Even though some countries started relaxing their lockdowns, we’re not out of the woods yet. With nearly six and a half million cases (and counting), the COVID-19 pandemic is far from over.
Enter contact tracing apps – many governments’ response to the highly infectious disease. There are tons of them out there, so check this list by ProPrivacy to see which apps work in which countries.
If you’re not familiar with these apps, it’s enough to know they track your interactions with other people. Also, they’re supposed to alert you if you came into contact with anyone who was diagnosed with COVID-19.
Most contact tracing apps use Bluetooth, and that begs the question – are they safe to use? After all, Bluetooth doesn’t have the best track record when it comes to security.
The Problem with Bluetooth
Actually, it’s “problems” – Bluetooth has had multiple vulnerabilities, both old and recent. Here are some of the more notorious examples:
1. BIAS (Bluetooth Impersonation AttackS)
A new research paper found that Bluetooth Classic has serious vulnerabilities that allow hackers to perform an impersonation attack when the connection is established.
According to the researchers, the following issues cause this vulnerability:
- Authentication procedure downgrade.
- No mandatory mutual authentication.
- Very permissive role switching.
For a BIAS attack to be successful, the cybercriminal has to be in wireless range of a Bluetooth device that previously established a connection to another Bluetooth device. It has to be a BR (Basic Rate) or EDR (Enhanced Data Rate) connection, and the attacker has to know the address of the second Bluetooth device.
That doesn’t seem like something that’d happen to you. However, keep this in mind – it does resemble how contact tracing apps that use Bluetooth work. The devices they’re installed on also have to be in wireless range of each other to exchange data. So hackers would have a reason to abuse the vulnerability.
2. Encryption Downgrade (KNOB Attack)
Back in 2019, security researchers discovered a vulnerability in Bluetooth BR/EDR connections. The issue would have allowed hackers to interfere with the connection process.
Basically, they could cause two Bluetooth devices to reduce the length of the encryption key they use. In some devices, they could even set the length to a single octet.
What that technical mumbo-jumbo means to you is that a hacker could use a brute-force attack to crack the encryption immediately after downgrading the encryption.
If you happen to use a Bluetooth device whose manufacturer didn’t patch this issue, cybercriminals could exploit it to monitor the data your contact tracing app shares with other devices. That can include sensitive stuff like medical, contact, and biometric information.
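To make concrete why a single-octet key is fatal and what the fix looks like, here is a constructed Python model of the key-size negotiation. It is added here, not code from the original article or from any real Bluetooth stack; the 7-octet floor is the minimum the Bluetooth SIG recommended after KNOB, while the device names, guess rate and the `negotiate_key_size` function are assumptions.

```python
from dataclasses import dataclass

MAX_KEY_OCTETS = 16  # BR/EDR encryption keys are at most 16 octets (128 bits)
MIN_KEY_OCTETS_POST_KNOB = 7  # floor the Bluetooth SIG recommended after KNOB


@dataclass
class BtDevice:
    """Constructed model of one endpoint's key-size policy (not a real stack)."""
    name: str
    max_key_octets: int = MAX_KEY_OCTETS
    min_key_octets: int = 1  # unpatched stacks accepted anything down to 1 octet


def negotiate_key_size(initiator, responder, forged_proposal=None):
    """Model the encryption key-size negotiation (assumed simplification).

    The honest outcome is the smaller of the two maxima. A man-in-the-middle
    who tampers with the negotiation can push the proposal down to
    `forged_proposal`. Return the agreed size in octets, or None if either
    side's minimum rejects it (the post-KNOB mitigation).
    """
    proposal = min(initiator.max_key_octets, responder.max_key_octets)
    if forged_proposal is not None:
        proposal = min(proposal, forged_proposal)
    floor = max(initiator.min_key_octets, responder.min_key_octets)
    if proposal < floor:
        return None  # connection refused rather than accepting a weak key
    return proposal


def keyspace(octets):
    """Number of candidate keys an attacker must try in the worst case."""
    return 1 << (8 * octets)


def brute_force_seconds(octets, guesses_per_second=10**9):
    """Worst-case brute-force time at a given guess rate (constructed figure)."""
    return keyspace(octets) / guesses_per_second


if __name__ == "__main__":
    phone, peer = BtDevice("phone (unpatched)"), BtDevice("peer (unpatched)")
    weak = negotiate_key_size(phone, peer, forged_proposal=1)
    print(f"unpatched: {weak}-octet key, {keyspace(weak)} candidates, "
          f"~{brute_force_seconds(weak):.0e} s to exhaust")
    patched = BtDevice("phone (patched)", min_key_octets=MIN_KEY_OCTETS_POST_KNOB)
    print("patched vs. forged proposal:", negotiate_key_size(patched, peer, 1))
    print("patched vs. honest peer:", negotiate_key_size(patched, peer))
```

Note that the floor only protects the connection if at least one side enforces it, which is why an unpatched peer on either end still leaves the pairing exposed.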
3. BlueBorne
In 2017, Armis (a security company) discovered the BlueBorne vulnerability – an issue that allowed hackers to connect to a device via Bluetooth remotely. Safe to say, if anyone were to do this to you, they’d be able to steal a lot of valuable data from you.
The good news is this issue was mostly fixed by vendors through updates. But if you happen to use a device that didn’t receive a patch, you’ll put your data in danger whenever you keep the contact tracing app running since your device will be vulnerable to this attack.
4. Google & Apple’s Decentralized Bluetooth
In April, Google and Apple partnered up to develop a new API that would enable interoperability between iOS and Android devices with contact tracing apps. The API would rely on BLE (Bluetooth Low Energy) signals and handle data in a decentralized way.
All in all, a pretty nice way to offer privacy. So what’s the problem?
As great as that sounds, Google and Apple’s API is vulnerable to cyber attacks according to the EFF (Electronic Frontier Foundation).
To make a long story short, they say there’s no way to check if a device sending contact-tracing data is the one that generated it. Because of that, hackers could collect data over the air, and then rebroadcast it.
But What’s the Alternative?
Unfortunately, it’s location data. And that’s not any better for your privacy either.
Unlike Bluetooth, location tracking relies on GPS data alongside cellular and WiFi signals. Put together, all that info can be used to accurately trace your whereabouts, or where you’ve been throughout the day (like which coffee shop you visited).
Overall, location data has two big problems:
- It’s very invasive. Health officials and – sometimes – third parties will have access to it.
- If hackers manage to exploit insecure apps or break into the servers the contact tracing apps share info with, they’ll get access to your location data.
So yeah, not really better than Bluetooth.
What’s the Solution Then?
There really isn’t one. The best thing you can do is check this list by ProPrivacy. It’s a complete guide to 54 contact tracing apps from around the world. It analyzes the apps from a privacy perspective (how they collect and handle data, what privacy frameworks they have in place, etc.), and assigns them a score in terms of how well they handle it.
Our recommendation is to check the list to see if the app that’s available in your area has a good score. If it does, it’s probably safe to use it. We think it’s also a good idea to install antivirus software on all your devices – especially the ones you take with you when going outside. There’s a chance it might protect you from some cyber attacks.
If the app has a bad score, though, there’s not much you can do. Either bite the bullet and use it, or avoid it until a much better one becomes available.
What’s Your Take on Contact Tracing Apps?
Do you think they’re a necessary evil, a great way to fight the pandemic, or a privacy nightmare? Share your thoughts with us in the comments or on social media.
Also, if there’s anything we forgot to mention, feel free to let us know.