Top ten NHSX COVID-19 contract tracing app concerns
The government’s anticipated NHSX app for coronavirus tracing has failed crucial tests and is not yet safe enough to be rolled out across the UK, according to reports. It is understood the system has failed all tests needed in order for it to be included in the NHS Apps Library, including cyber security tests.
The NHSX app is being trialled across households on the Isle of Wight this week and is due to be rolled out nationally, if successful, later this month.
However, here Jonathan Martin, partner director EMEA at Anomali, has several concerns about the security and privacy implications of the NHSX app:
1 - Phishing Attacks: No-one knows where to get the app from, so consumers can expect floods of emails with bogus links (to convincing looking domains) to download the app from. The link will simply be a web page that will ask people for more personal information than the genuine app, and will then not even have an App to download. The information will be used in future attacks against the individual.
2 - Smishing Attacks: Similar to a phishing attack, but the phish is done via SMS message. Due to the smaller screen real-estate, people will be less able to check the veracity of the link so will be more trusting and will click it.
3 - Rogue Apps: In some cases, rogue apps will be delivered via the above links that will compromise the phone, allowing attackers to access personally identifiable information (PII) on the device and launch attacks against the user.
4 - Drive-by attacks: Rogue actors will develop apps that beacon out pretending to be an infected person. For example, the attacker walks down a street so that near-by phones will receive the alert and inform the owner that they have to self-isolate and test. Via this sort of attack, it’s possible to force large numbers of people off the streets.
5 - Commercial sabotage: Competing businesses in the high street could set false COVID-19 beacons that a competitors premises is infected (large concentration of positive reports) and so they should stay away.
6 - Attempt Bring down the Government: The apparent swift increase in numbers of infected people (for example caused by the drive-by attacks) causes unrest in the population which leads to the PM/Health Secretary/etc. resigning.
7 - Denial of Service: With the centralised approach the government has adopted, Denial of Service attacks against the data servers will be attempted and could stop people reporting their symptoms/positive cases. This leads to frustration and mistrust of the official app not working.
8 - GPS/Other Localisation data methods: As the app develops, it could request access to other data sources such as GPS/Wi-Fi/Location info. This leads to the possibility of that data being abused by government bodies/organisations involved in the development & maintenance - or leaked via attacks to the data servers.
9 - Scope Creep: Whilst the initial design objective is COVID-19 Track & Trace, the government could slowly roll new features into the app (geo-location, social network monitoring) unbeknownst to UK citizens - mass surveillance via the backdoor. The app effectively becomes the National ID Card.
10 - False Positive Alert: The app won’t be able to understand the context of the users. For example, two people who are queuing side by side in a traffic jam but in different cars will register with each other that they’ve been in close proximity when, in fact, neither is in any danger as the glass provides a physical barrier.