Two months ago, L.A.-based security researcher Kristian Erik Hermansen was signing up for Obamacare via the Covered California site. Given his background in finding vulnerabilities in software and websites, spotting security flaws is second nature to him, and he couldn’t help but notice problems with the California site, which has seen the most registrations for healthcare in the country.
The technical problems with the website set up for the Affordable Care Act have been well-documented. When critics started calling the main federal Obamacare site a “hacker’s dream,” people rightly pointed out that the more sensitive information — social security numbers, incomes, and birthdates — is instead in the hands of the state-level portals. That of course is exactly what the Covered California site is. Hermansen discovered a vulnerability that would allow someone to take over another person’s account on the California site, and review or change the information entered there. He tried contacting Covered California “at least 15 times” by email, phone or chat about the problem, but got no response for over a month. “They must have been overwhelmed by people seeking help with the site,” he says.
On December 24, he finally got through by phone to a Covered California representative and he explained the issues he’d found, but they remained unfixed and he didn’t hear back from them. Given that it was Christmas, that’s not terribly surprising. But Hermansen, frustrated that the flaw had been out there for over a month already, decided two days later to release a video of the exploit to YouTube and posted it to a security sub-Reddit. That got the attention of a Covered California lawyer who contacted him to take the video down, and also flagged it with YouTube; it was soon removed. The lawyer’s tone was contrite in the email. “I am sorry no one responded to you earlier,” he wrote. “We will have to figure out where or how your prior message to us got lost.”
Hermansen then spoke by phone to the lawyer and a chief security person. “They were not interested in talking about the security issues but about getting the video or any other online mention of the flaw taken down,” he says.
In the grand scheme of things, the vulnerability was not a major one. You would need to know someone’s username in order to take over their account, and you would only be able to see the last 4 digits of their social security number if you did break in. Hermansen says he found more serious issues — such as an exposed admin interface and a potentially raidable database that might have made it easy to steal complete social security numbers en masse — but that he did not explore or expose them publicly to avoid running afoul of the law. He was most dismayed though by how the site’s administrators reacted to his finding flaws: first ignoring him, then trying to sweep his disclosure under the rug, rather than immediately addressing or fixing the problem that he had found.
This is a common complaint from white-hat hackers. They find security problems in products, and the people who make those products are often not eager to hear about them or to see them exposed. However, given the controversy surrounding Obamacare and its websites, I was surprised they would ignore a problem like this. Hermansen’s posting the video publicly did get the job done. By mid-January, the account-hijacking issue appears to have been fixed. I created a test account for Hermansen to try to access, and he was unable to.
On Wednesday, Hermansen says the FBI visited him and told him not to talk about this publicly anymore. “This chilling effect on security research is not the best way to serve the public interest,” he says.
Matt Ploessel, a security researcher who collaborated with Hermansen, reported the problems to the government’s vulnerability clearinghouse US-CERT. He says he also got a call from the FBI on Wednesday. “They told me that creating a test account because we didn’t want to touch real live data is fraudulent,” Ploessel says. “In our industry, getting a visit from the FBI when you do something good is not unusual, but it’s still scary.”
“Covered California meets all state and federal regulations regarding online security and privacy,” says Covered California spokesperson Anne Gonzales. “Consumer protection is a high priority for Covered California, and we take it very seriously. We built protections into the system, we monitor the system continuously and we are ready to address any possible issue as it might arise. Should a security breach occur, we would notify any affected consumer directly.”
Hermansen argues that a breach could already have occurred if anyone has taken advantage of the flaw he found. He was cheered by news this month that the House has passed a bill that would require the Department of Health and Human Services to notify people of any potential breaches of their information through the health sites. Ploessel says the 48-hour notification requirement in the bill is unrealistic, though. The bill has not yet passed the Senate. Conservative lawmakers, eager to find flaws in any aspect of Obamacare, are holding a hearing Thursday morning about the risk of identity theft through Affordable Care Act-affiliated sites.
Hermansen did not try to find vulnerabilities on other state Obamacare portals. “I only look for vulnerabilities in the sites I actually use when not hired to do so,” he says. He does think that Covered California and other sites need a better reporting mechanism for security flaws.