Yesterday, the first UK contact-tracing app was introduced via the COVID-19 review. The app will undergo a trial run on the Isle of Wight. Council staff and healthcare workers have been invited to install it today, ahead of a wider release across the island on Thursday. Even so, many concerns have been raised about the app and its implications for the public’s privacy. Other countries, such as South Korea and Singapore, have already implemented measures of this kind.
One thing that got under my skin was that NHSX (the NHS’s cyber unit) has stressed that the use of the app will be voluntary. This contradicts the statement of Matt Hancock: “islanders will then be asked to install the app” by order from the chief nurse. That doesn’t seem very voluntary to me.
Being a curious soul, I asked one of my colleagues the very apt and intelligent question of “what cybersecurity issues could come from the trackin’ app that the government’s pumpin’ out?” And he replied with a list of issues that could go wrong with it. We then proceeded to discuss the issues for about twenty minutes. In light of this, I have done some research and pulled together the issues that we could be facing upon downloading this app.
Of course, with the ability to track and store locations on your phone (and then in government ownership for future statistics), there will be a wealth of people just waiting to pick up on that data. A scenario that my colleague and I thought up was the following: you suspect that your partner may be cheating on you and you know that the COVID-19 outbreak served to collect location data from millions of people, including your partner. How much would you pay to find the truth? And, before you know it, you’re living in an episode of Black Mirror.
There could be targeted attacks on hundreds of thousands of people. By following you or simply getting within your range, someone could connect to your Bluetooth-ed phone and declare themselves sick, and then you’re asked to self-isolate, whether that person declared it accidentally or maliciously. In severe cases, someone could have the app on several phones that they own and then proceed to have a wander around. A similar thing occurred over two months ago, when a Berlin artist used ninety-nine phones to trick Google into broadcasting a traffic jam warning (article here). Now, imagine if all of those phones were registered with the contact-tracing app. If they declare that they have symptoms of COVID and you’ve been near them, suddenly you’ve been in contact with ninety-nine people that have COVID when it could all be a ploy to get you to self-isolate.
Bluetooth as a Secure Service
After having a quick read-through of this article, I’ve found six issues with the insecurity of Bluetooth, which I will go through now.
- The BlueBorne Attack: Last year, millions of Bluetooth devices were taken over via Bluetooth in moments. Though Amazon and Google have corrected this issue, it was only the doorway into further problems.
- Key Negotiation of Bluetooth Attack: Any device that uses Bluetooth (versions 1.0 through to 5.1) is vulnerable to this form of attack, where attackers can listen in on your Bluetooth traffic.
- Bluetooth Tracking: (See Location Tracking.)
- Bluejacking: An attacker sends you a ‘business card’ via text message and, upon opening it, your phone will ask to activate Bluetooth. If you do this, you may have added your device to the attacker’s contact list, allowing them to send you malicious files at any time.
- Bluesnarfing: Though there are few cases of this, it is still a risk. This involves an attacker connecting to your Bluetooth device and extracting any data they want. This could be anything, from phone numbers and e-mail addresses to calendar appointments and photos.
- Bluebugging: An attacker establishes a connection to your phone over Bluetooth and uses that authorization to call a paid telephone number that they have set up. By the end of this, they’ve made money and left you with an awfully steep phone bill.
Now we, at Samurai, aren’t here to tell you not to use the app but to inform you of its risks. In this dire time, trust is a massive bonus and it’ll help bring us all together but there will always be someone ready to take advantage of all our hard work.
You’re aware of what you gain and what you risk from the new contact-tracing app. Now, you can make an informed decision. Stay safe.