Researchers flag concern around implementation of contact tracing apps, citing possibilities of device traceability, personal data compromise, app traffic interception, and fake health reports
· GPS can give away sensitive information, revealing users’ travels and locations over the previous few days or weeks
· Bluetooth Low Energy (BLE) can be used to track a person’s device
· In order to preserve user anonymity, no personal identifiers (phone number, name, IDs, etc.) should be associated with the application at any time
Security researchers at Check Point are closely examining contact tracing apps. After an initial review, they have flagged a number of concerns over how contact tracing applications are implemented. Researchers outlined four concerns:
1. Devices can be traced. As some contact tracing applications rely on Bluetooth Low Energy (BLE), devices broadcast handshake packets that facilitate identification of contact with other devices. If this is not implemented correctly, hackers can trace a person’s device by correlating devices with their respective identification packets.
2. Personal data can be compromised. Naturally, applications store contact logs, encryption keys and other sensitive data on devices. Sensitive data should be encrypted and stored in the application sandbox, not in shared locations. Even within the sandbox, an attacker who gains root privileges or physical access to the device could compromise the data, all the more so if sensitive information such as GPS locations is stored.
3. Interception of an application’s traffic. Users can be susceptible to “man-in-the-middle” attacks and the interception of the application's traffic if all communications with the application backend server are not properly encrypted.
4. Flooding of fake health reports is possible. Researchers say it is important that contact tracing applications perform authentication when information is submitted to their servers, such as when a user posts their diagnosis and contact logs. Without proper authorization in place, it could be possible to flood the servers with fake health reports, undermining the reliability of the whole system.
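To illustrate concern 1, here is an added example (not code from Check Point or from any contact tracing app) contrasting a static BLE identifier with rolling identifiers derived from a per-device daily key. The rotation interval, identifier length and HMAC construction are assumptions chosen for the example; a passive observer can link every packet of the static scheme but none of the rolling ones, while a legitimate match remains possible once the key is voluntarily published.

```python
import hashlib
import hmac
import os
from typing import List, Set

# Assumed parameters (not from the page): one daily key per device,
# 10-minute rotation windows and 16-byte broadcast identifiers.
INTERVAL_SECONDS = 600
ID_LENGTH = 16


def daily_key() -> bytes:
    """Fresh random per-device key; it never leaves the device unless the user reports."""
    return os.urandom(32)


def interval_index(unix_time: int) -> int:
    """Number of the rotation window that contains unix_time."""
    return unix_time // INTERVAL_SECONDS


def rolling_id(key: bytes, index: int) -> bytes:
    """Identifier broadcast during one window: HMAC-SHA256(key, index), truncated."""
    return hmac.new(key, index.to_bytes(4, "big"), hashlib.sha256).digest()[:ID_LENGTH]


def broadcast_static(device_id: bytes, n: int) -> List[bytes]:
    """Weak scheme: the same identifier in every advertisement."""
    return [device_id] * n


def broadcast_rolling(key: bytes, start_time: int, n: int) -> List[bytes]:
    """Hardened scheme: a new identifier per window. The BLE MAC address must
    rotate at the same moment, otherwise the MAC itself links the packets."""
    start = interval_index(start_time)
    return [rolling_id(key, start + i) for i in range(n)]


def linkable(packets: List[bytes]) -> bool:
    """A passive observer can link packets only if a value repeats across windows."""
    return len(set(packets)) < len(packets)


def matches(key: bytes, observed: Set[bytes], start_time: int, n: int) -> bool:
    """Exposure check after a user publishes their key: re-derive and compare."""
    start = interval_index(start_time)
    return any(rolling_id(key, start + i) in observed for i in range(n))
```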
Check Point will continue researching contact tracing applications and their frameworks.
How to Stay Protected:
1. Download from official stores only. Install contact-tracing COVID-19 applications from official app stores, since they only allow authorized government agencies to publish such apps.
2. Use mobile security solutions. Download and install a mobile security solution to scan applications and protect the device against malware, as well as verify that the device has not been compromised.
Quote: Jonathan Shimonovich, Manager of Mobile Research:
“The jury is still out on how safe contact tracing apps are. After initial review, we have some serious concerns. Contact tracing apps must maintain a delicate balance between privacy and security, since poor implementation of security standards may put users’ data at risk. This comes down to questions on what data is collected, how it is stored and, ultimately, how it is distributed.”