Bangalore, April 23 2020: The Indian government is aggressively promoting its Covid-19 tracking app, Aarogya Setu. The Singapore government is extending its circuit breaker for another month, ending on June 1st, instead of May 4th as originally planned.
Both are Bluetooth enabled contact tracing applications developed by the respective governments.
Here is a link to our earlier story reporting on the record breaking downloads of Aarogy Setu as well as the concerns expressed by the Bangalore-headquartered Internet Freedom Foundation .
Here is a link to our story reporting on similar apps in South East Asia
What are the privacy and security concerns when it comes to Bluetooth enabled apps like this? What should people keep in mind when using these tracing apps?
Niels Schweisshelm, Technical Program Manager, HackerOne
The entire attack surface of these contact tracing applications has to be properly investigated. This should include static source code reviews as well as dynamic application testing to discover any vulnerabilities in e.g. the Web API’s. Ideally this would be done by multiple parties to ensure a baseline level of security using a crowd-sourced approach.
The potential privacy concerns surrounding these contact tracing solutions should remind governments developing them that the security community will scrutinise these apps more than any app in recent years.
Android recently released a patch for a critical vulnerability related to the implementation of the BT protocol. This vulnerability allowed an attacker to remotely take over specific Android devices without any required user interaction from the victim (Sweyntooth,CVE-2020-0022). This vulnerability was responsibly disclosed to the vendors and therefore not exploited by malicious threat actors. This does however demonstrate that the protocol and its implementation used by these contact tracing apps up until recently suffered from a critical vulnerability.
Joshua Berry, Associate Principal Security Consultant at Synopsys Software Integrity Group
Contact tracing applications use Bluetooth Low Energy (BLE) advertisements to send and collect messages to identify contacts made with other users. In general, the reception of messages can present an opportunity for an attacker to send malformed data that could be mishandled by devices and applications. This is one way that a device could be compromised. However, in the case of a contact tracking app, the message content sent to devices over BLE contains data that is intended to be passively collected and stored by the mobile application. A mobile application that only performs this basic functionality would not alone present sufficient functionality for an attacker to be able to exploit to gain control over a mobile device. An attacker could attempt to overload a user's device with BLE messages that appear to the mobile device as sufficiently valid to store which could cause the application to not function as desired or to later receive false positive contact notifications.
The larger concern that I have regarding the use of such applications is with regard to privacy. If someone does not feel comfortable with a positive diagnosis being known publicly, they should understand that these applications could expose some details about when and where they have been in the recent past with other users of the system. Even if a contact tracing application does not collect and share GPS location data, this data could be shared with other people as part of the contact tracing process. If governments would like for people to opt into such applications, they should address these concerns. They should consider making it clear what is collected, where it is stored, and use mobile application features to enforce these limits. For example, if GPS location is optional and a user chooses to opt out of collecting or sharing these details, the application should not require access to the mobile platform's location services.
Samantha Isabelle Beaumont, Senior Security Consultant, Synopsys Software Integrity Group
Tracing applications that allow attackers to access a user’s Bluetooth also allows them to fully read all Bluetooth communications. This includes items in the user’s car, music they listen to, household IoT devices, and more. Users can protect themselves by limiting the number of applications they download, by limiting the number of Bluetooth items they pair, by limiting the number of Bluetooth items they keep as whitelisted, known devices, and by limiting the amount of information they are transferring over mechanisms such as Bluetooth.
When it comes to downloading and using contact tracing apps like these, here are some of the questions users should ask:
- What level of access are they requesting?
- What are they tracing?
- For what reason?
- Where are they storing the data?
- What data will they use for third-party sales?
- How long would they keep the data stored?