39C3: How a researcher outsmarted the secure medical mail network again
A security expert at 39C3 demonstrated how messages can be faked, identities stolen, and sensitive metadata intercepted in the KIM e-doctor mail system.
(Image: heise medien / Anna Gundler)
IT security researcher Christoph Saatjohann is no stranger to the world of medical IT. He has been critically observing the introduction of the telematics infrastructure (TI) since 2019, and in previous years he already pointed out the flaws in a system that is actually intended to secure communication in the German healthcare system. Under the label "Communication in Medicine" (KIM), doctor's letters, electronic certificates of incapacity for work, and laboratory results are sent daily. However, the assessment that Saatjohann has now presented in Hamburg at the 39th Chaos Communication Congress (39C3) is sobering: the promise of almost seamless security has still not been fulfilled, even after years of corrections.
Not everything is bad. Saatjohann acknowledged that KIM has now been well received in practices and that Gematik has already closed previously reported vulnerabilities, such as serious errors in key management. But as soon as one hole is plugged, new ones open up. The professor for embedded and medical IT security at Münster University of Applied Sciences reported on a "KIM of Death": with incorrectly formatted emails, attackers could deliberately crash the client module, the software interface at the doctor's office.
In one case, Saatjohann had to intervene himself in a practice where he is permitted to experiment on weekends, writing a Python script to manually delete the blocking messages from the server. "It was a close call that the practice was working again on Monday," he commented on the implications of such a denial-of-service attack. In theory, such an attack could paralyze all of the approximately 200,000 KIM addresses simultaneously.
Attachment service allows data mining
Vulnerabilities in the new KIM Attachment Service (KAS), which allows files of up to 500 MB to be sent, proved to be particularly insidious. Since the client module fetches attachments from external servers, attackers can, according to Saatjohann, substitute their own servers as the download source. The result is large-scale "IP mining": perpetrators could thus obtain a precise map of a critical infrastructure, including the IP addresses of the practices, pharmacies, and health insurance companies that try to download the attachment.
Even worse: since T-Systems, as the mail server operator, temporarily did not validate the sender field ("Mail-From"), KIM messages could be faked with any sender – for example, in the name of the Federal Ministry of Health. The professor warned: since such emails enjoy a "special degree of trust," this would be the perfect basis for highly effective phishing campaigns.
The identity verification within the walled-garden system of the TI also proved to be leaky. Saatjohann demonstrated how he could easily create a KIM address under a false name, as the plausibility of the addresses was not checked. Furthermore, he was able to sign KIM messages with any TI key without the recipient module raising an alarm: the check between the signature and the actual sender was missing. Even reading encrypted messages was possible under certain conditions. By substituting their own POP3 server and exploiting a faulty certificate check of the client modules, messages could be forwarded in plain text to an attacker.
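The two gaps just described, an unvalidated sender field and a signature that is never compared with the actual sender, both come down to a missing binding check on the receiving side. The following is an added defensive example, not code from the talk, Gematik or T-Systems; it assumes the caller supplies the signer identity (from S/MIME verification) and the SMTP envelope sender, and uses a constructed sample message.

```python
"""Receiving-side check that the header From, the SMTP envelope sender and the
signing identity all name the same mailbox. Added example, not from the talk or
any KIM client module; signer_email and envelope_from are assumed to come from
the caller's signature verification and mail session."""
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample: the display name claims the ministry, the address does not.
SAMPLE_MESSAGE = b"""From: "Bundesministerium fuer Gesundheit" <attacker@kim.example>
To: praxis@kim.example
Subject: Wichtige Mitteilung
Content-Type: text/plain; charset=utf-8

Bitte die angehaengte Verordnung beachten.
"""


def check_sender_binding(raw_message: bytes, signer_email: str,
                         envelope_from: str) -> tuple[bool, list[str]]:
    """Return (accept, reasons). Accept only when header From, envelope
    sender and signer agree; every mismatch is reported as a reason."""
    msg = message_from_bytes(raw_message)
    display_name, header_from = parseaddr(msg.get("From", ""))
    reasons: list[str] = []
    if not header_from:
        reasons.append("missing or unparsable From header")
        return False, reasons
    header_from = header_from.lower()
    if header_from != envelope_from.lower():
        reasons.append(f"header From {header_from} != envelope sender {envelope_from}")
    if header_from != signer_email.lower():
        reasons.append(f"header From {header_from} != signer {signer_email}")
    # A display name that itself looks like an address is a classic spoofing trick.
    if "@" in display_name and display_name.lower() != header_from:
        reasons.append(f"display name {display_name!r} conflicts with address")
    return not reasons, reasons
```
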
BSI: Patients not acutely endangered
The Federal Office for Information Security (BSI) reacted with concern to the revelations but tried to limit the damage. To NDR and Süddeutsche Zeitung, the authority explained that the security vulnerabilities found could only be exploited with technical expertise. An immediate risk to patients was unlikely.
Nevertheless, criticism of the security culture in the KIM system remains. While Gematik reacted quickly to Saatjohann's reports and released hotfixes for the client modules and stricter certificate checks in mid-November, T-Systems did not respond to the researcher. According to Saatjohann, the vulnerabilities were fixed there silently, but transparent communication or documentation was lacking.
Despite the new shortcomings, Saatjohann drew a nuanced conclusion. He emphasized that the architecture was "structurally flawed" in many places, partly because of the complexity of over 130 different practice management systems, each of which has to meet its own security requirements. Fundamentally, however, the KIM system operates "at a rather high level." The security risk is still lower than that of completely unencrypted fax transmissions or conventional emails; he himself would rather send sensitive data via KIM than via conventional means.
The scientist also pointed out: "A residual uncertainty remains." Gematik is planning further protective measures, such as an additional signature in the mail headers, which it has published as a pre-release for consultation. But as long as authentication of the client modules is not mandatory and sender names can be chosen freely, KIM remains a solution whose anchor of trust stands on shaky ground.
(nie)