COVID-19 tracing app fails NHS and cyber security tests
It has been reported that the government’s anticipated COVID-19 tracing app has failed crucial security tests and is not yet safe enough to be rolled out across the UK. It is understood the system has failed all tests needed in order for it to be included in the NHS Apps Library, including cyber security, clinical safety and performance.
The NHSX app is being trialed across households on the Isle of Wight this week and is due to be rolled out nationally, if successful, later this month. The app uses Bluetooth to alert a mobile user when they have spent more than 15 minutes within 6ft of someone who has tested positive for COVID-19 or experienced symptoms.
It will also advise the user to self-isolate if they have come into contact with someone who is infected. But senior figures described the app as a ‘bit wobbly’ and have raised concerns it could affect public trust if privacy settings aren’t tightened. There are fears particularly regarding users’ personal information once they log that they have tested positive or recorded symptoms, meaning they then become ‘traceable’.
Commenting on this, Joshua Berry, Associate Principal Security Consultant at Synopsys, said: “Contact tracing applications use Bluetooth Low Energy (BLE) advertisements to send and collect messages to identify contacts made with other users. In general, the reception of messages can present an opportunity for an attacker to send malformed data that could be mishandled by devices and applications. This is one way that a device could be compromised.
“However, in the case of a contact tracking app, the message content sent to devices over BLE contains data that is intended to be passively collected and stored by the mobile application. A mobile application that only performs this basic functionality would not alone present sufficient functionality for an attacker to be able to exploit to gain control over a mobile device.
“An attacker could attempt to overload a user's device with BLE messages that appear to the mobile device as sufficiently valid to store which could cause the application to not function as desired or to later receive false positive contact notifications.
“The larger concern that I have regarding the use of such applications is with regard to privacy. If someone does not feel comfortable with a positive diagnosis being known publicly, they should understand that these applications could expose some details about when and where they have been in the recent past with other users of the system.
“Even if a contact tracing application does not collect and share GPS location data, this data could be shared with other people as part of the contact tracing process. If governments would like for people to opt into such applications, they should address these concerns.
“They should consider making it clear what is collected, where it is stored, and use mobile application features to enforce these limits. For example, if GPS location is optional and a user chooses to opt out of collecting or sharing these details, the application should not require access to the mobile platform's location services.”
Samantha Isabelle Beaumont, senior security consultant at Synopsys, added: “Tracing applications that allow attackers to access a user’s Bluetooth also allows them to fully read all Bluetooth communications. This includes items in the user’s car, music they listen to, household IoT devices, and more.
“Users can protect themselves by limiting the number of applications they download, by limiting the number of Bluetooth items they pair, by limiting the number of Bluetooth items they keep as whitelisted, known devices, and by limiting the amount of information they are transferring over mechanisms such as Bluetooth.
“Tapping applications requires a means of storing, analysing, and transferring the data tapped for analysis. I would recommend ensuring data that isn’t required for analysis is deleted, and data that is required should be encrypted, securely stored, and transferred only for as long as it is needed.
“For any data used there should be mechanisms in place to ensure that data is only moving one way and cannot be tampered with. There also needs to be a mechanism in place to ensure the validity and integrity of that data.
It’s important to ensure that third-party peripherals follow a basic standard for Bluetooth implementation, wherein gaps are covered from the operating system or hardware system in Google or Apple devices respectively. Examples include supported encryption mechanisms for messages in transit and link key generation for pairing mechanisms.
“Apple and Google can also work on a framework foundation for other Bluetooth peripherals—like how the app stores work, but for Bluetooth mechanisms. This way, the device OEMs can begin to ensure a level of security and safety for users as they become more intertwined into third-party services.”