The hacker Fluepke has succeeded in moving a TI connector from Secunet into a virtual machine. He wants to use it to send data to the health network.
CCC hacker Fluepke analyzed a connector – a particularly secure router – from Secunet and got the connector’s operating system running in a virtual machine (VM). Among other things, he wants to use it to connect to the health network (the telematics infrastructure, TI) of Gematik GmbH, which is responsible for the digitization of the health system, for further analysis.
Fluepke has been documenting his progress on Twitter for two weeks.
During his analysis, he found that essential parts of the file systems are encrypted. The challenge for the hacker was to gain access to the connector’s secured Linux operating system. He decrypted the app partition and the configuration partition using the smart card – the so-called device-specific security module card of type connector (gSMC-K). From the serial number of the card reader on the connector mainboard, he was able to derive the PIN of the gSMC-K. In addition, the communication between the card and the connector was unencrypted.
He was therefore able to record the communication and play it back in his VM in a replay attack. He connected the card readers through a virtual smart card emulator. It turned out that with the Secunet connector there is apparently no hardware binding between the connector card and the connector hardware. The gSMC-K is bound only to the file system, because it holds the keys for the file system. According to Fluepke, once the card is removed from the connector, decryption no longer works.
SINA anchored in the Telecommunications Act
There are several file systems in the connector, some of them encrypted. In order to access them, Fluepke started the Linux kernel with the “dm-crypt-sina.ko” decryption module and fed it the previously recorded communication of the gSMC-K. This allowed him to mount and read all file systems.
The name of the crypto module indicates that the connector hardware is related to the “Secure Inter-Network Architecture” (SINA) developed by Secunet and the Federal Office for Information Security (BSI). SINA is used to transmit data with the highest level of confidentiality over the Internet. The German armed forces, for example, use the corresponding devices (SINA L2 Box, SINA L3 Box). Under the Telecommunications Act (TKG), Internet providers above a certain size are obliged to use SINA boxes as part of an automated information procedure. The SINA architecture outlined by Secunet is similar to that of the connector.
Is the TI compromised?
Fluepke himself emphasizes that he only decrypted the Secunet connector and did not attack the TI. That would only be possible with an SMC-B registered to a doctor and a corresponding VPN access service. Only in this way should it be possible to gain access to the productive environment of the TI and search for vulnerabilities there. The TI is therefore not currently compromised.
Secunet has since responded to Fluepke’s reverse engineering. The connector manufacturer endorses the approach “because it serves to raise awareness of the important issue of IT security”. However, Fluepke’s results do not mean that there are weak points; users do not have to worry. Only code previously signed by the manufacturer can run on the device. Secunet points out that a potential hazard can only emanate from an unlocked or improperly disposed of device. The connector used by Fluepke is “presumably a regularly commissioned and registered Secunet connector that was not decommissioned in accordance with the organizational measures before it was passed on (deregistration).” However, according to Secunet, this connector offers no possibility of accessing the specialist services – for example for the e-prescription – or, in other words, patient data.
The described PIN derivation from the serial number is only required for the initial setup. Although code fragments from SINA are present in the connector, the devices build “fundamentally [on a] different architecture and contain their own key and PIN management”. The security of the SINA boxes is therefore not at risk.