|Heavily downloaded, & built at speed in the middle of a pandemic, so would you be comfortable recommending to staff to download the new track-and-trace app, or does the cyber-risk outweigh the virus gain?
The NHS Covid-19 contact tracing app for England & Wales was downloaded over 12m times by the end of Sept. with the Health Secretary, Matt Hancock, claiming success as this made it the most quickly downloaded app in the UK ever.
Even at that kind of download level, it needs to do better if it is to work towards halting the spread of the virus. Issues include failed compatibility with older phones, police forces instructing officers not to install the app, & reports that some users received erroneous exposure notifications that were actually system checking messages from Apple & Google, according to the Department of Health & Social Care. These stories do not help.
The 2 big issues are privacy & security doubts.
The move to the Apple & Google decentralised model was a direct response to that privacy issue. Security remains as more than just a metaphor, & it is a genuine concern for many.
Safety in numbers
The most straightforward question – how secure is the NHS test & trace app in the expert opinion of cyber-security industry professionals?
Lookout ran an analysis of both the Android & iOS versions of the app & “found nothing alarming about the permissions or data transfer practices,” EMEA Technical Director, Tom Davidson, explained. “Having visibility into permissions & data handling practices of a mobile app is key for security teams that need to align with internal or external compliance requirements,” he comments.
N. Korean Regime
A US Govt. memo from Sept., jointly written by agencies including the US Treasury Dept. & the FBI, said the N. Korean regime had increased its financially motivated hacking efforts this year, after a pause in activity: “Since Feb. 2020, N. Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers & ATM cash outs.”
While it’s still “too early to tell how secure it is,” explained Morgan Wright, Chief Security Advisor at Sentinel One & a former US State Dept. special advisor, visibility is something it has going for it as the code is open source.
“That means it’s subject to review, analysis, & allows crowdsourcing to discover vulnerabilities,” Wright concluded.
Candid Wüest, VP of Cyber Protection Research at Acronis, had been looking at the public code repository on Github & observes, “from what I can see, the developers are fixing all identified problems.”
Ken Kolderup, CMO at the Bluetooth SIG, explained that he was excited to see Bluetooth technology used “in ways where transparency, as well as user consent, privacy, & security, are central to the design”.
That didn’t stop several security experts pointing to the threats.
Alex Archondakis, Managing Consultant for Web Application Security at Pentest People, comments “The main risks lie in a malicious actor finding a way to associate Bluetooth keys with the owner as they would be able to track interactions.”
Josh Neame, Technology Director at Blue Fort Security, who observes there are “certainly risks of Bluesnarfing, when a hacker pairs with your device without your knowledge & compromises your data”.
Neame admitted that as we rely upon Bluetooth for so many different things already, he’d be hesitant to say the NHS app had introduced that risk. People, in general, are poor at applying security updates & patches, & it’s people in general that will comprise the vast majority of the NHS app users.
“BlueFrag, for example, was patched in Feb. 2020 in Android,” Wüest described. This critical Bluetooth vulnerability impacted Android 8 & 9 users & enabled code execution. “If you have an unpatched device,”
Wüest continues, “an attacker nearby could easily take over your device & steal your personal data. Users need to update their devices’ firmware to help avoid this, but the danger of unpatched vulnerabilities remains.”
Wright notes, however, there’s a ‘minimalist approach’ to collecting personally identifiable information, & all that PII resides on the phone itself, according to the NHS.
QR eye for a smartphone
Wright said there remains an exploit risk, but not a very scalable attack vector, from the QR code part of the app: “It’s possible to produce a QR code that points to a malicious site, or enables the insertion of malware.”
David Critchley, Director of UK & Ireland at MobileIron, is also concerned about the QR code risk. “The security controls surrounding QR scanning, now a legal requirement for track & trace, remain unclear,” he outlined, “our latest data has shown that 2 thirds (66%) of consumers in the UK cannot tell if a QR code is malicious or not.”
Because the app is based on the Apple and Google created, & decentralised, exposure notification framework, with neither location data nor PII stored centrally, the risk is at least contained to the device itself.
Risk for Breaches
Trustonic CTO, Jason Hart explained, “this app does not increase your risk for breaches from what already exists by owning a mobile phone.” By installing the NHS app, users are not compounding or enhancing the risk of data leakage.
Simeon Quarrie, Founder & CEO at VIVIDA, says that as the app only gathers 1st names & the 1st half of a postcode, doesn’t track location via GPS, & Bluetooth proximity to other devices & QR locations are only stored for 21 days, “this data alone will probably not be of much use to a cyber-criminal.”
This is not equivalent to being risk-free. “The app itself is opening doors to other attack vectors,” Quarrie warned, “smishing is 1 example, I have received text messages asking me to download the app but have been sensible enough to ignore them.”
Regarding Dark Web cyber-crime forums for vulnerability & attack campaign data focussing on the NHS app. The news from research & threat intelligence experts is there is no evidence of malevolent chatter.
Morgan Wright did add that he “wouldn’t expect to see any detectable activity unless & until a significant source of valuable data is established.” It appears criminals regard it as a low-value opportunity. Matt Hancock can be reassured at least for now!
Rahim Jina, COO & Co-Founder of Edgescan, says there is “evidence & some investigative research” to suggest that “COVID-related domains are being snapped up, likely with the intention of using them in forthcoming phishing scams”.
According to Hart, this is why you have to start thinking like a cyber-criminal when it comes to assessing risk. “A potential angle for a threat actor is to conduct ‘smishing’ or phishing attacks on the British public, claiming to be the NHS app & that they found a positive result,” he comments, “prompting the user to click on a malicious link to lead them to a cloned app, or a fake NHS website.”
Fear & Paranoia
Such unsophisticated attacks can be highly successful when they use the fear & paranoia of a global pandemic.
Okta researched more than 2,000 UK consumers into their thoughts about contact tracing app data, & found that 60% were comfortable providing location data, if it helped stem the disease’s spread. “From our findings,” Okta Chief Security Officer Ben King says, “Brits are more willing than their European counterparts to do this.” This trust mustn’t be abused, or that willingness could just as quickly evaporate.
“Risk versus benefit is always a trade-off,” Kings suggested, “there is never Zero risk. This particular implementation is well researched, understood, & documented.” That conclusion is typical of the overall feeling of the cyber-security industry.
Good enough – getting better
According to Peter Yapp, a former Deputy Director of the National Cyber Security Centre & a partner at specialist cyber law firm Schillings.
“The v. best security minds have been working on this app since the summer & have concluded that the app is good enough for release. The importance of its release, uptake & use far outweighs any lingering concerns over security which I am confident will be addressed over the coming weeks & months,” Yapp says,
“Details have been published on Github & the National Cyber Security Centre is actively encouraging security researchers to report any security issues (anonymously if needed) to their Hacker One Vulnerability Disclosure Programme.”
Staff Key Advice:-
How is the NHS Covid-19 app cyber-secure?
Share This Post
More To Explore
The Instagram photo-sharing app retained people’s photos & private direct messages on its servers even after users removed them. Instagram kept copies of deleted pictures
UK SME’s are said to be at risk of 65,000 cyber-security attacks every day, & circa 4,500 of these are successful, but the figure could
Hospitals nationwide in the US are this week dealing with the fallout from an outage, connected to a potential ransomware attack against one of the