Security flaws in card terminals in doctor’s offices and health insurance apps

For decades, the federal government slept through the digitization of medicine; now it cannot go fast enough. From the coming year, everything from electronic patient files and e-prescriptions to tele-consultation will gradually run through apps on the smartphone. With hundreds of medical and health apps in the Apple and Google stores, users have so far had little opportunity to check their quality.

Why such a quality check matters is shown by a security review of almost two dozen apps from German health insurers, which the computer magazine c’t carried out together with the NDR and David Wischnjak, security consultant at Ciphron GmbH. Wischnjak found, among other things, login data and passwords in plain text, outdated software libraries and unencrypted data transfers in the code of the Android apps. The security expert also sees room for improvement in the use of trackers, the parameters of the transport encryption and the APK signing process. Numerous AOK apps that offered little more functionality than a website left a negative impression. Only the TK app was able to convince the c’t authors.

In another hacking experiment, this time with card terminals, c’t shows the simple craft tools with which the security precautions of the ORGA 6141 Online card reader from Ingenico, which is widely used in medical practices, can be bypassed within a few minutes. After a tip from an anonymous hacker group, the c’t editors were able to buy terminals on eBay without any proof of medical activity.

We sent the test devices to Dr. Jiska Classen from the Secure Mobile Networking Lab (SEEMOO) at TU Darmstadt to examine the attack path outlined by the hackers. Dr. Classen was able to cut through an electronic protective film behind an unsecured bottom flap of the terminal within a few minutes without triggering a security alarm. The unprotected contacts of the card slot for health professional ID cards are located under the film. Dr. Classen documented the procedure in a video.

c’t hacker experiment with Ingenico card terminal:

The video shows how easily the electronic protective film in Ingenico’s ORGA 6141 Online card terminal can be cut open.

(Source: c’t – magazine for computer technology)

From these contacts, the anonymous hackers could use a logic analyzer to read unencrypted commands and PIN entries inside the device. Security expert Thomas Maus, who analyzed the group’s attack path for c’t, therefore sounded the alarm: through the gap in the device, attackers could hide a small microcomputer with WiFi, access and manipulate health data, and write prescriptions. According to Maus, the card terminal would not meet the security requirements demanded by the Common Criteria.

It is still unclear why the card terminals, which carry BSI seals, have an easy-to-open bottom flap. It is neither glued, as described in the manual, nor secured with BSI seals. The deviation between the device and the manual contradicts the security requirements of the Common Criteria, against which the terminals are specified.

It is noteworthy that Gematik GmbH, which is responsible for organizing and securing the telematics connection of medical practices, apparently already suspected when the card terminals were approved three years ago how easily an attacker could overcome the technical protection. But instead of demanding more robust technology, it contented itself with organizational security requirements: doctors and clinics may leave the terminals unattended for a maximum of ten minutes.

This was previously unknown to the doctors we interviewed. Since doctors and clinics are still legally responsible for the security of their patients’ data, they must be informed in particular detail about any risks. However, there is still no data protection impact assessment of the telematics infrastructure that would satisfy this information requirement.

An estimated 145,000 medical practices and clinics in Germany are currently connected to the telematics infrastructure. When asked, the manufacturer did not want to tell us how many of them use Ingenico card terminals. However, the number is likely to be in the six figures. A possible recall or replacement of the vulnerable devices would therefore involve considerable costs.

Shortly before the introduction of the electronic patient file on January 1, 2021, the data security of the telematics infrastructure is in a desolate state. At the beginning of the week, security researchers from the Chaos Computer Club discovered around 200 incorrectly configured telematics connectors that give attackers free access to patient and health data. The security researchers intend to present details of their analysis at the Remote Chaos Experience between the holidays.

Focus on medical IT

Read more about the problems of apps and card terminals in the healthcare sector in c’t 1/2021

Update 6:20 p.m.:

Meanwhile, Gematik has responded to the disclosure of the security gap.

In its statement, Gematik refers to an English blog post by the security expert Dr. Jiska Classen. Among other things, the statement says:

“Gematik has informed the manufacturer and the Federal Office for Information Security about the attack path and the researcher’s results. Together with the manufacturer, gematik will discuss how this vulnerability can be remedied in future generations of devices. The low practical usability does not affect the existing approval or the card terminals in the field.”

After months of research with Thomas Maus, c’t had informed the manufacturer Ingenico, the BSI and Gematik of the security gap and the possible attack method on September 14th. After we later consulted Dr. Classen, a dispute arose between her and Thomas Maus about the impact of the security gap. c’t finally agreed the statements concerning her with Dr. Classen and received her approval for publication. However, she published essential parts of the research on her blog the day before c’t, without prior agreement.
