Numerous security breaches have been reported in the Covid-19 contact search application while flying on the Isle of Wight.
The security researchers involved warned that the problems posed risks to the privacy of users and could be abused to prevent the sending of contagion alerts.
The National Cyber Security Center (NCSC) of GCHQ told the BBC that it is already aware of most of the issues raised and is in the process of resolving them.
But the researchers suggest that more fundamental thinking is needed.
Specifically, they are calling for new legal protections to prevent officials from using the data for purposes other than identifying those at risk of being infected or keeping them indefinitely.
In addition, they suggest that the NHS plans to move from its current “centralized” model – where contact matching occurs on a computer server – to a “decentralized” version – where correspondence occurs instead on phones. people.
“There can always be bugs and security holes in decentralized or centralized models,” said Thinking Cybersecurity general manager Dr. Vanessa Teague.
“But the big difference is that a decentralized solution would not have a central server with recent face-to-face contacts for each infected person.
“So there is a much lower risk of this database being leaked or misused. “
Health Secretary Matt Hancock said on Monday that new law “is not necessary because data protection law will do the trick.”
And NHSX – the health service’s digital innovation unit – said using the centralized model would facilitate improvement of the app over time and trigger alerts based on people’s self-diagnosed symptoms rather only on medical test results alone.
The researchers detail seven different problems they found with the app.
- weaknesses in the registration process that could allow attackers to steal encryption keys, which could prevent users from being notified if a contact is positive for Covid-19 and / or generate fraudulent transmissions to create false contact event logs
- store unencrypted data on handsets that can be used by law enforcement to determine when two or more people have met
- generate a new random identification code for users once a day rather than once every 15 minutes as is the case in a rival model developed by Google and Apple. The longer gap theoretically allows you to determine if a user has an affair with a co-worker or meets someone after work, it is suggested
“Overall, the risks are varied,” Dr Chris Culnane, the report’s second author, told the BBC News.
“As far as registration issues are concerned, the risk is quite low as it would require an attack on a well-protected server, which we believe is not particularly likely.
“But the risk of unencrypted data is higher, because if someone had to have access to your phone, then they might be able to learn additional information because of what is stored there. “
NCSC technical director Ian Levy blogged thanking the two researchers for their work and promising to resolve the problems they had identified.
But he said it could take multiple versions of the app before all the issues are resolved.
“Everything that is reported to the team will be properly sorted (although it will take longer than normal),” he wrote.
An NCSC spokesperson said, “It was always hoped that measures such as publishing the code and explaining the decisions behind the application would generate constructive discussions with the security and privacy community.
“We look forward to continuing to work with security and cryptography researchers to make the application the best it can be. “
But Dr. Culnane said politicians also need to reconsider the issue.
“I am sure they will solve the technical problems,” he said.
“But there are wider problems regarding the lack of legislation protecting the use of this data [including the fact] there is no strict limit on when the data should be deleted.
“This contrasts with Australia, which has very strict limits on the deletion of its application data at the end of the crisis. “
Meanwhile, Harriet Harman, who chairs Parliament’s human rights committee, announced that she is seeking permission to introduce a private member’s bill to limit who could use the data collected by the app. and how and how to create a watchdog to deal with related public complaints.
“Personally, I would download the app myself, although I have concerns about the use of the data,” the Labor MP told BBC News.
“But the point of view of my commission was that this app should not [the government] is willing to put in place privacy protections. “