Coronic, the manufacturer of the S-Protect web browser, which is intended to enable secure online banking at savings banks, has closed some of the vulnerabilities discovered by c’t. According to the advertising promises of the savings banks and the manufacturer, the browser should allow secure online banking even on infected computers. However, c’t’s examination of the browser revealed several shortcomings that made this promise seem questionable.
Coronic has since released the updated version of S-Protect 188.8.131.52, which aims to correct the flaws discovered by c’t. The company also commented on its corporate blog. Changes have also been made to the advertising statements on the manufacturer’s website.
The c’t investigation team checked the updated version to see whether, and which of, the reported security holes have been closed in the meantime. Coronic announces on the blog that “the gap for solving keystrokes” has been closed internally. However, the fix is incomplete. The c’t keylogging test script worked again with a minimal adjustment: instead of “keys down” it now responded to “keys up”.
Another vulnerability was a missing or incorrect signature check, which allowed c’t to replace an executable file in the S-Protect working directory with its own unsigned file. S-Protect then ran this file. Coronic has corrected this error in an understandable way.
Additionally, the company has now extended S-Protect’s screenshot protection to the virtual keyboard. This on-screen keyboard is meant to protect against keylogging, but until now its inputs could be logged by simple means using screenshots. Thanks to the protection, the keyboard now appears black in recordings. However, this blackening can be prevented, as it is not already documented in the original analysis.
Coronic’s arguments in its statement do not always hold up. Coronic explains, for example, that when the contents of the window were saved as a PDF over a remote maintenance connection, the attack had already occurred before the remote maintenance was installed. That is correct, and it is exactly the situation covered by the original advertising promise: an attacker has infiltrated your computer, but online banking with S-Protect should still be safe.
The manufacturer of S-Protect also writes on its blog: “Another sticking point is finding a known password in main memory. If the password is already known, the attack has already occurred.” This statement raises more questions than it answers, because the manufacturer is apparently unaware that S-Protect stores bank login data in main memory according to a specific pattern when the user logs into a bank. Using this pattern, c’t was able to find the login data reproducibly in plain text, even with S-Protect 184.108.40.206, without having to look up the login username or PIN.
Apparently Coronic is not very enthusiastic about the c’t investigation team’s report: “The claims in the article are dubious or misleading. The product, its purpose and function have not been understood correctly and reproduced incorrectly.” However, the manufacturer has since toned down the advertising promises on its website.
The changes can be tracked using the Wayback Machine. The version from May 20, 2022 read: “With PROTECT products you can work safely on any PC and any mobile device, even if the operating system is already compromised.” The weakened version from 04.06.2022 reads: “With PROTECT products, work on any PC can be done more safely, even if the operating system is potentially compromised.”
Reactions from savings banks
Sparkasse am Niederrhein no longer offers the browser publicly for everyone, but has placed a customer login in front of it. As a precaution, Kieler Förde Sparkasse has meanwhile removed the information “that S-Protect enables safer online banking even on infected computers”.
It is unclear how thoroughly the Sparkasse browser was checked by the German Association of Savings and Giro Banks (DSGV) before it was released for bank customers. The association had explained to c’t that S-Protect was checked by the security team of the Sparkassen-Finanzgruppe (S-CERT) prior to the conclusion of the agreement with the manufacturer. However, the DSGV left the result open.
After another request, the association has now released further details. According to these, the security experts discovered several shortcomings during the security audit: “In October last year, S-CERT examined the then current version of the browser Protect from manufacturer Coronic. Weaknesses were found,” explained the DSGV. According to the association, these weaknesses were passed on to the manufacturer for processing.
Asked whether the manufacturer had also eliminated the security deficiencies discovered at the time, the association replied: “As far as we know, the manufacturer Coronic has followed these instructions.” So far, the association has left unanswered whether S-CERT carried out a new examination.