The risks that threaten the success of track and trace apps

More than two months on from the start of the lockdown, there are signs of strain. As spring turns to summer and the heat begins to rise, thoughts have turned to going back outside.

Governments also want people to reclaim some small semblance of their former lives. Not least to get the economy moving again. But they, like individual citizens, know that the balance has to be right. The next phase of the pandemic has to be managed carefully to avoid another spike in the level of infection.

Many analysts see track and trace apps as a key component in achieving this goal. Politicians across the globe are putting their faith in them. But for these apps to work well, citizens also have to trust them.

Winning this trust could come to define the next stage of the pandemic. Because amidst a lingering air of uncertainty, a different kind of threat is lurking.

This one looks to exploit the security weaknesses of the track and trace apps that promise to bring us one step closer to the life we knew before.

Welcome to phase two

We spend so much time on our phones already that using them to navigate our way out of the pandemic makes quite a lot of sense when you think about it. Sure, we’ll have to make some privacy sacrifices along the way. But we already do that with all the other apps we use. Right?

Well, like we said in our previous piece on track and trace apps, governments have to work a bit harder to earn our trust. Rightly or wrongly, we’re often more sceptical about their intentions.

As David Mattin says, we accept the privacy trade-offs that brands promise us and have done for years.

Instagram distracts and entertains us. Amazon offers us convenience. The privacy trade-offs from governments around the world tends to be a tougher sell.

Their pitch to get you to download their track and trace apps goes something like this:

Sacrifice a little bit of your privacy so we can regain some of the freedoms we’ve lost.

How much privacy do you have to sacrifice? Well, that seems to depend on the system governments choose for their track and trace apps. In an interesting - if not slightly unsettling - development, Google and Facebook are dictating the terms. They’re telling governments how their apps should work. The tech giants’ preference is for a decentralized model. And one of the reasons for that is the theory that it makes it harder for hackers to track individual users.

But not every government agrees. Take the UK, for example. NHSX, who are building the UK’s track and trace apps, favor a more centralized model.

With this strategy, anonymized data for those who declare virus symptoms would be sent back to a central database. There’s no such database under the Google-Facebook model. But by having one, the UK government feels it would be able to keep some measure of control over its own app and data.

The UK approach does worry some analysts, though. They think such a system might lead to other surveillance measures being added over time. But while it’s true that a central database might make incursions by bad actors more likely, there’s potential for harmful attacks with both models.

This risk is heightened by the current climate of uncertainty. People are more trusting right now. And that means they’re more likely to open an email or SMS message they think is from an authoritative source.

But what if that message isn’t from who they think it is?

The threats facing covid-19 track and trace apps

The last few months have seen people relying on government guidance more than at any other time this century.

Bad actors are aware of this reality. They know that people are vulnerable at the moment. They know that many are desperate to return to how things were a few months ago.

And this knowledge has given them an opportunity. Earlier on in the pandemic, Google reported that they were blocking 18 million phishing emails each day related to Covid-19.

When track and trace apps are released across the globe, people will be invited to download them. But Google’s revelation about the growth in phishing emails hints at a potential problem. What if people receive a fake email from bad actors pretending to be a legitimate government body?

Phishing emails and texts are pretty sophisticated these days. Even in normal times it can often be difficult for people to tell the difference between the real deal and a fake. Never mind when people are already more anxious than usual.

In a phishing email related to a covid-19 tracking app, the recipient would be presented with a web page asking them for their personal details. More details than they’d need to provide for the actual app. Bad actors then collect this sensitive information and can use it for another attack in the future.

Hackers might also try to release fake track and trace apps in the hope that people download them by mistake. They would include a link to download them in the aforementioned bogus email or text message.

Simon Chandler, writing in Forbes, is one of many analysts predicting that SMS could become the go-to attack vector for bad actors. SMS phishing, or smishing, is on the rise. People are more trusting of messages that arrive at their phone, after all. So they’re more likely to open them.

There are also concerns about the potential dangers of using bluetooth as the main measurement gauge for track and trace apps. That’s because signals can be hijacked by hackers carrying out man-in-the middle attacks.

But not all the threats facing covid-19 track and trace apps target end user data. As we’ve said before, some hackers just want to add to the chaos by tampering with the apps. That could be changing someone’s status from green to red on China’s colour coded app. Or it could be a so-called “drive by” attack. That’s where someone beacons out as an infected person, forcing those they come into contact with to self isolate.

Analysts are reporting that for the apps to work, around 60% of the population will need to download them. But if attacks like the ones we’ve listed above were to happen, there would be a negative impact on people wanting to download them.

So, what can we do to reduce the risks?

Physical and digital vigilance

Most people are about as vigilant as they’ve ever been right now. They’re washing their hands more. They’re keeping their distance from others. They’re wearing face masks.

But people often let their guard down when they’re using their phones because it's a device they associate with their friends and family.

It might be that to keep bad actors at bay, people will have to become equally vigilant in digital spaces from now on as they are being in physical ones.

In defence of those designing and creating the track and trace apps, many are being as transparent as possible. Ian Levy, the Technical Director at the National CyberSecurity Center is leading the creation of the UK’s app. And as part of his role, he has been sharing updates and learnings as part of a regular blog.

He’s even acknowledged some weaknesses and risks in a recent post. This level of transparency will help to keep citizens as informed as possible in the next few months. It will also help to build trust with them.

But could government transparency go even further?

The Australian Federal Government is considering releasing the source code of its track and trace app. Releasing the source code builds trust too as people can check there’s no added surveillance that doesn’t need to be there. And it also involves citizens in the process by asking them to help improve the app over time.

Finally, governments need to make sure that the apps themselves come with robust protection. One of the weaknesses noted by Levy in his blog was related to encryption. He admitted there was a chance a bad actor could break in and access the proximity log data.

The UK app that is being tested on the Isle of Wight is a beta version. And as such the hope is that issues like this will be ironed out before a nationwide rollout. But governments have to get the balance right. Sure, they want to get the app to the public as soon as possible, but first they have to make sure that bad actors can’t access the app’s sensitive code and logic.

There are many risks threatening the success of track and trace apps. That said, a combination of all of us being vigilant, governments being transparent, and robust app protection being implemented can stop these risks.

Then we’ll all be in a better position to get closer to the life we left behind back in March.