookie.

One of the fatal mistakes: the developer's web server delivered an overview page for folders. This made it easy to find the file containing the password.

Those who use such an antiquated security concept, the whistleblower reasoned, might be dragging along further security problems from days long past. So he took a closer look at the Lower Saxony application he had seen in the film. He also looked around the manufacturer's homepage. He found what he was looking for along an easily traceable path: the operator had neglected to disable directory listing on the Apache web server.

This, too, is a typical relic from bygone times. If you navigated to the path of a folder, the server showed an overview page of its contents, which was easy to browse via links. In this way our reader found an INI file which, in addition to a few settings, also contained a user name and password; according to the comments, the credentials were intended for an IVENA development instance. Without further ado, he tried the credentials on the Lower Saxony platform – and was logged in. With this knowledge he turned to our editorial team with concern.
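Both findings above (a session ID carried in the URL, and a directory listing exposing a configuration file) leave traces in ordinary web server access logs. The following added example, which is not from the article, from IVENA or from its manufacturer, flags such requests in constructed Apache "combined" log lines; the parameter names, paths and file extensions it looks for are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2020:08:01:12 +0100] "GET /app/overview.php?sid=9f3c2a1b7e4d HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Nov/2020:08:02:03 +0100] "GET /dev/ HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Nov/2020:08:02:09 +0100] "GET /dev/config.ini HTTP/1.1" 200 412 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Nov/2020:08:03:44 +0100] "GET /app/overview.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Nov/2020:08:03:50 +0100] "GET /app/config.ini HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Only the fields needed here: client IP, timestamp, method, URL and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)
# Assumed query parameter names under which frameworks carry session IDs in URLs.
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid"}
# Assumed extensions of files that should never be served to a browser.
CONFIG_EXT = (".ini", ".conf", ".env", ".cfg")


def check_line(line):
    """Return a list of findings (strings) for one access log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparsable line: ignore rather than guess
    findings = []
    url = urlsplit(m["url"])
    status = int(m["status"])
    params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    if params & SESSION_PARAMS:
        findings.append(f"session id in URL: {m['ip']} {url.path}")
    # Heuristic: a successful request for a folder path (not the site root)
    # may be an auto-generated directory listing and deserves a look.
    if url.path.endswith("/") and url.path != "/" and status == 200:
        findings.append(f"possible directory listing: {m['ip']} {url.path}")
    # A 200 for a configuration file means the server handed it out.
    if url.path.lower().endswith(CONFIG_EXT) and status == 200:
        findings.append(f"config file served: {m['ip']} {url.path}")
    return findings


def scan(log_text):
    """Run check_line over every line of a log and collect all findings."""
    return [f for line in log_text.splitlines() for f in check_line(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The 403 on the last sample line produces no finding, because the server refused the file; that is the behaviour the hardened configuration should show.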

c’t 24/2020

This article is from c't 24/2020. In it, the c't editors provide detailed PC purchase advice and build suggestions for the optimal PC. They have tested dating sites and reveal the tricks of Parship & Co., as well as the security gap in the IVENA online rescue service system. c't 24/2020 is now available in the Heise shop and at well-stocked magazine kiosks.
