Two cybersecurity researchers have identified seven security flaws in the UK government's COVID-19 contact-tracing app. The app is currently being trialed on the Isle of Wight before being rolled out to the rest of the UK population. The researchers recommend that the app switch from using a centralized approach, which pools user data in a central server, to a decentralized approach. Visit Business Insider's homepage for more stories.
The UK government's contact-tracing app has got a number of serious security flaws according to cybersecurity experts who analyzed its source code. A report by two cybersecurity experts, Dr Chris Culnane and Vanessa Teague, was published on Tuesday. They identified seven security risks around the app, which is currently being trialled on the Isle of Wight and is supposed to be rolled out to the rest of the UK in the next week or two. The way it works is once you download the app, your phone gets assigned a random number ID that changes every day. It then sends out Bluetooth signals, and if it recognises another phone with the app downloaded, it makes a note of that phones ID number in a log. If a user reports themselves as having symptoms, their phone sends a notification to every other phone it has saved in that log over the past two weeks. The vulnerabilities include one which could allow hackers to intercept notifications and either block them or send out bogus ones telling people they've come into contact with someone carrying COVID-19. The researchers also noted that unencrypted data stored on users' handsets could feasibly be accessed by law enforcement. Although the UK government has insisted the data would be used for nothing other than its COVID-19 response, a group of 177 cybersecurity experts have already called on it to introduce safeguards protecting the data from being repurposed for surveillance.
In building its app, the UK decided to reject the customized contact-tracing API (application program interface) put out by Apple and Google. This is because Apple and Google require anyone using their API to build a "decentralized" app, meaning all data processing would stay local to the users' handset. The UK decided to opt for a centralized approach, drawing user data into a central server so it could more easily analyze the data it pulls in. This has already thrown up data protection concerns, as well as worries that it may impede the functionality of the app on iPhones. In their report Culnane and Teague say a decentralized app would be better. "The huge advantage of the Google/Apple decentralized API is that there's no central database that retains information about every infected person's contacts," Teague told Business Insider. There is a possibility that a Google/Apple NHS app could emerge, as the Financial Times reported earlier this month the government was quietly working on a second app using the tech giants' API. They also highlight that while both the NHS and the Google/Apple API use rotating random ID codes to protect users' privacy, the NHS app only switches up the numbers once per day, while the Google/Apple API does so every 15 minutes. The UK vs. Silicon Valley Privacy researcher Samuel Woodhams told Business Insider the report shows the UK's decision to build a centralized app needs a "substantial rethink." "As the report shows, the current approach considerably increases the risk that sensitive data collected by the app will be exposed or manipulated. By only generating a random ID code once a day, the risks of identifying an individual are dramatically increased. This could have significant repercussions for users' privacy and lead to serious real-world consequences," Woodhams said. "Recent developments have once again shown that the UK's approach is lagging behind the more privacy-friendly and probably more effective approach taken by Apple and Google," he added. The report was shared with Britain's cybersecurity center NCSC prior to publication, and Teague said NCSC has already committed to fix some of the bugs identified, but others (like the 24 hour ID rotation) it had only committed to "review." NCSC director Ian Levy publicly thanked the researchers for their work in a blog post. "In future versions, the team are going to try to publish a summary of the backlog of issues, so people can see what we know about, but haven't had time to fix yet. The app is a work in progress, and future versions will have all these issues fixed," Levy writes. For the contact-tracing app to be effective, it needs to be adopted by roughly 56% of the UK's population, epidemiologists have told the NHS. The researchers note that to do this the public need to feel like they can trust the app. "The messaging around the app, and in particular suggestions of broadening the data collected, combined with insufficient legislative protections, a lack of siloing of the data, and no sunsetting of the data retention or usage, risk undermining the trust that has been earned," they conclude.SEE ALSO: The UK accidentally left secret plans for its COVID-19 contact-tracing app on an open Google Drive Join the conversation about this story » NOW WATCH: Why electric planes haven't taken off yet
More like this (3)
A Latvian civil servant on the Apple/Google contact tracing platform: why should they decide what we can do?
How the government came to scrap its contact-tracing app in favour of Apple and Google’sCoronavirus –...How the government came to scrap its contact-tracing app in favour of Apple and Google’sCoronavirus – latest updatesSee all our coronavirus coverageDesigned to be a key component of the test, track and trace programme to forge a way out of lockdown, the NHS Covid-19 app has been beset by problems from day one – despite repeated claims to the contrary.After a trial on the Isle of Wight at the start of May, the contact-tracing app was meant to be rolled out to the rest of England by the middle of the month. That soon slipped to some time in June. Then on Wednesday it emerged that we would have to wait until the winter. Now – after much behind-the-scenes scrambling, and head-scratching in Westminster – officials have decided to ditch the app entirely in its current form. Continue reading...
Government will switch to contact-tracing model preferred by tech giants in latest embarrassing U-turnCoronavirus – latest...Government will switch to contact-tracing model preferred by tech giants in latest embarrassing U-turnCoronavirus – latest updatesSee all our coronavirus coverageThe NHS has abandoned a near three month attempt to build a centralised coronavirus contact-tracing app and will instead switch to the model preferred by the technology firms Apple and Google.The embarrassing U-turn comes after officials concluded it was technically impossible to create an effective app that did not conform to the Google and Apple model, but that a straight switch to their model would not solve all the problems. Continue reading...