EFF: Google, Apple’s Contact-Tracing System Open to Cyberattacks


Malicious actors could potentially harvest data over the air and use it to shake confidence in the public-health system, EFF says.

Privacy advocates are urging developers to proceed with caution as they use technology released by Apple and Google to build COVID-19 contact-tracing apps — and are warning against the potential for cybercriminal use.

On the latter point, the system is meant to help people know if they have come into contact with someone with the novel coronavirus. But the Electronic Frontier Foundation (EFF) warned that as it stands now, there’s no way to verify that the device sending the contact-tracing information out is actually the one that generated it. Thus, malicious actors could potentially harvest the data over the air and then rebroadcast it, undermining the system entirely, researchers said.

Threatpost has reached out to Apple and Google for comment on the security concerns and will update this post with any response.

EFF also reiterated its privacy concerns, and said that to protect the integrity of people using the apps, the program must “sunset” once the COVID-19 crisis is over, lest the technology be used to infringe upon personal privacy going forward without just cause.

“The apps built on top of Apple and Google’s new system will not be a ‘magic bullet’ techno-solution to the current state of shelter-in-place,” EFF staff technologist Bennett Cyphers and director of research Gennie Gebhart said, in a post on Tuesday on the organization’s blog. “Their effectiveness will rely on numerous tradeoffs and sufficient trust for widespread public adoption. Insufficient privacy protections will reduce that trust and thus undermine the apps’ efficacy.”

Apple and Google’s Contact-Tracing System

The EFF’s advice comes on the heels of an unprecedented step by Apple and Google to team up so that developers can build contact-tracing apps that will work across both platforms.

The plan hinges on the use of decentralized Bluetooth technology in smartphones. Any Android or iOS user who has opted in is assigned an anonymous identifier beacon, which will be transmitted to other nearby devices via Bluetooth. This is similar to a Bluetooth signal tracing technique used by Singapore in a coronavirus tracking app called TraceTogether, rolled out in March.

When two people who have opted into the contact tracing are in close contact for a certain period of time, their phones will exchange their anonymous identifier beacons, otherwise known as rolling proximity identifiers (RPIDs). If one of the two is later diagnosed with the coronavirus, that infected person can enter the test result into an app, such as a compatible app from a public health authority.

Then, the infected person can consent to uploading the last 14 days of his or her broadcast beacons to the cloud. Any other person who has been in close proximity to someone infected will then be notified via the phone that an exposure to someone who has tested positive for coronavirus took place.

Security and Privacy Worries

A top security issue at this point, according to the EFF, is that there is currently no way to verify that the device sending an RPID is actually the one that generated it, so trolls could collect RPIDs from others and rebroadcast them as their own.

“Imagine a network of Bluetooth beacons set up on busy street corners that rebroadcast all the RPIDs they observe,” Cyphers and Gebhart wrote. “Anyone who passes by a ‘bad’ beacon would log the RPIDs of everyone else who was near any one of the beacons. This would lead to a lot of false positives, which might undermine public trust in proximity-tracing apps—or worse, in the public-health system as a whole.”

Another concern about the proximity-tracking system proposed by Apple and Google is that it “leaves open the possibility that the contacts of an infected person will figure out which of the people they encountered is infected.” This poses a security risk, Cyphers and Gebhart said.

“Taken to an extreme, bad actors could collect RPIDs en masse, connect them to identities using face recognition or other tech, and create a database of who’s infected,” they wrote.

The plan to have infected users publicly share their once-per-day diagnosis keys – instead of just their every-few-minute RPIDs – also could expose people to what are called linkage attacks, according to the EFF.

“A well-resourced adversary could collect RPIDs from many different places at once by setting up static Bluetooth beacons in public places, or by convincing thousands of users to install an app,” according to the post. “With just the RPIDs, the tracker has no way of linking its observations together…But once a user uploads their daily diagnosis keys to the public registry, the tracker can use them to link together all of that person’s RPIDs from a single day.”

Linking together multiple RPID pings could expose users’ daily routines, such as where they live and work, leaving this information open to exploitation, Cyphers and Gebhart wrote.
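To make the matching and linkage properties described above concrete, here is an added example (not code from Apple, Google or the EFF) of a simplified model of the scheme. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the specification's real derivation, and the 144 intervals per day, the function names and the sample keys are constructed for illustration.

```python
import hashlib
import hmac

INTERVALS_PER_DAY = 144  # assumption: one RPID per 10-minute interval


def derive_rpids(daily_key: bytes) -> list[bytes]:
    """Derive every RPID a device broadcasts in one day from its daily key."""
    # Simplified stand-in derivation, not the one in the real specification.
    return [
        hmac.new(daily_key, b"RPID" + i.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
        for i in range(INTERVALS_PER_DAY)
    ]


def match_exposures(heard: set[bytes], published_keys: list[bytes]) -> set[bytes]:
    """On-device check: which published diagnosis keys explain an RPID we logged?

    Only the RPID bytes are compared. Nothing ties an RPID to the radio that
    transmitted it, which is the verification gap the EFF describes.
    """
    return {k for k in published_keys if heard.intersection(derive_rpids(k))}


def link_sightings(sightings: list[tuple[str, bytes]], published_key: bytes) -> list[str]:
    """Return the places whose logged RPIDs all derive from one published key."""
    day = set(derive_rpids(published_key))
    return [place for place, rpid in sightings if rpid in day]


# Constructed sample data: two users with fixed, made-up daily keys.
alice_key, bob_key = bytes(range(16)), bytes(range(16, 32))
alice, bob = derive_rpids(alice_key), derive_rpids(bob_key)

# A phone that heard Alice directly and one that only received a copy of the
# same bytes from another transmitter end up with identical log entries.
heard_directly = {alice[10]}
heard_rebroadcast = {bytes(alice[10])}

# A log kept by fixed receivers: unrelated-looking 16-byte values until a
# diagnosis key is published, after which one user's entries link together.
sightings = [("home", alice[3]), ("cafe", bob[40]), ("office", alice[60])]
```

Because the matching step sees only bytes, sender verification or location binding would have to be added at the protocol level; the receiving app cannot recover it afterwards.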

To avoid some of these security issues, EFF advised developers to respect the protocol on which they’re building and not try to centralize the decentralized model that Apple and Google have presented – which keeps users’ data on their devices. Centralizing it could expose people to more risk, researchers said.

“Also, developers shouldn’t share any data over the internet beyond what is absolutely necessary: Just uploading diagnosis keys when an infected user chooses to do so,” they wrote.

Developers also should be transparent with their users about what data the app is collecting and how to stop that collection if users so wish, allow them to access the list of RPIDs they’ve received, and provide deletion capability for that contact history, Cyphers and Gebhart wrote.

“The whole system depends on trust,” they said. “If users don’t trust that an app is working in their best interests, they will not use it. So developers need to be as transparent as possible about how their apps work and what risks are involved.”

The EFF is not alone in its concerns.

“The COVID-19 contact tracing applications are made with the best intentions during an unprecedented time, but like most applications that collect users’ geographic locations and PII, they have the potential to be manipulated into malicious tracking devices,” Erez Yalon, director of security research at Checkmarx, said via email. “While speed is critical in rolling out these tracing applications, a quick-to-market process might lower the focus on security and privacy, creating more issues than solutions for end users.”

He added, “It’s imperative that before these applications are rolled out, the design will be security-centric involving threat modeling methodologies and code reviews that are conducted either manually by professionals or automatically by application security testing and software composition analysis tools. Post-release, developers must constantly test the applications for security vulnerabilities and be on high alert to deploy patches as needed to safeguard users. Given the potential data that is monitored by these applications, they’re likely to be front and center on adversaries’ target lists.”
