As a bonus to the corona self-tests of the manufacturer aesku, which are consulting at ALDI at the cash register, there is also an online function. If you have tested, you can have a QR code on the package up to FUF negative certificates. The idea of AESKU: such certificates ied by the manufacturer should become the key for hairdressing and restaurant visits as well as events. But our exam shows that not only the basic idea is fragwurround. Error in the technical implementation, the certificates made factually worthless and caused a data leak in addition.
The first weakness of the certificate system of AESKU: on the 5-pack of the self-tests is visible from auben visible a QR code, over the one on the website ichestemichselb.DE up to five negative certificates can retrieve. You just have to click on that you have tested yourself negatively. Achieving the own identity card or fuser license number and gets the PDF file with the certificate.
The online certificate creation at AESKU is based on trust. If you have tested yourself, you will be asked to answer the question of the test result truthful.
AESKU used in the download URL as the only variable element the creation date of the certificate in the form of a UNIX timestamp, ie the number of seconds that have passed since new year 1970. By paying the seconds ruckwarts, we managed to download foreign certificates by script. After just a few hours, we had downloaded hundred PDF files.
So we came to a number of identity card numbers and fuhrer license numbers – because the users in the free text field could enter everything possible, were also name underneath.
But that’s not all. An investigation of the PDF certificates that you should save on the smartphone or to take a look at the hairdresser, revealed another problem: the QR code used therein can be checked online, including the code that only printed on the pack. So if you get the certificate in hand, you can use the contingent of online certifications for the 5er box and ie up to four more certificates.
According to our note, the company densitized the data leak first and replaced the unix timestamp by a 32-bit long ID, apparently a hash that is no longer guessing. The case of the manufacturer’s external data protection officer as a notifiable incident in the sense of the DSGVO and informed the state data protection officers.
However, the necessary repairs do not otherwise that one continues to approach the packages in the shop or about the certificates to the packing ID, the online self-certification does not provide any protection against abuse. As the manufacturer himself writes, the procedure is based on trust. The shirt-regulated online allocation of the certificates of aesku does not contribute to trusting. Technically, we found a system at the booth of a fresh prototype.
The online breakdown is not affected by the offline functionalitat of the tests. Applied for the pure self-control, which can be made quite their purpose. As a ticket to public life, the procedure did not have the procedure. Four days after our reference, AESKU then decided and set the function to generate online certificates.