Your critical infrastructure bug won't be fixed and this is why
Water, electricity, transportation—all of them are critical infrastructures. In Germany, everything classified as part of a critical infrastructure has to conform to security and safety guidelines. I had some nightmares^Wexperiences with these in the past. And I decided to only work on projects classified as critical infrastructure if I could do defensive research, despite being a mostly offensive security researcher. This blog post outlines why offensive critical infrastructure research is a bad idea, and is also a long rant about an article that will be released in a German magazine on December 19th. Sorry for ranting!!!!1!11
Critical infrastructure security
Critical infrastructure is regulated and has to go through various certifications. Disclaimer: I'm not an expert on this. However, certifications are both good and bad:
- Everything classified as critical infrastructure has to pass various tests, ensuring it is safe and secure.
- Such tests are limited in scope and prevent fixes from being rolled out in a timely manner.
- If this component has flaws, how could it be fixed?
- Who is going to pay for the fix?
- Is the flaw so severe that it is worth fixing?
German electronic health card terminals
Confirming the bug
- The older offline variant of the device has a serial port below a lid on the bottom. Everything else on the bottom is covered with foil to protect against drilling.
- The newer online variant no longer has the serial port. The manual claims the bottom lid is glued and cannot be opened, but it can still be opened.
- It's possible to bypass this foil by properly cutting it.
- Then, the contacts of the doctor's card reader inside the terminal can be accessed, which transmit sensitive data in plaintext.
While confirming the terminal manipulation, I was talking to two people working in the German health system. Both confirmed that drug dealing based on terminal manipulation was almost impossible due to all the additional physical checks. Like, even if you have some digital prescription, you still need to get the drugs somewhere; everything is documented along the path and can be traced back. Moreover, to intercept data in a doctor's office, it is much easier to install a webcam.
- Wasting money on minimal security improvement.
- Partial disclosure and hiding information about possible attacks.
- September 27: Initial contact with c't.
- October 26: c't reporter sent me the terminals.
- November 13: I quit the project.
- December 1: c't article draft.
- December 17: c't reporter informed gematik about the findings.
- December 18: c't reporter published heise article without informing me or gematik.
- December 19: c't news magazine with article released.