For those concerned with tracking their health and the health of those around them during the COVID-19 pandemic, many states sponsor contact tracing apps for mobile devices. The idea is to use the phone’s short-range wireless capability, called Bluetooth, to communicate with other devices in close proximity. The devices that are close enough to communicate will exchange information about their phones.
The idea is, when someone finds they are positive, they update their information in the app. The data gets uploaded to the government database. The application alerts all of the devices that were in contact with the one who tested positive, warning those contacted to get tested.
The idea sounds great, but are there any drawbacks? The short answer is: There are plenty of drawbacks! The concept and implementation are fraught with vulnerabilities.
Just recently the Pennsylvania Department of Health announced a breach of personal health information of 72,000 people who were using the state’s contact tracing app. Information that was breached included: names, phone numbers, emails, age, sexual orientation, and COVID diagnosis. Hackers can use this information for social engineering attacks, as well as hacking into the victims’ accounts.
The state was using a third-party company, Insight Global, to manage the contact tracing. Employees of Insight Global were sharing data with one another through their unsecure Google accounts instead of the company-provided secure systems. Here’s one drawback: Once you’ve provided your information, you do not know who is handling it, how they are handling it, and what they are going to do with that information.
Why would the employees need to share information over Google? Why would the company let the data out of its secure environment? What is the government doing with the information? Are they linking this information with any other databases? How long are they storing the data and where? These are all questions that go unanswered when signing up for the app.
Currently, organizations around the country are using literally hundreds of different contact tracing apps. There is no standard, and there are no checks and balances on the security of the individual applications. A recent review by researchers showed 72% of the apps had insecure encryption and 75% of the apps included trackers. Additionally, 55% of the apps stored sensitive information in clear text (not encrypted). These are serious security issues.
On Android, most of the apps store the tracing app data in a common log file. The log files are then uploaded to the server by the app. The problem with this is that any pre-loaded application on the phone has access to that log file and can upload all that information. Such an application could pull up the data either by accident or on purpose. Either way, a breach has occurred, and you are exposed.
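The sketch below is an added example, not code from the article or from any tracing app. It shows how a developer or auditor could check a log dump for the identifiers phones exchange over Bluetooth and redact them before they reach a shared log. The log layout, the `TracingApp` tag, and the assumption that an identifier is 16 random bytes written as 32 hex characters are all constructed for illustration.

```python
import re

# Assumption: a proximity identifier is 16 random bytes logged as 32 hex chars.
RPI_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Bluetooth device address: six colon-separated hex octets.
MAC_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}\b")

# Constructed sample lines in a logcat-like layout (not captured from a real app).
SAMPLE_LOG = """\
05-01 10:15:02.114  1423  1501 I TracingApp: scan started
05-01 10:15:03.207  1423  1501 D TracingApp: heard rpi=9f3c1a7be04d42d88a6b5c0e17f2a943 from 4A:1B:22:9C:0D:7E rssi=-61
05-01 10:15:04.930  1423  1501 D TracingApp: advertising rpi=02b7d6e1c85f4a3390ab14ce6d7f8e21
05-01 10:15:05.001  2210  2210 I OtherApp: cache key 1f4e (unrelated)
05-01 10:15:09.412  1423  1501 I TracingApp: upload queued, 2 records
"""

def find_leaks(log_text):
    """Return (line_number, kind, value) for every identifier found in the log."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for kind, pattern in (("proximity_id", RPI_RE), ("bt_address", MAC_RE)):
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
    return findings

def redact(log_text):
    """Return the log with identifiers replaced by fixed placeholders."""
    text = RPI_RE.sub("<proximity-id>", log_text)
    return MAC_RE.sub("<bt-address>", text)

if __name__ == "__main__":
    for lineno, kind, value in find_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {value}")
    print(redact(SAMPLE_LOG))
```

Running `find_leaks` over a build's debug output before release is a cheap regression check; the `redact` step belongs in the app's logging wrapper so identifiers never reach storage that other applications can read.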
The next problem has to do with the fact that your phone’s Bluetooth capability is interacting with any and all other Bluetooth devices it comes near. They call this exchanging “rolling proximity identifiers.” Your phone is basically syncing up, or almost pairing, with any strange device in town. Not only are you now wide open to every Bluetooth vulnerability, but you are exposing your data to any hackers who may integrate these apps with malware to scrape your data.
To quote Professor Tom, “That is absolutely terrifying.” We recommend turning off your Bluetooth when it is not actively in use, but with this app, it is not possible to turn off the Bluetooth function.
If given the chance to download and use a contact tracing application, weigh your unknown COVID risk against the known high risk of exposing your personal and health information.
