Manual contact tracing is a process that has been used for centuries in the control of infectious diseases. Contact researchers trace and identify those who have been in contact with an infected person and advise or oblige them to self-quarantine, thereby limiting the spread of the disease. Since the beginning of the current coronavirus pandemic, many countries have sought to accelerate and streamline contact tracing via mobile applications. With more than 30 different digital systems currently being developed by governments and health authorities, cybersecurity professionals have been quick to point out the drawbacks of such applications. Aside from their potential to enhance state surveillance, contact tracing apps could provide the ideal outlet for malicious actors looking to exploit software vulnerabilities and access personal data. So just how great is the security threat posed by contact tracing applications?

Contact tracing apps work by using Bluetooth LE connections to log the devices a user comes into close contact with. For example, Singapore’s TraceTogether app identifies each device via a 128-digit number or UUID so that any data gathered is anonymous (although the central database administrator can identify users by linking the UUID with their telephone number). In terms of privacy, Bluetooth applications supplant alternatives such as GPS or WiFi location data as they track proximity rather than location. However, experts have raised concerns about the risks of having Bluetooth switched on at all times as well as the applications’ susceptibility to hacking.

In November 2019, security researchers reported a critical vulnerability affecting Android 8, 8.1 and 9. Dubbed BlueFrag, it allowed attackers in possession of a device’s Bluetooth MAC address to remotely execute code when Bluetooth was enabled on said device. This in turn opened up opportunities for them to steal personal data or spread malware. Although a patch was made available in February of this year, there is never any guarantee that hackers will not discover new vulnerabilities in the Bluetooth protocol. In the summer of last year, Apple was also forced to patch the KNOB attack vulnerability after researchers discovered it was possible to snoop on communications between Bluetooth devices and even modify their content. According to a recent article in Wired, weaknesses in both operating systems could allow hackers to identify Covid-19-positive users of contact tracing apps or help advertisers track them.

Theoretically, it would also be possible to combine Bluetooth sniffing with CCTV or facial recognition technology to reveal the identities of app users who tested positive for COVID-19. A bad actor armed with a video camera could film passersby and root their phone to see all the Bluetooth signals picked up from those using the contact tracing application. When a user marked themselves as positive, the attacker would receive all the encryption keys from the app’s server and could match the infected person’s code with their image. Although such an act may seem unrealistically malicious, security experts warn that it is foolish to underestimate hackers’ propensity to capitalize on large numbers of people using Bluetooth-based applications.

The storage of such large quantities of personal data is also a concern for many information security professionals. A report published in April by researchers at Belgian university KU Leuven stated that the use of big data in contact tracing apps “appear[s] to expand the scope of traditional concerns about anonymity, as the data collected might be detailed enough to […] identify and track specific individuals.” While Apple and Google have proposed a decentralized system of data storage to help protect privacy (information is stored on users’ devices rather than in a central database), some governments are opting for a centralized approach instead. 

In the UK, the NHSX contact tracing app has been criticized for employing a central computer server to store data, with opponents saying it increases the likelihood of hackers or bad actors accessing and using personal information for malicious purposes. It would certainly not be the first time that attackers have successfully infiltrated apps gathering personal data with the 2017 MyHeritage hack setting a dangerous precedent. Scientists and researchers in the UK are so concerned about the possibility of increased state surveillance and data breaches that 200 professionals have put their signature to an open letter to the government, denouncing the use of digital applications for contact tracing.

Putting aside doubts over the efficacy of contact tracing apps, do the intended benefits of digital tracing outweigh the potential security risks of such a system? In a recent ZDNet article, Acronis COO and president Stanislav Protassov warned that app users would need to regularly update their devices’ firmware to ensure the patching of any vulnerabilities, as well as verifying the permissions requested by the app. The onus is also on app developers and governments to swiftly address weaknesses and ensure backend databases are secure. Furthermore, smartphone users would need to remain vigilant to the potential threat posed by spoofed apps developed by cyber threat agents. With the knowledge that no IoT device is ever truly safe, the question is whether countries can be justified in their decision to push unproven and potentially insecure applications onto their citizens where verified manual systems already exist.

At Soteria, we keep pace with all the latest evolutions in the digital threat landscape and offer a range of products designed to mitigate cybersecurity risks. We test network and endpoint security and provide the necessary solutions to keep your organization safe. We also offer a comprehensive cybersecurity awareness platform that teaches users to prevent, detect and deal with some of the most common threats to company and personal data. Contact us today to find out more.