corona-warn-app / cwa-documentation

Project overview, general documentation, and white papers. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

[Security] Activate forced update to a current CWA version ASAP #732

Closed vaubaehn closed 2 years ago

vaubaehn commented 2 years ago

Describe the bug

Before CWA v2.7, there was no check to validate the signature of an EU DCC implemented in our app. The signature check was introduced with CWA 2.7. Currently there are reports that the DGC issuance web services of many EU countries may have been abused by criminal groups, which were able to have fraudulent EU DCCs signed with official signing certificates: https://github.com/ehn-dcc-development/hcert-spec/discussions/105 Observers claim that these certificates have/had "valid" signatures and may have been sold to people who do not want to get vaccinated. These certificates could/can be imported into CWA or other wallet apps, as long as their signatures are not validated (CWA < 2.7) or are validated as legitimate DCCs (CWA >= 2.7). Moreover, a collection of fake certificates (with "valid" signatures) has been found, whose certificates were either created by the criminal groups as a proof of abilities for "customers", or are "real" sold/spread/used fraudulent DCCs. Additionally, news reports from Germany recently revealed criminal activity where fraudulent DCCs may have been issued through legitimate access at pharmacies by malicious employees, or where their systems were abused by black hats.

Meanwhile, steps are being taken to block fraudulent DCCs from official contact tracing/wallet apps. For now, at least some of the DCCs that were part of the collection (mentioned above) are marked as "invalid" in contact tracing apps like CWA or checking apps like CovPassCheck, in Germany and other countries. EDIT: Please check @Ein-Tim's repo to follow the progress on which DCCs of that collection are marked as valid/invalid by our German apps or by apps from other countries: https://github.com/Ein-Tim/covid-cert-analysis-check-apps/blob/main/RESULTS.md

The problem is that the invalidation of fraudulent DCCs can only be achieved by apps that have built-in signature/validity checks for scanning/import/storing. CWA <v2.7 does not.

Expected behaviour

To decrease the spread of fraudulent DCCs, no CWA version must be able to scan/import/present invalid DCCs as legitimate. This means CWA versions before 2.7 need to be disabled.

Possible Fix

Activate the forced update mechanism for all CWA versions to a version from CWA 2.7 on. Related: https://github.com/ehn-dcc-development/hcert-spec/discussions/105#discussioncomment-1566196 Affected code (credit to @Ein-Tim): https://github.com/corona-warn-app/cwa-server/blob/5841b438c9d6c73504c19a3e160f777aa1a1a803/services/distribution/src/main/resources/application.yaml#L119

Once all CWA users have updated to a version that checks signatures or has additional checks for the legitimacy of DCCs, it becomes harder for the "common user" to handle fraudulent DCCs. This form of discouragement (making it a bit more inconvenient to handle illegitimate DCCs) may help as one possible factor to decrease the spread of these bad DCCs.

Additional context

We all know that checking QR codes with the official checking apps is necessary. But we all also know that this practice is currently rather rare. As long as not all hosts everywhere scan QR codes with these apps, disabling CWA versions that do not validate the legitimacy of DCCs will help a lot in this situation.

I guess that the forced update is already on your to-do list. @thomasaugsten and @mlenkeit are already informed via the discussion referenced above. So, this issue here is mainly to follow the progress of this process.


Internal Tracking ID: EXPOSUREAPP-10252
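To make the gap described in this report concrete (a wallet that stores whatever it scans versus one that checks signer, signature and revocation status before showing a certificate as legitimate), here is a small Go program. It is an added example written for this page, not CWA or EU DCC code, and it simplifies the real format: a DCC is a COSE_Sign1 structure over a CBOR payload, whereas this stand-in signs an opaque payload with ECDSA P-256 over SHA-256, derives the KID from the DER-encoded public key rather than from the X.509 signer certificate, and revokes by a constructed identifier. `TrustList`, `LegacyImport`, `Verify`, `certID` and the sample payload are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Certificate is a simplified stand-in for an EU DCC (constructed for this example; a real
// DCC is COSE_Sign1 over CBOR, here an opaque payload is signed with ECDSA P-256 / SHA-256).
type Certificate struct {
	KID       string // hex of the 8-byte key identifier naming the signing key
	Payload   []byte // certificate content (holder, vaccination data, ...)
	Signature []byte // ASN.1 DER encoded ECDSA signature over SHA-256(Payload)
}

// TrustList is the wallet's local copy of accepted signer keys plus a revocation set.
type TrustList struct {
	Keys    map[string]*ecdsa.PublicKey // KID -> document signer public key
	Revoked map[string]bool             // certID -> invalidated by the issuer
}

type Verdict int

const (
	Accepted      Verdict = iota
	UnknownSigner         // KID not on the trust list, e.g. a self-created signing key
	BadSignature          // payload or signature altered after signing
	RevokedCert           // validly signed by an official key, later invalidated
)

func NewTrustList() *TrustList {
	return &TrustList{Keys: map[string]*ecdsa.PublicKey{}, Revoked: map[string]bool{}}
}

// kidOf: first 8 bytes of SHA-256 over DER (the real spec hashes the X.509 signer cert;
// this example hashes the bare public key instead).
func kidOf(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed P-256 key
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:8])
}

// Trust adds a document signer key under its KID.
func (t *TrustList) Trust(pub *ecdsa.PublicKey) { t.Keys[kidOf(pub)] = pub }

// certID is the hypothetical key under which a single certificate is revoked.
func certID(c Certificate) string {
	sum := sha256.Sum256(append([]byte(c.KID), c.Payload...))
	return hex.EncodeToString(sum[:])
}

// NewSigner creates a document signer key pair.
func NewSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign issues a certificate over payload with the given signer key.
func Sign(priv *ecdsa.PrivateKey, payload []byte) (Certificate, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Certificate{KID: kidOf(&priv.PublicKey), Payload: payload, Signature: sig}, err
}

// Revoke invalidates one certificate: the "valid signature from an official key" case.
func (t *TrustList) Revoke(c Certificate) { t.Revoked[certID(c)] = true }

// LegacyImport mirrors what the thread describes for CWA < 2.7: no check, just store and show.
func LegacyImport(c Certificate) Verdict { return Accepted }

// Verify is the hardened import: known signer, valid signature, not revoked.
func (t *TrustList) Verify(c Certificate) Verdict {
	pub, ok := t.Keys[c.KID]
	if !ok {
		return UnknownSigner
	}
	digest := sha256.Sum256(c.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], c.Signature) {
		return BadSignature
	}
	if t.Revoked[certID(c)] {
		return RevokedCert
	}
	return Accepted
}

func main() {
	priv, _ := NewSigner() // key generation errors ignored in this demo entry point only
	tl := NewTrustList()
	tl.Trust(&priv.PublicKey)
	official, _ := Sign(priv, []byte(`{"nam":"Example Holder","v":"constructed sample"}`))
	rogue, _ := NewSigner()
	forged, _ := Sign(rogue, official.Payload) // same content, self-created key
	fmt.Println("forged, legacy import accepted:   ", LegacyImport(forged) == Accepted)
	fmt.Println("forged, verified import rejected: ", tl.Verify(forged) == UnknownSigner)
	tl.Revoke(official)
	fmt.Println("official, rejected after revoke:  ", tl.Verify(official) == RevokedCert)
}
```

The order of checks matters: the trust-list lookup comes first because without it any self-generated key would "verify", and the revocation lookup comes last because it only has meaning for a certificate that was genuinely issued. A wallet that skips the whole `Verify` path, as the report says CWA < 2.7 did, cannot be helped by later revocation lists at all, which is the reason the report asks for those versions to be retired.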

dsarkar commented 2 years ago

Good morning @vaubaehn, thanks for the report: Internal Tracking ID: EXPOSUREAPP-10252

Jo-Achim commented 2 years ago

I think it is necessary to use all possibilities to prevent fraud with DCCs, or to prevent fraud as much and as fast as possible. Thanks!

vaubaehn commented 2 years ago

To make this issue here a bit more urgent: There is a concrete risk that exchanging EU DCC QR codes and presenting them to gatekeepers with wallet apps that don't validate the legitimacy of the certificate could soon become mainstream for large proportions of the population in several countries. This public forum is an example of a current process: https://raidforums.com/Thread-TRADING-make-EU-green-pass?page=87

The only good news I could extract from this thread for now is that all publicly reachable DGC issuance web services/front-ends for EU DCC have apparently been down (or not publicly reachable) for some time.

@daniel-eder @SchulzeStTSI I'd propose for your next international meeting to also discuss whether and how older versions of official national apps with wallet functionality (like CWA < v2.7) that do not validate the signature/legitimacy of EU DCCs can be disabled (via a kill switch or the like) in their countries. See OP here for details.

vaubaehn commented 2 years ago

@dsarkar and @heinezen One more thought on this: If you (or better: RKI) actually decide to force an update for previous CWA versions, I'd strongly suggest releasing a public announcement via the press long enough (e.g., one week) before the app config is changed. Otherwise we'll again see many complaints from people who are just about to present their vacc DCCs to gatekeepers, but can't because CWA requires an update... and all the old versions will still have that annoying behavior. Probably a good time for deploying the change of the app config could be during the night hours - then hopefully most of the users will get the update notification when they open their app in the morning before they leave the house (hey, everyone does it like me, don't they?) and have a chance to update on their home wifi.

MikeMcC399 commented 2 years ago

@vaubaehn See https://github.com/corona-warn-app/cwa-app-android/issues/4263#issuecomment-956033746:

Additionally it would be worth considering whether a forced auto-update is necessary or whether a soft auto-update could be used, with a grace-period for update, followed by a forced auto-update (if absolutely necessary) after a certain deadline has passed.

Indeed, we have an internal ticket for this proposal: Internal Tracking ID: EXPOSUREAPP-10201
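The soft-then-forced rollout quoted above, combined with the hard minimum version the original report asks for (CWA >= 2.7), can be written down as a small start-up policy. The Go program below is an added example for this thread, not CWA's app-config schema or client code: `UpdatePolicy`, its field names, the version numbers and the deadline are constructed values.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// UpdatePolicy is a hypothetical app-config fragment constructed for this example;
// it is not CWA's application.yaml schema.
type UpdatePolicy struct {
	MinVersion     string    // app versions below this are blocked at once (the ">= 2.7" ask)
	SoftMinVersion string    // versions below this only get a prompt ...
	Deadline       time.Time // ... until this instant, after which they are blocked too
}

// Decision is what the app does at start-up.
type Decision int

const (
	Allow       Decision = iota
	SoftUpdate           // show an update prompt, keep the app usable
	ForceUpdate          // refuse to run (including showing stored DCCs) until updated
)

func (d Decision) String() string { return [...]string{"allow", "soft-update", "force-update"}[d] }

// parseVersion reads "major.minor.patch"; missing trailing parts count as 0, so "2.7" == "2.7.0".
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("bad version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// less reports whether a is an older version than b.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Decide applies the policy to the running app version at time now.
// Unparseable input fails closed: ForceUpdate plus an error for the caller to log.
func (p UpdatePolicy) Decide(appVersion string, now time.Time) (Decision, error) {
	v, err := parseVersion(appVersion)
	if err != nil {
		return ForceUpdate, err
	}
	hard, err := parseVersion(p.MinVersion)
	if err != nil {
		return ForceUpdate, err
	}
	soft, err := parseVersion(p.SoftMinVersion)
	if err != nil {
		return ForceUpdate, err
	}
	switch {
	case less(v, hard):
		return ForceUpdate, nil
	case less(v, soft) && !now.Before(p.Deadline):
		return ForceUpdate, nil // grace period is over
	case less(v, soft):
		return SoftUpdate, nil
	}
	return Allow, nil
}

func main() {
	// Constructed values: hard minimum 2.7.0 (the first version with the signature check,
	// per the thread), prompt everyone below 2.13.0 until a one-week grace period ends.
	policy := UpdatePolicy{
		MinVersion:     "2.7.0",
		SoftMinVersion: "2.13.0",
		Deadline:       time.Date(2021, 11, 15, 0, 0, 0, 0, time.UTC),
	}
	before := time.Date(2021, 11, 8, 9, 0, 0, 0, time.UTC)
	after := time.Date(2021, 11, 16, 9, 0, 0, 0, time.UTC)
	for _, v := range []string{"2.6.1", "2.7", "2.12.9", "2.13.2"} {
		d1, _ := policy.Decide(v, before)
		d2, _ := policy.Decide(v, after)
		fmt.Printf("%-7s before deadline: %-12v after deadline: %v\n", v, d1, d2)
	}
}
```

The decision runs on the client from a server-delivered config, so it only takes effect on versions that already ship the gate; a version that predates the mechanism cannot be switched off this way, which is why the report asks to activate the existing forced-update mechanism rather than to add one. The deadline gives users the announced grace period the thread suggests, while anything below the hard minimum is blocked immediately because those versions show unverified certificates.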

Jo-Achim commented 2 years ago

One more thought on my part on the fly (because I have not read all the links) - if I have correctly understood the problem of 'reimporting the certificates':

Without being able to estimate the effort, I believe that all the requirements for 'automatic / semi-automatic certificate handling' are in place.

The following mechanism could help with a CWA forced update:

Old CWA version <2.7?
  no: do nothing more. Ready.
  yes: are certificates stored in the CWA?
    no: do nothing more. Ready.
    yes: save all certificates as a file (if necessary with the functionality of the newer CWA version) / delete all certificates in the CWA, then either
      semi-automatic: 'user dialog': import existing certificates from the files in the directory ('Downloads' or similar) - with the necessary validity check. Semi-automatic done, ready.
      fully automatic: instead of the 'user dialog', automatically import the exported certificates again - here, of course, also with the corresponding validity check and handling if one or more certificates do not meet the necessary requirements. Fully automatic finished, ready.

vaubaehn commented 2 years ago

@MikeMcC399

See corona-warn-app/cwa-app-android#4263 (comment)

Thanks for the hint! Would be nice if implemented quickly. However, this won't affect all other versions today, including 2.13.2.

@Jo-Achim If I got you right, you're proposing how to migrate (export, re-import) already stored DCCs to a new CWA version? As far as I can tell, no migration is necessary currently. The structure of the DCCs is still the same; it's just CWA that decides how to display a DCC - as a valid one with the QR code displayed, or as an invalid one without a scannable QR code.

Jo-Achim commented 2 years ago

Ah, thanks. That should make things easier with a 'fully automated' solution - without losing certificates.

vaubaehn commented 2 years ago

@mlenkeit Although the situation has improved a bit, and more admission control is accomplished by using CovPassCheck, I'm still on CWA 2.6.1 and able to use my self-created DCCs. Could you provide information on whether a forced update of CWA to a fraud-preventing version is planned for the future? Thank you!

vaubaehn commented 2 years ago

Hi @mlenkeit , is there any decision on this issue? Especially when the feature of handling invalidated/revoked certificates is implemented, a force update seems to be of great value, imho. What are your plans?

dsarkar commented 2 years ago

@vaubaehn Currently there are no plans on using the forced update feature.

vaubaehn commented 2 years ago

Hi @dsarkar, thanks for your response. You did not provide any reason for this (non-)decision, nor do I have any idea whether there may be a good reason for this at all, but well...

I will share the good news for counterfeiters and the bad news for the trust-seeking part of the community in a corresponding discussion group with the EU DCC team that prepared the basics for the revocation feature in https://github.com/ehn-dcc-development/hcert-spec/discussions/105 later in the day.

vaubaehn commented 2 years ago

I will share the good news for counterfeiters and the bad news for the trust-seeking part of the community in a corresponding discussion group with the EU DCC team that prepared the basics for the revocation feature in ehn-dcc-development/hcert-spec#105 later in the day.

Done: https://github.com/ehn-dcc-development/hcert-spec/discussions/105#discussioncomment-2532216

larswmh commented 2 years ago

Closing this issue as the related internal ticket is set to obsolete.

Developer comment:

The signature check in the CWA is not a security feature. It does not prevent someone from checking with the CovPass-Check App.