Serious flaw in eHranica form: attackers able to send people into self-isolation

Ethical hackers from the Nethemba company uncovered two serious flaws in state systems, the second concerning EU vaccination certificates.


Hackers had the chance to send people into self-isolation or acquire the EU Digital Covid Certificate of a specific person by only discovering how to generate their birth number (rodné číslo in Slovak).

These two gaps in the state-run systems were recently uncovered by ethical hackers from the Nethemba company, which claimed that the National Health Information Centre (NCZI) has failed to protect the personal data of millions of people.

“We identified a way to receive the EU vaccination of everybody who has been inoculated – to demonstrate this, we acquired the certificates of prominent politicians,” the company wrote on its website. “All we needed was their name and birth date, which can be found on Wikipedia.”

The company reported the problems to the state in late July. In about a week, both flaws were corrected, the Živé website reported.

Still, it is not the first time NCZI has faced criticism over its systems. Nethemba pointed to the risk of a personal information leak from the Moje eZdravie app in September 2020.

Problems with birth numbers

One problem concerned the verification of birth numbers (rodné číslo in Slovak).

Because birth numbers follow a pattern derived from a person's sex and date of birth, the hackers could produce a set of candidate birth numbers. They then checked the candidates against a service run by the Health Care Surveillance Authority (ÚDZS) that reveals whether a person has valid health insurance. If the birth number does not exist, the system reports an error, so the service acts as an oracle for which candidates are real.


Originally, it was also possible to type in a person's name and so link the number to him or her; this option was removed on August 6. The service itself, however, continues to run, meaning it is still possible to find out whether a specific birth number exists, Živé reported.

Manipulating the eHranica form

Under currently valid rules, anyone coming to Slovakia from abroad has to fill in the eHranica online form.

The form is linked to the system run by NCZI, which stores pandemic-related information such as testing and vaccination records.

The person is required to fill in personal data, which is then matched with the data already held in the NCZI system. However, the contact data registered during testing or vaccination is always overwritten in the NCZI database by whatever is entered in the eHranica form.

In this way, an email address or a phone number can be changed without sending any notification to the person about the change.

This means a potential attacker can register the person with a different email address or phone number and then receive all confirmations and verification codes. The victim has no way of finding out about the change, unless they registered through eHranica with the correct contact data themselves.

Moreover, a person registered in this way could have been subjected to the movement restrictions of the quarantine rules in force, even if they had not travelled anywhere.
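The overwrite problem described above, as an added illustration that is not NCZI's code or Nethemba's: a constructed record store in which a form submission silently replaces the registered contact, beside a hardened update that keeps the old contact until the change is confirmed through it. The record format, `notify` callback and placeholder values are assumptions.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class Record:
    """Constructed stand-in for a person's entry in a registry like NCZI's."""
    birth_number: str          # identifier the form is matched on
    email: str                 # contact registered at testing/vaccination
    pending: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

def update_contact_insecure(rec: Record, form_email: str) -> str:
    """Behaviour the article describes: the form's contact data silently
    overwrites the registered one, so later codes go to the new address."""
    rec.email = form_email
    return rec.email

def update_contact_hardened(rec: Record, form_email: str, notify) -> str:
    """Hardened variant (an assumption, not the state's actual fix): the old
    contact is never replaced directly. A confirmation token is sent to the
    OLD address, so the real owner learns of the attempt and must approve it."""
    if form_email == rec.email:
        return rec.email
    token = secrets.token_urlsafe(16)
    rec.pending = {"email": form_email, "token": token}
    notify(rec.email, f"Contact change to {form_email} requested; token {token}")
    rec.log.append(("change_requested", form_email))
    return rec.email                       # unchanged until confirmed

def confirm_contact_change(rec: Record, token: str) -> bool:
    """Completes the change only with the token delivered to the old contact."""
    if not rec.pending or not secrets.compare_digest(rec.pending["token"], token):
        rec.log.append(("confirm_failed",))
        return False
    rec.email = rec.pending.pop("email")
    rec.pending.clear()
    rec.log.append(("change_confirmed", rec.email))
    return True

def demo():
    sent = []                               # captured notifications
    notify = lambda to, msg: sent.append((to, msg))
    victim = Record("000000/0000", "owner@example.org")     # constructed values
    insecure_result = update_contact_insecure(victim, "attacker@example.net")
    victim = Record("000000/0000", "owner@example.org")
    hardened_result = update_contact_hardened(victim, "attacker@example.net", notify)
    bad_confirm = confirm_contact_change(victim, "wrong-token")
    good_confirm = confirm_contact_change(victim, victim.pending["token"])
    return insecure_result, hardened_result, bad_confirm, good_confirm, sent
```

In the hardened flow the only notification goes to the previously registered address, which is exactly the channel the attack relies on the victim never hearing from.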

Obtaining vaccination certificates


The eHranica problem also made it possible for potential attackers to gain access to a person's testing and vaccination details. Knowing the person's name and birth number was enough: a personal Covid-19 pass is then automatically sent to the registered email address or phone number, which the attacker had just changed.

This personal Covid-19 pass can be used in other systems run by NCZI, including a system generating the EU Digital Covid Certificates, which contain information on Covid recovery, testing or vaccination.

This EU pass could potentially be downloaded by the attacker and used wherever it serves as an entry requirement.

Though the flaw was corrected in early August, Nethemba is asking for the eHranica app to be scrapped altogether.
