Hackers had the chance to send people into self-isolation or to acquire the EU Digital Covid Certificate of a specific person merely by working out how to generate that person's birth number (rodné číslo in Slovak).
These two gaps in the state-run systems were recently uncovered by ethical hackers from the Nethemba company, which claimed that the National Health Information Centre (NCZI) has failed to protect the personal data of millions of people.
“We identified a way to receive the EU vaccination of everybody who has been inoculated – to demonstrate this, we acquired the certificates of prominent politicians,” the company wrote on its website. “All we needed was their name and birth date, which can be found on Wikipedia.”
The company reported the problems to the state in late July. In about a week, both flaws were corrected, the Živé.aktuality.sk website reported.
This is not the first time NCZI has faced criticism over its systems: Nethemba pointed to the risk of a personal data leak from the Moje eZdravie app in September 2020.
Problems with birth numbers
One problem concerned the verification of birth numbers (rodné číslo in Slovak).
Because birth numbers follow a known pattern derived from a person's sex and date of birth, the hackers could generate a set of candidate birth numbers for a given person. They then verified the candidates through a service run by the Health Care Surveillance Authority (ÚDZS), which shows whether a person has valid health insurance. If a birth number does not exist, the service returns an error, so its response alone distinguishes real numbers from generated ones.
Originally, it was possible to type in the name of a person to link the number with him or her, but this possibility was scrapped from August 6. However, the service itself continues to run, meaning that it is still possible to find out whether a specific birth number exists, Živé.aktuality.sk reported.
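The enumeration described above, as an added example that is not part of the article or of Nethemba's tooling. It encodes the publicly documented format of the 10-digit birth number (YYMMDD/SSSC, 50 added to the month for women, whole number divisible by 11), generates every syntactically valid number for one date of birth and sex, and narrows that set with a yes/no existence oracle. The oracle here is a constructed in-memory set standing in for the ÚDZS lookup; nothing contacts a real service. The year mapping (54-99 to the 1900s, 00-53 to the 2000s) and the skipping of serials whose check digit would be 10 are assumptions stated in the comments.

```python
from datetime import date


def rc_check_digit(prefix9: str):
    """Check digit for a 10-digit birth number: the full number must be divisible by 11.
    Returns None where the rule would require digit 10 (assumption: such serials are not issued)."""
    c = int(prefix9) % 11
    return None if c == 10 else c


def decode_rc(rc: str):
    """Parse YYMMDD/SSSC into (sex, ISO date) or None if malformed or invalid.
    Women have 50 added to the month. Assumption: two-digit years 54-99 map to the
    1900s and 00-53 to the 2000s (10-digit numbers have been issued since 1954)."""
    digits = rc.replace("/", "")
    if len(digits) != 10 or not digits.isdigit() or int(digits) % 11 != 0:
        return None
    yy, mm, dd = int(digits[:2]), int(digits[2:4]), int(digits[4:6])
    sex = "F" if mm > 50 else "M"
    if sex == "F":
        mm -= 50
    year = 1900 + yy if yy >= 54 else 2000 + yy
    try:
        born = date(year, mm, dd)
    except ValueError:
        return None
    return sex, born.isoformat()


def is_valid_rc(rc: str) -> bool:
    return decode_rc(rc) is not None


def candidate_rcs(year: int, month: int, day: int, sex: str):
    """All syntactically valid birth numbers for one person's date of birth and sex."""
    mm = month + (50 if sex == "F" else 0)
    base = f"{year % 100:02d}{mm:02d}{day:02d}"
    out = []
    for serial in range(1000):
        c = rc_check_digit(f"{base}{serial:03d}")
        if c is not None:
            out.append(f"{base}/{serial:03d}{c}")
    return out


# Constructed stand-in for the real lookup service: a tiny set of "issued" numbers.
_CONSTRUCTED_REGISTRY = {"850101/0001", "855101/0006"}


def demo_oracle(rc: str) -> bool:
    """Models an 'exists or error' response; does NOT contact any real service."""
    return rc in _CONSTRUCTED_REGISTRY


def enumerate_existing(year: int, month: int, day: int, sex: str, oracle):
    """Narrow the candidate set with a yes/no existence oracle; returns (hits, queries made)."""
    hits, queries = [], 0
    for rc in candidate_rcs(year, month, day, sex):
        queries += 1
        if oracle(rc):
            hits.append(rc)
    return hits, queries


if __name__ == "__main__":
    hits, queries = enumerate_existing(1985, 1, 1, "M", demo_oracle)
    print(f"{queries} candidates checked, {len(hits)} exist: {hits}")
```

The point for a defender is the query count: a date of birth and sex leave only about 900 candidates, so an unauthenticated, unthrottled endpoint that answers "exists" or "error" turns a supposedly private identifier into something recoverable in a few hundred requests.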
Manipulating the eHranica form
The form is linked to the system run by NCZI, where it stores information concerning the pandemic, such as on testing or vaccination.
The person is required to fill in personal data, which is then matched against existing records in the NCZI system. However, any contact data registered during testing or vaccination was always overwritten in the NCZI database by whatever contact data was entered in the eHranica form.
In this way, an email address or a phone number could be changed without any notification being sent to the person concerned.
A potential attacker could therefore register the person with a different email address or phone number and then receive all confirmations and verification codes in their place. The victim had no way of noticing, unless they later registered through eHranica themselves with the correct contact data.
Moreover, the person registered by the hackers could have been restricted in movement by currently valid quarantine rules even if he/she did not travel anywhere.
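To make the overwrite behaviour concrete, here is an added example (not NCZI's or Nethemba's code) modelling a registration record in memory. The first function reproduces the behaviour the article describes: form data silently replaces the stored contact. The second stages the change, sends a confirmation code to the contact already on file, and applies the change only when that code is presented, so an attacker who knows only a name and birth number cannot redirect confirmations. The record, the names and the "delivery" of the code are all constructed; acceptance of a first-ever contact without confirmation is an assumption noted in the code.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Person:
    name: str
    birth_number: str
    email: str = ""
    phone: str = ""
    pending: dict = field(default_factory=dict)   # staged contact change awaiting confirmation
    outbox: list = field(default_factory=list)    # messages "sent" to the person's current contact


def vulnerable_submit(db, name, birth_number, email, phone):
    """Behaviour the article describes: form data overwrites the stored contact
    unconditionally and without telling the person."""
    person = db[(name, birth_number)]
    person.email, person.phone = email, phone
    return person


def hardened_submit(db, name, birth_number, email, phone):
    """Stage the change and send a confirmation code to the *existing* contact, so the
    submitter must also control the old email/phone. Returns the code as a stand-in
    for out-of-band delivery (in a real system it would only be sent, never returned)."""
    person = db[(name, birth_number)]
    if (email, phone) == (person.email, person.phone):
        return None                                   # nothing to change
    if not person.email and not person.phone:
        # Assumption: a first registration with no contact on file is accepted as-is.
        person.email, person.phone = email, phone
        return None
    code = secrets.token_hex(4)
    person.pending = {"email": email, "phone": phone, "code": code}
    person.outbox.append(
        f"to {person.email or person.phone}: a request was made to change your contact "
        f"to {email} / {phone}; confirmation code {code}. Ignore this if it was not you."
    )
    return code


def confirm_change(person, code):
    """Apply the staged change only if the code delivered to the old contact is presented."""
    if not person.pending or not secrets.compare_digest(person.pending["code"], code):
        return False
    person.email, person.phone = person.pending["email"], person.pending["phone"]
    person.pending = {}
    person.outbox.append(f"to {person.email}: your contact details were updated")
    return True


def make_demo_db():
    """Constructed sample record; not real data."""
    p = Person("Jana Nováková", "855101/0006", "jana@example.invalid", "+421900000000")
    return {(p.name, p.birth_number): p}


if __name__ == "__main__":
    db = make_demo_db()
    vulnerable_submit(db, "Jana Nováková", "855101/0006", "attacker@example.invalid", "+421911111111")
    print("vulnerable:", db[("Jana Nováková", "855101/0006")].email)
    db = make_demo_db()
    hardened_submit(db, "Jana Nováková", "855101/0006", "attacker@example.invalid", "+421911111111")
    print("hardened:  ", db[("Jana Nováková", "855101/0006")].email)
```

Note that the hardened version still trusts name plus birth number to find the record; confirming through the old channel only protects people who already have correct contact data on file, which is exactly the condition the article says victims could not rely on.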
Obtaining vaccination certificates
The eHranica problem also gave potential attackers access to details on testing and vaccination. Knowing a person's name and birth number, they automatically received that person's Covid-19 pass at the email address or phone number they had registered.
This personal Covid-19 pass can be used in other systems run by NCZI, including a system generating the EU Digital Covid Certificates, which contain information on Covid recovery, testing or vaccination.
This EU pass could be potentially downloaded by the attacker and used where it serves as an entry requirement.
Though the flaw was corrected in early August, Nethemba is calling for the eHranica app to be scrapped altogether.
16. Aug 2021 at 17:31 | Compiled by Spectator staff