As Predicted – NHS Track and Trace Leaves Personal Data Vulnerable
10-05-2021 | By Robin Mitchell
Recently, an ex GCHQ employee warned the public against using public Wi-Fi networks with the NHS track and trace app. So how does track and trace work, what problems have been discovered with the technology, and why is it a bad idea?
How does track and trace work?
Trying to stop the spread of COVID around the world has been a challenge for all nations. Some nations, such as New Zealand, have been privileged with being an island nation that can completely shut their borders. Other nations, such as the UK, are not as fortunate with a much larger population and increased importance worldwide.
The use of lockdowns has helped to reduce the spread of the virus. Still, no amount of lockdowns will prevent the virus from eventually reaching every single individual in a population. An alternative to lockdown is using a tracking system that can determine which individuals in a population have been in close contact and have those individuals self-isolate if either is found to carry the COVID-19 virus.
This idea has gained popularity around the world, and the result has been many governments issuing track and trace apps to their populations. Smartphones make the ideal device to run such tracking systems as they are regularly carried by the public, contain a wide range of peripherals to enable tracking systems, and generally have an internet connection to submit data.
A basic tracking app works by sending out a Bluetooth message containing a unique ID, and any nearby device that detects this message will respond to that message with its own unique ID. Both devices store each other’s unique ID, and this can be either stored locally on the phone (decentralised), or submitted to a central server (centralised).
If any user on the network becomes infected with COVID, they can inform their app that they are ill, and this will send out a public message to all devices that their unique ID is infected. All devices check this ID with the IDs they have stored, and if a match is found, the device tells the user to self-isolate.
Vulnerabilities Found with NHS Track and Trace
Recently, Peter Yapp (former deputy director GCHQ National Cyber Security Centre), made a statement published by The Telegraph that users of the NHS track and trace app should refrain from using public Wi-Fi networks, especially when abroad. According to Peter Yapp, the use of public networks can leave devices vulnerable to man-in-the-middle attacks as well as spoofing. A hacker could create a public Wi-Fi that takes the appearance of an authentic network, but can either record all data going through it, or pretend to host services (such as spoofing an NHS server).
If an attacker can get login details from apps such as the NHS track and trace, not only can the attackers obtain confidential information on the user, but use the unique ID to determine where the user has been. Furthermore, recognising that a user is using a track and trace app can lead to a social engineering attack whereby the hacker pretends to be an NHS employee and informs the user that they may be infected (this could enable the hacker to convince the user for personal details).
However, the trouble with such track and trace apps doesn’t stop there, another report recently demonstrated that the technology used by the NHS (developed by Google), has a vulnerability. Specifically, exposure notifications and data is stored on the devices system log which, in theory, should not be accessible to standard apps. However, it turns out that many pre-installed apps have elevated permissions, and these apps are provided by Samsung, Huawei, and other mobile providers.
The elevated permissions allow these apps to access the system log, and thereby accessing potentially private data including MAC address, device name, advertising ID, and location. To make matters worse, it is currently unknown if other apps (such as Facebook) can access this data. As a result, engineers are trying to identify how to fix the situation.
Why is track and tracing a bad idea?
One topic that has repeatedly been in the news for the past year is the importance of security and privacy. Electronics has undergone major changes thanks to the ever-growing number of applications for electronics such as IoT and smart homes. However, the capability of these devices continues to grow, and the data they can store is becoming evermore private in nature.
The increase in private data collection and abuse could see pushback from both those in the industry and consumers who want to have more control over their data. For example, users should choose if an app can access location data or not regardless of whether the app requires it.
The use of track and tracing systems goes completely against the concept of user privacy, and while some claim the use of unique IDs that are not linked to personal details protects users, this is far from the truth. Even if it is just meaningless numbers and characters, a unique ID is still linked to a device that is linked to a user. For example, a hacker sitting on a bus who only sees one other passenger will instantly know their unique ID when the two devices exchange IDs. A quick photo of the users face will allow the hacker to search the internet for their social media accounts, and once found, the ID is linked to a person. From there, the hacker can follow the unique ID to track the user’s movements.
Overall, devices that track users are prone to abuse from both government and undesirables, and trying to encourage users to use such apps without providing full context regarding security is dangerous.
Read More