Temporary unable to retrieve badge history
We received an error report by mail describing the following. First, thanks to the reporter for submitting this issue to us.
As a user of the health department frontend, after entering the serial number of an analog badge, I saw an error message "Error while processing serial number". Thereby, the health department frontend was not able to calculate the secrets from the entered serial number.
Steps to reproduce
- get an analog badge and its serial number
- login into the health department frontend
- click "trace contact"
- enter the serial number in the dialogue
successfully created a new tracing process with a history
error message "Error while processing serial number"
The usage of the base32 encoding for creating the entropy and thereby calculating the userDataSecret and tracingSecret resulted in an error. Hereby, the correct encoding to use is base32Crockford.
Impact/ Resolution / Response
Currently, there are 29,000 badges in use, we do not have a distinction in V3/V4 here. These are currently created by a member of the security team of neXenio on behalf of culture4life and luca and are directly transferred to the producer in NRW without any detours.
Fortunately, so far no infected person from the 29,000 key fobs has become known to the health department and no history had to be retrieved. However, very many have been used for check-ins.
We followed up on this issue. We were able to determine that history retrieval via serial number was no longer possible due to the incorrect renaming of the Base32 Crockford function in one of the latest luca releases.
Since the history was not and is not lost, we could have fixed this directly when we received a support request from a health department. For this purpose, each health department has a technical emergency number that helps directly in such cases. However, such an error was not reported to us by any health department, which is why it was not noticed and the error has not had any effects.
We were able to fix this error immediately in the latest release.
There was no problem with the decryption of check-ins with registered badges during the tracking process. All check-ins of persons with badges could be successfully processed and contacted in the course of the tracking process.
We created this issue for transparency and possible open discussion points, as this issue itself is already resolved. This issue will get closed in the next few days.