Wednesday, May 20, 2020
Security flaws found in NHS contact-tracing app
It appears that the concerns of the Parliamentary joint committee on human rights regarding the data captured by the NHS Covid-19 contact-tracing app are well-founded. The BBC reports that wide-ranging security flaws have been flagged in the Covid-19 contact-tracing app being piloted in the Isle of Wight.
They say that security researchers have warned that the problems pose risks to users' privacy and could be abused to prevent contagion alerts being sent. The researchers suggest a fundamental rethink is required:
Specifically, they call for new legal protections to prevent officials using the data for purposes other than identifying those at risk of being infected, or holding on to it indefinitely.
In addition, they suggest the NHS considers shifting from its current "centralised" model - where contact-matching happens on a computer server - to a "decentralised" version - where the matching instead happens on people's phones.
"There can still be bugs and security vulnerabilities in either the decentralised or the centralised models," said Thinking Cybersecurity chief executive Dr Vanessa Teague.
"But the big difference is that a decentralised solution wouldn't have a central server with the recent face-to-face contacts of every infected person.
"So there's a much lower risk of that database being leaked or abused."
They add that the researchers detail seven different problems they found with the app.They include:
They say that security researchers have warned that the problems pose risks to users' privacy and could be abused to prevent contagion alerts being sent. The researchers suggest a fundamental rethink is required:
Specifically, they call for new legal protections to prevent officials using the data for purposes other than identifying those at risk of being infected, or holding on to it indefinitely.
In addition, they suggest the NHS considers shifting from its current "centralised" model - where contact-matching happens on a computer server - to a "decentralised" version - where the matching instead happens on people's phones.
"There can still be bugs and security vulnerabilities in either the decentralised or the centralised models," said Thinking Cybersecurity chief executive Dr Vanessa Teague.
"But the big difference is that a decentralised solution wouldn't have a central server with the recent face-to-face contacts of every infected person.
"So there's a much lower risk of that database being leaked or abused."
They add that the researchers detail seven different problems they found with the app.They include:
- weaknesses in the registration process that could allow attackers to steal encryption keys, which would allow them to prevent users being notified if a contact tested positive for Covid-19 and/or generate spoof transmissions to create logs of bogus contact events
- storing unencrypted data on handsets that could potentially be used by law enforcement agencies to determine when two or more people met
- generating a new random ID code for users once a day rather than once every 15 minutes as is the case in a rival model developed by Google and Apple. The longer gap theoretically makes it possible to determine if a user is having an affair with a work colleague or meeting someone after work, it is suggested.