The NHS Coronavirus App Has Many Serious Security Issues


A number of serious security flaws have been discovered in the contact tracing app that the NHS is currently testing to help stop the spread of Covid-19. A team of experienced security researchers has found several issues that could compromise user privacy and even sabotage the app itself. The app is currently being trialled on the Isle of Wight ahead of a possible national rollout, and has been touted by the British government as a key weapon in halting the epidemic.


The team behind the report consisted of the independent researcher and speaker Dr. Chris Culnane and Vanessa Teague, CEO of Thinking Cybersecurity. Among the "miscellaneous" issues the pair discovered were several weaknesses in the registration process that could allow attackers to steal encryption keys. With those keys, an intruder could prevent users from being notified when one of their contacts tests positive for Covid-19, or could even send fake alerts. The app was also found to store unencrypted data on phones that could be used by police to determine when two or more people met.

The team also found that the app generates a new random ID code for each user only once a day, whereas the rival app developed by Apple and Google generates a new code every 15 minutes for added security. The Apple and Google app appears to work on Android and iOS devices, using low-power Bluetooth signals to build a map of the people a user has been in contact with.

Teague and Culnane recommend that the NHS move from the "centralized" approach it currently uses, where data is shared and contact matching is done on a central server, to a "decentralized" approach, where matching occurs on users' own devices. "There can always be bugs and security holes in decentralized or centralized models," Teague said. "But the big difference is that a decentralized solution would not have a central server with the recent face-to-face contacts of each infected person. Therefore, there is a much lower risk of this database being leaked or misused."
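As an added illustration (not code from the researchers' report or from the NHS app), the constructed simulation below shows why a broadcast identifier that rotates only once a day lets a passive observer with receivers at several locations link a whole day of sightings to one device, while a 15-minute rotation fragments the trail. The toy ID derivation, the device secret and the day's track are assumptions made up for the example.

```python
import hashlib
from collections import defaultdict

DAY = 24 * 60  # rotation interval in minutes (page: NHS app rotates daily)
QUARTER_HOUR = 15  # rotation interval used by the Apple/Google design


def rotating_id(device_secret: bytes, minute: int, interval: int) -> str:
    """Toy broadcast ID for a given minute: hash of a per-device secret and
    the rotation epoch. This is a constructed scheme, not the NHS or
    Apple/Google derivation; only the rotation interval matters here."""
    epoch = minute // interval
    return hashlib.sha256(device_secret + epoch.to_bytes(4, "big")).hexdigest()[:16]


def sightings(track, interval):
    """Turn one device's day (list of (minute, location)) into the
    (broadcast_id, location) records that passive receivers would log."""
    secret = b"constructed-device-secret"  # assumption: fixed per-device secret
    return [(rotating_id(secret, minute, interval), loc) for minute, loc in track]


def largest_linkable_trail(logged):
    """Group logged sightings by broadcast ID. The largest group is the
    longest trail an observer can link with no cryptographic attack at all,
    purely because the same ID was seen in several places."""
    locations_by_id = defaultdict(set)
    for broadcast_id, loc in logged:
        locations_by_id[broadcast_id].add(loc)
    return max(len(locs) for locs in locations_by_id.values())


# Constructed day in the life of one device: six sightings at five places.
TRACK = [
    (8 * 60, "home"),
    (9 * 60, "bus"),
    (9 * 60 + 40, "office"),
    (13 * 60, "cafe"),
    (18 * 60, "gym"),
    (20 * 60, "home"),
]


def compare():
    """Longest linkable trail under daily vs 15-minute rotation."""
    return {
        "daily": largest_linkable_trail(sightings(TRACK, DAY)),
        "15min": largest_linkable_trail(sightings(TRACK, QUARTER_HOUR)),
    }


if __name__ == "__main__":
    print(compare())  # daily rotation links all five places; 15-minute links one
```

With daily rotation every sighting shares one ID, so the observer recovers the device's whole route; with 15-minute rotation each sighting carries a different ID and nothing links them.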


The team said it had shared its findings with the National Cyber Security Centre (NCSC), which in turn told the BBC that it was already aware of most of the issues raised and was in the process of resolving them. "Measures such as publishing the code and explaining the decisions behind the app were expected to spark constructive discussions with the security and privacy community," an NCSC spokesperson said in a statement. "We look forward to continuing to work with security and cryptography researchers to make the app the best it can be."

"This app was never going to be perfect from the ground up, but it's refreshing to hear that the government is listening to independent research and accepting suggestions for future revisions," said Jake Moore, cybersecurity specialist at ESET. "As with many apps, the first version is rarely useful, but it is available on users' phones, where new versions can easily be deployed. Once the app is available to the majority of people, its intentions will clearly have a greater effect. However, the biggest problem is the evident lack of legislation protecting this data. Not knowing if and how the data could be used in the future, or even whether it will be deleted, matters to users. It is essential that the privacy of the public be at the heart of this. Otherwise, the public may turn their backs on the app before it has had time to roll out to the right number of people and have any sort of effect."

Via BBC