Security Concerns over Contact Tracing Apps

Oleg Ilushin, Security Researcher at Check Point and Jonathan Shimonovich, Group Manager at Check Point discuss concerns around the implementation of contact tracing apps, citing possibilities of device traceability, personal data compromise, app traffic interception, and fake health reports.

When an individual is found to be infected with the coronavirus, the race is on to find those who they have come into contact with, as these people could be carriers or even be infected. This has led to hundreds of coronavirus contact-tracing mobile applications being developed worldwide and backed by various governments and national health authorities, as well as guidelines by the EU and special protocols developed by the two major smartphone OS vendors Apple & Google. In some places, the usage of such applications has been made mandatory for people who want to gain access into public spaces.

Some are concerned that contact-tracing apps are surveillance tools that invade individual privacy and disclose sensitive information. Therefore, any such app and tracing system must maintain a delicate balance between privacy and security, since poor implementation of security standards may put users’ data at risk.

 

Which countries have adopted contact tracing apps?

When we look at the adoption rates of coronavirus contact tracing applications in different countries, India’s Aarogya Setu leads the way with more than 100 million downloads from Google Play Store. This is largely because public and private workers in India are required to use it. 

Gerak Malaysia has more than a million downloads from Google Play Store, while Singapore’s TraceTogether and Australia’s COVIDSafe have over 500,000 downloads each respectively. 

In Europe, the UK’s NHS COVID-19 is yet to be deployed across the country but is currently being piloted on the Isle of Wight. It currently has more than 50,000 downloads. Austria’s Stopp Corona has been downloaded more than 100,000 times, as has Norway’s Smittestopp.

Germany and France have yet to release an application, but there are plans to do so soon. 

How do contact tracing apps work?

While the technology and algorithms differ between applications, the promise of most coronavirus contact tracing apps is the same – carrying the ability to detect close contact between individuals (i.e. within several meters) over a period of time. The parameters differ from one application to another, but as a guideline, the time interval is about 15 minutes. Proximity, in the majority of applications, is measured using either Bluetooth or GPS technology. In the case of Bluetooth, each device periodically broadcasts packets with unique ID, allowing other devices to monitor them. In the case of GPS, the exact location of the user is logged at all times.

When a person tests positive for coronavirus, they can use the application to advertise either their locations or the Bluetooth identifiers from registered contacts. The application then notifies users that have appeared to be in close proximity with the infected person, along with the local health authority.

Of course, if such a system is to be effective in breaking infection chains, the application must have high adoption rates. Due to the sensitive nature of data used by contact tracing apps, naturally, they raise many questions around the privacy of individuals’ data that the app may access, and the potential abuse of such systems.

This comes down to questions on what data is collected, how it is stored and how it is distributed. For example, is the data encrypted? Is there a proper authorization/verification process to protect against abuse? Is user anonymity preserved given that personal identifiers such as phone number, name and IDs are being collected?  Another aspect is user consent – does the user submit their data voluntarily, or is the data collected and uploaded without the user’s knowledge? Let’s look a little closer at how different applications work to try and answer these questions.

 

Centralized approach

Applications can be classified into two main groups: those using a centralized approach and those using a decentralized approach.  Most of the currently deployed applications are built on the centralized approach including UK’s NHS COVID-19, Singapore’s TraceTogether, and Australia’s COVIDSafe.  With a centralized approach, the contact events log is uploaded from the device to a central server, and only processed at the central server.  This gives the authorities more power to analyze contact data and get more insight on the spread of the virus, but it also enables them to access private information on the mass population such as the locations of individuals, or who met whom and when.

 

Decentralized approach

This is a more privacy-centric approach, meaning that the contact events log never leaves the device, and only minimal information is uploaded to the central server.  The application periodically downloads keys of positive diagnosed users, and matches them against contact logs stored on the device.

 

User Anonymity

Another important point in preserving privacy is whether an application that is running on a device can be associated with the real user. In order to preserve user anonymity, no personal identifiers (phone number, name, IDs etc) should be associated with the application at any time. This is achieved by using cryptographic keys that change frequently and serve as user identifiers transmitted over the air (via Bluetooth or Internet connections).  Usually, an application receives a one-time random unique key during installation or registration, and that key is used to derive rotating cryptographic identifiers that are broadcasted over Bluetooth, and uploaded to servers.  It is important to stress, however, that while preserving privacy is crucial, so is the reliability of the application. To emphasise this point, let’s consider the following common use case of contact tracing applications.

One of the features of contact tracing applications is that a user may submit a diagnosis report, and in many cases, there is a self-diagnosis questionnaire where the user fills in the symptoms they are experiencing as well as other information.  When a user submits such a report, some applications do not perform any verification, while others enforce some kind of validation by requiring a phone number to send a verification code via SMS. While verification by SMS de-anonymizes users, it protects against fake reports. But without verification, the whole system can be undermined by multiple fake reports, causing fake alerts and nationwide panic.

 

What are the security concerns surrounding contact tracing apps?

Security researchers at Check Point are closely examining contact tracing apps and have identified four main concerns regarding their implementation which need to be addressed by developers of the applications.

When Bluetooth technology is used for contact tracing, devices frequently broadcast packets over the air that contain unique IDs to facilitate identification of contact with other devices. However, if not implemented correctly, hackers can correlate devices to their respective identification packets, which then allows them to trace a person’s device.

There is also a risk that personal data can be compromised. Naturally, applications store contact logs, encryption keys and other sensitive data on devices. Sensitive data should be encrypted and stored in the application sandbox and not on shared locations. Even within the sandbox, gaining root privileges or physical access to the device, could compromise the data, more so if such sensitive information as GPS locations are stored. GPS can give away sensitive information, revealing users’ travels and locations over previous few days or weeks.

Users can be susceptible to “man-in-the-middle” attacks and the interception of the application’s traffic if all communications with the application backend server are not properly encrypted.

Without proper authorization in place when information is submitted to the servers, it could be possible for scammers to flood the servers with fake health reports, undermining the whole system.

 

How can people stay protected whilst users contact tracing apps?

At Check Point, we are continuing to research contact tracing applications and frameworks, regularly publishing new findings to keep users safe.

As multiple fake apps have already been detected during the pandemic, our recommendation for end users is to only install contact-tracing COVID-19 applications from official app stores, since they only allow authorized government agencies to publish such apps. 

In addition, we recommend users to download and install a mobile security solution to scan applications and protect the device against malware, as well as verify that the device has not been compromised.

 

It looks like coronavirus contact tracing applications are here to stay. However, in order for them to be successful and effectively control COVID-19, it is essential that contact tracing apps maintain a delicate balance between privacy and security so users have full trust that their privacy is being preserved and their data is protected from misuse. 

Given the abundance of frameworks and protocols that have prioritized privacy and security, and the fact that many official applications have their sources published, it looks like things are going in the right direction. 

With the recent release of the Google|Apple “Notification Framework”, we expect more applications based on this framework to be released, as well as some existing applications shifting to this approach.

However, it is still up to the developers of the applications to comply with standards by implementing them in a secure manner. We strongly recommend government agencies to rely on sound protocols such as those mentioned above and offer open source for their apps in order to increase user confidence and acceptance.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.