Luke Potter, Senior Director of Cybersecurity at SureCloud, looks at the UK Government’s Track and Trace app from a cyber and privacy perspective to understand the concerns raised.
Please note, this blog was written prior to the British Government announcing the switch from the NHS app to using Apple and Google’s model on the 19th of June 2020.
As governments around the world work to respond to the challenges of the COVID-19 outbreak, technology firms globally have been developing new technology solutions, including digital contact tracing via mobile apps to help in the fight against the pandemic.
More than 30 countries are building tracing apps, and the UK is no different. Its tracing software – the NHS Covid-19 app – has been trialled on the Isle of Wight since May 7th and is expected to be rolled out to the rest of the UK later this month.
Countries such as South Korea have successfully employed digital contact tracing technology taking it from one of the worst hit countries outside of China, to having the outbreak effectively under control by using its three guiding principles: test, trace and contain. Yet the UK NHS app has already raised some security concerns and doubts over its effectiveness.
Back in May, Senior NHS sources revealed that the app had actually failed all of the tests required for inclusion in the NHS app library, including cyber security, performance and clinical safety. This was attributed to the fact that the app was in the early development stages. The source described the app as “a bit wobbly” but added that it was not a “big disaster.”
Even NHSX themselves aren’t exactly convinced. Giving evidence to parliament’s Joint Committee on Human Rights last week, the head of the unit developing the app warned of “unintended consequences.” Matthew Gould, chief executive of NHSX, said officials do not know “exactly how it will work.”
This rhetoric doesn’t seem to have gained the support of the general public. In fact, a recent survey of 1,000 U.K. citizens revealed that nearly half of the public surveyed about the NHSX COVID-19 tracing app do not trust the UK government to keep their information safe from hackers. And over a third of respondents are concerned that the app might allow the government to collect their data.
The problem is that for the app to be effective in containing the spread of COVID-19 after lockdown is eased, at least 60% of the UK public need to download it. Since downloading the app isn’t compulsory, the government needs to urgently address some of the main concerns surrounding the app to convince the population to part with their personal data.
The NHSX COVID-19 Track and Trace app uses a centralised database, rather than a decentralised app like in other countries. This central database will contain anonymised records of those reporting symptoms, as well as who their phone has come into contact with. Other countries, including Ireland, are using a decentralised model, where personal data is stored on devices rather than government databases.
Privacy campaign groups have raised concerns that this centralised database model could be extended to monitor individuals’ movements and contacts. It’s also impossible to ignore the fact that a large database containing the general public’s personal information will be a prime target for hackers with malicious intents.
In May, a security flaw in Qatar’s coronavirus contact-tracing app put the sensitive personal details of more than a million people at risk, according to an investigation by Amnesty International. Hackers gained access to highly sensitive personal information, including names, national ID, health status and location data of users.
In order to gain the trust and support of the public, the government needs to issue concrete assurances about the security of the data stored and how it will be used, for example by issuing a “sunset clause” agreeing to delete all data collected once the country returns to normal.
Please note: On the 19th June the UK Government announced they will be switching to the Google and Apple model.
The UK is thought to be the only country in the world, allowing people to self-report symptoms, rather than using COVID-19 test results. In other nations, such as Australia, positive tests are confirmed by officials before those who have come into contact with sufferers are alerted.
Self-diagnosis of symptoms opens up a wealth of security challenges since app users reporting symptoms maliciously are indistinguishable from legitimate users. Dr Michael Veale, a lecturer in digital rights and regulation at University College London, has said that the tracing app has nothing to stop individuals maliciously triggering notifications using its normal functionality.
A malicious user could, for example, deliberately put others into quarantine or report large areas by creating fake but realistic-looking proximity events for everyone in the area and then report themselves as sick, or a child could try to get a day off school by reporting symptoms from a parent’s phone to trigger a quarantine.
The only way to prevent malicious misuse of symptom reporting would be to introduce verification measures before an alert is triggered.
At the moment, there is no clear guidance from the NHS on where to download the app or what a legitimate alert looks like. The public is therefore likely to be faced with floods of emails with bogus links to convincing looking domains offering a fake app download.
This is more than just speculation. In India, cybersecurity experts found fake versions of the government’s contact tracing app, Aarogya Setu, carrying spyware capable of making phone calls, recording audio, sending texts, taking pictures and recording videos from the camera.
Several public health directors have called for all forms of communication from contact tracers to involve two-step verification to eradicate the risk of scammers gaining confidential information. Awareness campaigns which educate the general public about where to download the app and what a legitimate alert looks like would also greatly reduce the chances of scam apps and alerts being successful.
Finally, digital contact tracing apps operate using Bluetooth technology. Bluetooth has had several vulnerabilities in the past, including as recently as February, when a critical vulnerability named BlueFrag affected multiple Android and Apple iOS devices.
Bluetooth is less widely used in app technology, and developers might have less experience with Bluetooth compared to online platforms, potentially leading them to overlook certain elements that might result in a bug or vulnerability. To gain public trust, there is a need for government assurance that the app will be regularly tested for vulnerabilities and that patches will be swiftly released to plug potential holes.
Contact tracing technology is not new – it’s been around and has served as an effective way to contain public health pandemics, such as HIV, for decades. The COVID-19 pandemic is no exception, and other countries around the world have already proven the effectiveness of track and trace apps in the fight against the outbreak.
For the app to be successful in the UK, it needs to gain the support of the public. Before this can happen, government cybersecurity experts need to issue solid assurances that public data is safe, Bluetooth technology is secure, and clearly educate users about the app to prevent people accidentally downloading fake apps or being scammed by fake alerts.
Check out our fireside virtual conversation on how to ‘Secure Your Cyber Baseline For The New Normal’ with Ian Glover (CREST) and our Risk Advisory Practice Director.
Luke Potter oversees SureCloud Cybersecurity Solutions. He also manages our Secure Private Cloud. Luke is a recognized cybersecurity expert. He is a CHECK team leader, Tiger Scheme senior security tester, ISO 27001 lead auditor and Microsoft Certified enterprise administrator. Previously, Luke managed the IT team at a large UK insurance brokerage.
Luke, featured on BBC One’s The One Show on Wednesday 10th June, helping demonstrate just how easy it can be for scammers and criminals to make spoof calls pretending to be from the NHS.
SureCloud provides Gartner recognized GRC software and Cyber & Risk Advisory services. Whether buying products or services, your organization will benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products, enabling seamless integration of information, taking your risk programs to the next level.