Cybersecurity Experts Reaction On Contact Tracing App ‘Fails’ NHS And Cyber Security Tests

It has been reported that the government’s anticipated coronavirus tracing app has failed crucial security tests and is not yet safe enough to be rolled out across the UK. It is understood the system has failed all tests needed in order for it to be included in the NHS Apps Library, including cyber security, clinical safety and performance. The NHSX app is being trialed across households on the Isle of Wight this week and is due to be rolled out nationally, if successful, later this month. The app uses Bluetooth to alert a mobile user when they have spent more than 15 minutes within 6ft of someone who has tested positive for Covid-19 or experienced symptoms. It will also advise the user to self-isolate if they have come into contact with someone who is infected. But senior figures described the app as a ‘bit wobbly’ and have raised concerns it could affect public trust if privacy settings aren’t tightened. There are fears particularly regarding users’ personal information once they log that they have tested positive or recorded symptoms, meaning they then become ‘traceable’.

4 Expert Comments
Matt Lock, Technical Director
InfoSec Expert
May 7, 2020 9:17 pm

Unprecedented times lead to unprecedented measures. Chances are, you would be willing to bend your digital privacy rights during the current crisis if it meant you could keep you and your family safer. We can’t keep our eyes off the long-term consequences after enabling this kind of technology and bending privacy rules. Once lifted, privacy restrictions aren’t guaranteed to be put back in place. That the data is anonymized shouldn’t really help people rest easy – researchers have found that anonymous information can be traced back to individuals. It’s one thing to know health officials are keeping tabs on your location to keep you safer.

Beyond governments using this technology for questionable motives in the future, it must be assumed that this tracking will fall into the wrong hands. The idea that anyone, including a cybercriminal, could use this technology to track your movements and keep tabs on the people you meet would be a no-go for many individuals – despite the promised short-term gains.

Samantha Isabelle Beaumont, Senior Security Consultant
InfoSec Expert
May 6, 2020 7:37 pm

Tracing applications that allow attackers to access a user’s Bluetooth also allow them to fully read all Bluetooth communications. This includes items in the user’s car, music they listen to, household IoT devices, and more. Users can protect themselves by limiting the number of applications they download, by limiting the number of Bluetooth items they pair, by limiting the number of Bluetooth items they keep as whitelisted, known devices, and by limiting the amount of information they are transferring over mechanisms such as Bluetooth.

Tapping applications requires a means of storing, analysing, and transferring the data tapped for analysis. I would recommend ensuring data that isn’t required for analysis is deleted, and data that is required should be encrypted, securely stored, and transferred only for as long as it is needed. For any data used there should be mechanisms in place to ensure that data is only moving one way and cannot be tampered with. There also needs to be a mechanism in place to ensure the validity and integrity of that data.

It’s important to ensure that third-party peripherals follow a basic standard for Bluetooth implementation, wherein gaps are covered from the operating system or hardware system in Google or Apple devices respectively. Examples include supported encryption mechanisms for messages in transit and link key generation for pairing mechanisms. Apple and Google can also work on a framework foundation for other Bluetooth peripherals—like how the app stores work, but for Bluetooth mechanisms. This way, the device OEMs can begin to ensure a level of security and safety for users as they become more intertwined into third-party services.

Joshua Berry, Associate Principal Security Consultant
InfoSec Expert
May 6, 2020 4:57 pm

Contact tracing applications use Bluetooth Low Energy (BLE) advertisements to send and collect messages to identify contacts made with other users. In general, the reception of messages can present an opportunity for an attacker to send malformed data that could be mishandled by devices and applications. This is one way that a device could be compromised. However, in the case of a contact tracking app, the message content sent to devices over BLE contains data that is intended to be passively collected and stored by the mobile application. A mobile application that only performs this basic functionality would not alone present sufficient functionality for an attacker to be able to exploit to gain control over a mobile device. An attacker could attempt to overload a user’s device with BLE messages that appear to the mobile device as sufficiently valid to store which could cause the application to not function as desired or to later receive false positive contact notifications.

The larger concern that I have regarding the use of such applications is with regard to privacy. If someone does not feel comfortable with a positive diagnosis being known publicly, they should understand that these applications could expose some details about when and where they have been in the recent past with other users of the system. Even if a contact tracing application does not collect and share GPS location data, this data could be shared with other people as part of the contact tracing process. If governments would like for people to opt into such applications, they should address these concerns. They should consider making it clear what is collected, where it is stored, and use mobile application features to enforce these limits. For example, if GPS location is optional and a user chooses to opt out of collecting or sharing these details, the application should not require access to the mobile platform’s location services.

Jake Moore, Cybersecurity Specialist
InfoSec Expert
May 6, 2020 4:55 pm

Contact tracing was offered to the government in two very different ways – centralized and decentralized. Centralized tracing comes with concerns around security and safety, and could be the start of another Cambridge Analytica-esque scandal. Having a third party private company with shareholders analyse the data could potentially pose not only a security problem but also another data handling issue.

We mustn’t become complacent around the security of our private data, as once we lose it, there is the chance of it being abused in the future.
