As more countries move along to develop contact tracing apps to track potential COVID infections between people, a question comes to mind – what does this mean for the average person? Will downloading the app sacrifice one’s privacy?
• How does these contact tracing app work?
• What will these apps be tracking?
• What are the potential security implications and privacy concerns for users who download these apps?
• What are some tips to follow?
Niels Schweisshelm, Technical Program Manager, HackerOne shares them all:
How does these contact tracing apps work?
Contact tracing apps allow users to upload Covid-19 test results. It is then possible to leverage Bluetooth to determine with whom you have been in contact with; these individuals will then be notified of potential exposure to Covid-19. Additionally you will be notified if you have been in recent contact with individuals who tested positive for Covid-19.
What will these apps be tracking?
Not only will these contact tracing apps track and store your location; they will also store PII such as names and phone numbers, as well as medical information. Last but not least these apps will track and store data about individuals you have been in contact with recently. These apps will cross-reference movement data from individuals with medical data to determine if you have been in contact with individuals that have tested positive for covid-19 and vice versa.
What are the potential security implications or privacy concerns for users who download these apps?
Data that will be used in contact tracing apps is immensely valuable for threat actors; having PII, location data and medical data belonging to an individual allows cyber criminals to set up elaborate spear phishing attacks that will be difficult to distinguish from legitimate medical information. Additionally governments storing and processing this data could use the data for different purposes; e.g. to verify if you have been in contact with interesting individuals or if you were in the vicinity of a crime scene around a certain time.
Are there any alternatives? Manual tracking devices perhaps?
There are alternatives currently out there such as Simmel. These non-centralised applications only allow local storage of sensitive medical and personal data until the user specifically enables the sharing functionality. However, these alternatives are based on Bluetooth; so any vulnerability in the Bluetooth protocol or it’s implementation could still enable attackers to potentially access the sensitive data stored on the device.
What are some advice to follow when using these apps?
Now is even more so the time to treat your mobile phone as you would treat a laptop or desktop PC. Always install the latest security patches, use secure pass codes to lock your device and use a device finder tool to locate and/or whip your phone after losing it. Also be careful which apps you install and what permissions you give those apps
