Security Implications Of Covid-19 Contact-tracing Mobile Apps – Experts Commentary

According to reports, the UK government’s Covid-19 contact-tracing app remains on schedule for launch in May despite ongoing privacy concerns and only recently passing through alpha testing, leading UK scientists told MPs.

4 Expert Comments
Darren Wray, CTO & Co-founder
InfoSec Expert
May 8, 2020 3:11 pm

This is a welcome statement from the committee. Many organisations, including governments, have a hoarder mentality, keeping as much personal data as possible and keeping it far beyond its useful life. Obviously the GDPR says that data should only be kept as long as is required for the purpose, but very few organisations truly audit their data in this way and so the data is kept. The answer to this problem is to design software from the ground up with the ability to honour data retention policies and requirements and I hope that the comments from the committee are an indication of the realisation and implementation of these requirements.

Given the purpose of the collection of this data is to prevent the spread of COVID-19, the expiry date of the service and of the data should be closely aligned to this purpose. The service and the data collected should, therefore, expire when the crisis has subsided.

The data collected and processed should also be minimised as required by current data privacy regulation. The amount of centralised data should be minimised; the ideal, although rejected by the Government previously, would mean that the information about who comes into contact with whom should only be stored on a user's phone and should automatically expire every few weeks.

Last edited 2 years ago by Darren Wray
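The retention and minimisation points above (keep only what the purpose needs, keep it only on the phone, expire it automatically) can be shown as an on-device contact store. This is an added illustration, not code from the NHS app or from any of the commentators; the 14-day retention period, the 16-byte rolling identifier and the `ContactStore` API are assumptions chosen for the example. Nothing about location is stored at all, which is the minimisation the comment asks for.

```python
from datetime import datetime, timedelta, timezone

# Assumption: contacts expire after 14 days (the comment says "every few weeks").
RETENTION_DAYS = 14
# Assumption: the only thing stored per contact is a 16-byte rolling identifier
# broadcast by the other phone, plus first/last time it was seen. No location.
TOKEN_LEN = 16


class ContactStore:
    """Hypothetical on-device store that enforces a retention policy itself,
    rather than relying on someone remembering to audit the data later."""

    def __init__(self, retention_days=RETENTION_DAYS):
        self.retention = timedelta(days=retention_days)
        self._seen = {}  # token -> {"first": datetime, "last": datetime}

    def record(self, token: bytes, seen_at: datetime) -> None:
        if len(token) != TOKEN_LEN:
            raise ValueError("rolling identifier must be %d bytes" % TOKEN_LEN)
        entry = self._seen.get(token)
        if entry is None:
            self._seen[token] = {"first": seen_at, "last": seen_at}
        else:
            # A repeated sighting only moves the last-seen timestamp forward.
            entry["last"] = max(entry["last"], seen_at)

    def purge(self, now: datetime) -> int:
        """Delete every contact not seen within the retention window.
        Returns how many entries were removed."""
        cutoff = now - self.retention
        stale = [t for t, e in self._seen.items() if e["last"] < cutoff]
        for t in stale:
            del self._seen[t]
        return len(stale)

    def match(self, published_tokens) -> int:
        """Count how many published (positive-diagnosis) tokens this phone saw.
        Matching happens locally; the store never leaves the device."""
        return sum(1 for t in published_tokens if t in self._seen)

    def wipe(self) -> None:
        """End of service: the whole data set expires with it."""
        self._seen.clear()

    def __len__(self) -> int:
        return len(self._seen)


def demo() -> dict:
    """Scripted walk-through with constructed tokens and timestamps."""
    now = datetime(2020, 5, 8, 15, 0, tzinfo=timezone.utc)
    store = ContactStore()
    old = bytes([0x11]) * TOKEN_LEN      # constructed identifier seen 20 days ago
    recent = bytes([0x22]) * TOKEN_LEN   # constructed identifier seen yesterday
    store.record(old, now - timedelta(days=20))
    store.record(recent, now - timedelta(days=1))
    store.record(recent, now - timedelta(hours=1))  # same contact, seen again
    result = {"stored_before_purge": len(store)}
    result["purged"] = store.purge(now)
    result["stored_after_purge"] = len(store)
    result["matches"] = store.match([old, recent])  # 'old' is gone, so only 1
    store.wipe()
    result["after_wipe"] = len(store)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of `purge()` being part of the store, rather than a separate clean-up job, is the one the comment makes: retention is honoured by design, and a scheduled call to it (for example on each app launch) is all the "audit" that is needed.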
David Emm, Principal Security Researcher
InfoSec Expert
April 30, 2020 3:37 pm

New forms of technology, such as the NHS contact tracking app, are currently being implemented in order to help manage the country’s response to the pandemic and to help save lives. With the prospect of the government using the app to collect sensitive health data about the population on a mass scale, it’s of vital importance that this information is managed correctly, and is properly secured and encrypted to keep it safe.

A key concern regarding the NHS contact tracking app is that the government has chosen not to follow the decentralised model that looks set to be adopted in many countries, and has instead opted for a centralised approach that includes real-time location tracking. However, it's important that a significant portion of the population installs and uses the app, as concerns about privacy might put people off. Privacy concerns are critical to an app's success and in this instance, the data should be handled in a balanced way that manages both the safety and privacy concerns of citizens.

Last edited 2 years ago by David Emm
Samantha Isabelle Beaumont, Senior Security Consultant
InfoSec Expert
April 30, 2020 3:36 pm

Tracing applications that allow attackers to access a user's Bluetooth also allow them to fully read all Bluetooth communications. This includes items in the user's car, music they listen to, household IoT devices, and more. Users can protect themselves by limiting the number of applications they download, by limiting the number of Bluetooth items they pair, by limiting the number of Bluetooth items they keep as whitelisted, known devices, and by limiting the amount of information they are transferring over mechanisms such as Bluetooth.

Tapping applications requires a means of storing, analyzing, and transferring the data tapped for analysis. I would recommend ensuring data that isn’t required for analysis is deleted, and data that is required should be encrypted, securely stored, and transferred only for as long as it is needed. For any data used there should be mechanisms in place to ensure that data is only moving one way and cannot be tampered with. There also needs to be a mechanism in place to ensure the validity and integrity of that data.

It’s important to ensure that third-party peripherals follow a basic standard for Bluetooth implementation, wherein gaps are covered from the operating system or hardware system in Google or Apple devices respectively. Examples include supported encryption mechanisms for messages in transit and link key generation for pairing mechanisms. Apple and Google can also work on a framework foundation for other Bluetooth peripherals—like how the app stores work, but for Bluetooth mechanisms. This way, the device OEMs can begin to ensure a level of security and safety for users as they become more intertwined into third-party services.

Last edited 2 years ago by Samantha Isabelle Beaumont
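The second paragraph above asks for three properties on any data handed over for analysis: drop what analysis does not need, make sure what is sent cannot be tampered with, and be able to check its validity and integrity on receipt. The following is an added example of those three properties using a keyed HMAC, written for this page rather than taken from any app or commentator; the field list `REQUIRED_FIELDS`, the record layout and the key are assumptions. Confidentiality in transit is left to the transport (TLS), which the example does not model.

```python
import hashlib
import hmac
import json

# Assumption: these are the only fields the analysis side needs. Anything else
# (location, device model, ...) is dropped before the record leaves the device.
REQUIRED_FIELDS = {"contact_token", "day"}

# Constructed key for the demo only; a real deployment would provision one per
# device or per batch through a proper key-management process.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

TAG_HEX_LEN = 64  # hex digits of a SHA-256 HMAC


def minimise(record: dict) -> dict:
    """Keep only the fields required for analysis."""
    return {k: v for k, v in record.items() if k in REQUIRED_FIELDS}


def seal(record: dict, key: bytes) -> bytes:
    """Minimise the record, serialise it canonically and prepend an HMAC tag.
    Canonical JSON (sorted keys, no whitespace) means the bytes that are
    authenticated are exactly the bytes the receiver will parse."""
    body = json.dumps(minimise(record), sort_keys=True,
                      separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def verify(blob: bytes, key: bytes) -> dict:
    """Check integrity and validity; raise ValueError on any problem."""
    if len(blob) <= TAG_HEX_LEN + 1 or blob[TAG_HEX_LEN:TAG_HEX_LEN + 1] != b".":
        raise ValueError("malformed blob")
    tag, body = blob[:TAG_HEX_LEN], blob[TAG_HEX_LEN + 1:]
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the tag check itself leaks nothing.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    record = json.loads(body)
    # Validity: the authenticated record must still be exactly what analysis expects.
    if not isinstance(record, dict) or set(record) != REQUIRED_FIELDS:
        raise ValueError("record does not match the agreed schema")
    return record


def _rejected(blob: bytes, key: bytes) -> bool:
    try:
        verify(blob, key)
        return False
    except ValueError:
        return True


def demo() -> dict:
    # Constructed record: the 'gps' field is present on the device but is not
    # required for analysis, so minimise() removes it before sealing.
    record = {"contact_token": "2a" * 16, "day": "2020-04-30", "gps": "51.5,-0.1"}
    blob = seal(record, DEMO_KEY)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit of the body
    return {
        "fields_sent": sorted(verify(blob, DEMO_KEY)),
        "tamper_rejected": _rejected(tampered, DEMO_KEY),
        "wrong_key_rejected": _rejected(blob, b"some-other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

Because `minimise()` runs inside `seal()`, a record cannot be authenticated without first being stripped to the agreed fields, so the "delete what isn't required" rule is enforced by the same code path that provides integrity rather than being a separate step that could be skipped.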
Joshua Berry, Associate Principal Security Consultant
InfoSec Expert
April 30, 2020 3:32 pm

Contact tracing applications use Bluetooth Low Energy (BLE) advertisements to send and collect messages to identify contacts made with other users. In general, the reception of messages can present an opportunity for an attacker to send malformed data that could be mishandled by devices and applications. This is one way that a device could be compromised. However, in the case of a contact tracking app, the message content sent to devices over BLE contains data that is intended to be passively collected and stored by the mobile application. A mobile application that only performs this basic functionality would not alone present sufficient functionality for an attacker to be able to exploit to gain control over a mobile device. An attacker could attempt to overload a user's device with BLE messages that appear to the mobile device as sufficiently valid to store, which could cause the application to not function as desired or to later receive false positive contact notifications.

The larger concern that I have regarding the use of such applications is with regard to privacy. If someone does not feel comfortable with a positive diagnosis being known publicly, they should understand that these applications could expose some details about when and where they have been in the recent past with other users of the system. Even if a contact tracing application does not collect and share GPS location data, this data could be shared with other people as part of the contact tracing process. If governments would like for people to opt into such applications, they should address these concerns. They should consider making it clear what is collected, where it is stored, and use mobile application features to enforce these limits. For example, if GPS location is optional and a user chooses to opt out of collecting or sharing these details, the application should not require access to the mobile platform's location services.

Last edited 2 years ago by Joshua Berry
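The first paragraph of the comment above names the two things a receiving app has to get right: parse incoming BLE advertisements without mishandling malformed ones, and avoid being overloaded by a flood of advertisements that look valid enough to store. The code below is an added example of the defensive side of that, not code from any tracing app or from the commentator. It parses the standard BLE advertising-data structure (length byte, AD type byte, data) with strict bounds checks, extracts a 16-byte token from a Service Data entry, and caps how many new tokens it will store per time window; the token length, the window parameters and the use of service UUID 0xFD6F as the sample service are assumptions for the example.

```python
# BLE advertising data is a sequence of AD structures: [length][AD type][data...],
# where the length byte counts the type byte plus the data.
AD_TYPE_FLAGS = 0x01
AD_TYPE_SERVICE_DATA_16 = 0x16   # "Service Data - 16-bit UUID"
EXAMPLE_SERVICE_UUID = 0xFD6F    # assumption: the 16-bit service this app listens for
TOKEN_LEN = 16                   # assumption: payload is a 16-byte rolling token


def parse_ad_structures(adv: bytes):
    """Split an advertisement into (ad_type, data) pairs.
    Any length that would read past the end of the packet is rejected rather
    than silently truncated, which is the 'mishandled malformed data' case."""
    out, i = [], 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break  # zero-length structure: the rest is padding
        if i + 1 + length > len(adv):
            raise ValueError("AD structure length overruns the advertisement")
        ad_type = adv[i + 1]
        out.append((ad_type, adv[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def extract_token(adv: bytes, service_uuid: int):
    """Return the token carried in the Service Data entry for service_uuid,
    None if the advertisement is not for this service."""
    for ad_type, data in parse_ad_structures(adv):
        if ad_type != AD_TYPE_SERVICE_DATA_16:
            continue
        if len(data) < 2:
            raise ValueError("service data too short to hold a UUID")
        if int.from_bytes(data[:2], "little") != service_uuid:
            continue
        payload = data[2:]
        if len(payload) != TOKEN_LEN:
            raise ValueError("unexpected token length %d" % len(payload))
        return bytes(payload)
    return None


def build_adv(token: bytes, service_uuid: int = EXAMPLE_SERVICE_UUID) -> bytes:
    """Constructed well-formed advertisement (flags + service data) for the demo."""
    flags = bytes([2, AD_TYPE_FLAGS, 0x1A])
    service = bytes([1 + 2 + len(token), AD_TYPE_SERVICE_DATA_16])
    return flags + service + service_uuid.to_bytes(2, "little") + token


class Collector:
    """Receives advertisements and decides what to store. A genuine contact
    beacons the same token repeatedly, so repeats only update last-seen; a
    flood of *distinct* tokens is capped per window so storage and later
    matching cannot be overwhelmed."""

    def __init__(self, service_uuid, max_new_per_window=50, window_s=60):
        self.service_uuid = service_uuid
        self.max_new = max_new_per_window
        self.window_s = window_s
        self.seen = {}            # token -> [first_seen_s, last_seen_s]
        self.window_start = None
        self.new_in_window = 0

    def observe(self, adv: bytes, now_s: float) -> str:
        try:
            token = extract_token(adv, self.service_uuid)
        except ValueError:
            return "malformed"        # dropped; never reaches storage
        if token is None:
            return "ignored"          # some other service's advertisement
        if token in self.seen:
            self.seen[token][1] = now_s
            return "duplicate"
        if self.window_start is None or now_s - self.window_start >= self.window_s:
            self.window_start, self.new_in_window = now_s, 0
        if self.new_in_window >= self.max_new:
            return "rate_limited"     # plausible-looking but too many new ones
        self.seen[token] = [now_s, now_s]
        self.new_in_window += 1
        return "accepted"


def demo() -> list:
    """Constructed sequence of observations with a small window for illustration."""
    c = Collector(EXAMPLE_SERVICE_UUID, max_new_per_window=3, window_s=60)
    tok = lambda b: bytes([b]) * TOKEN_LEN
    events = [
        (0, build_adv(tok(0xA1))),               # accepted
        (5, build_adv(tok(0xA1))),               # duplicate: same beacon again
        (6, bytes([0x30, 0x16, 0x6F, 0xFD])),    # malformed: length 0x30 overruns
        (7, build_adv(tok(0xB2))),               # accepted
        (8, build_adv(tok(0xC3))),               # accepted (window now full)
        (9, build_adv(tok(0xD4))),               # rate_limited
        (61, build_adv(tok(0xD4))),              # accepted: new window
    ]
    return [c.observe(adv, t) for t, adv in events]


if __name__ == "__main__":
    print(demo())
```

The parser does nothing clever with a bad length byte; it refuses the packet. That, plus the fact that a stored token is only ever compared against published tokens later, is what keeps the attack surface of a passive collector as small as the comment describes. The per-window cap on distinct new tokens addresses the overload case: a burst of distinct, well-formed tokens is bounded, while repeats from a real nearby phone cost nothing beyond a timestamp update.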
Information Security Buzz