CVE-2021-33838
📋 TL;DR
The Luca COVID-19 contact tracing app for Android versions through 1.7.4 leaks sensitive information about users' COVID-19 status. Remote attackers can correlate check-in state requests with phone number registration requests to determine whether users have been flagged for COVID-19 exposure. This affects all users of the vulnerable Luca app versions.
💻 Affected Systems
- Luca COVID-19 contact tracing app
📦 What is this software?
Luca by Luca App
⚠️ Risk & Real-World Impact
Worst Case
Attackers could identify specific individuals who have tested positive for COVID-19, enabling targeted harassment, discrimination, or social engineering attacks based on health status.
Likely Case
Attackers monitoring network traffic could statistically identify groups of users who have been exposed to COVID-19, potentially revealing outbreak patterns or compromising privacy of affected individuals.
If Mitigated
With proper network segmentation and encryption, the correlation attack becomes significantly more difficult, though not impossible for determined attackers with network access.
🎯 Exploit Status
Exploitation requires network monitoring capabilities and timing analysis of API requests. The vulnerability is well-documented with public technical analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.7.4
Vendor Advisory: https://luca-app.de/securityoverview/properties/objectives.html
Restart Required: Yes
Instructions:
1. Open Google Play Store on Android device
2. Search for 'Luca'
3. If update available, tap 'Update'
4. Restart the app after update completes
🔧 Temporary Workarounds
Disable app or use alternative
Android: Uninstall the vulnerable Luca app version or use an alternative COVID-19 contact tracing solution
adb uninstall de.culture4life.luca
Use VPN for all app traffic
Android: Route all Luca app traffic through a trusted VPN to prevent network monitoring
🧯 If You Can't Patch
- Disable the Luca app completely until patched
- Use device-level VPN to encrypt all network traffic from the device
🔍 How to Verify
Check if Vulnerable:
Check app version in Android Settings > Apps > Luca > App info. If version is 1.7.4 or earlier, you are vulnerable.
Check Version:
adb shell dumpsys package de.culture4life.luca | grep versionName
Verify Fix Applied:
Verify app version is greater than 1.7.4 in app settings. Monitor network traffic to confirm timing correlation between check-in and registration requests is no longer detectable.
📡 Detection & Monitoring
Log Indicators:
- Multiple API calls to Luca backend with trace IDs in quick succession
- Pattern of check-in state requests followed by phone registration requests within short time windows
Network Indicators:
- HTTP/HTTPS traffic to Luca backend servers with specific API endpoints being called in predictable sequences
- Correlation of timing between /checkin and /register API calls
SIEM Query (replace luca-backend-ips and threshold with the values for your environment):
source="network_traffic" dest_ip="luca-backend-ips" (uri_path="/api/checkin" OR uri_path="/api/register") | stats count by src_ip, uri_path | where count > threshold
🔗 References
- https://github.com/mame82/misc/blob/master/luca_traceIds.md
- https://luca-app.de/securityoverview/properties/objectives.html
- https://www.ccc.de/de/updates/2021/luca-app-ccc-fordert-bundesnotbremse
- https://www.youtube.com/playlist?list=PLKuX6iczGb3kuDsm2RFgbmRkTugkR9-UE