Contact tracing apps unsafe if Bluetooth vulnerabilities not fixed
As more governments turn to contact tracing apps to aid in their efforts to contain the coronavirus, cybersecurity experts are warning this may spark renewed interest in Bluetooth attacks. They urge developers to ensure such apps are regularly tested for vulnerabilities and release patches swiftly to plug potential holes, while governments should provide assurance that their databases are secure and the data collected will not be used for purposes other than is originally intended.
Users also should take the necessary steps to safeguard their personal data and prevent their devices from becoming the target of cybercriminals.
According to Acronis’ co-founder and technology president Stas Protassov, Bluetooth has had several vulnerabilities in the past, including one as recently as February, when BlueFrag, a critical vulnerability affecting Android devices, was patched, as well as multiple vulnerabilities in Apple iOS devices.
Left unpatched, these devices could be breached by hackers within the vicinity and the user’s personal data stolen, Protassov warned, and stressed the need for users to update their devices’ firmware to ensure vulnerabilities were promptly fixed. And as with any app, they also should check the permissions that all contact tracing apps requested.
Most of these apps, including Singapore’s TraceTogether, use Bluetooth signals to detect others in close proximity, and security observers say it may leave the smartphone susceptible to threats, especially if there are undiscovered or unfixed vulnerabilities.
“People will want to download these apps to help curb the pandemic, but they also need to be aware of the cyber protection risks they are taking on. Only install official apps,” Protassov said, noting that malicious look-alike apps likely already were being developed and would be released soon after official ones.
HackerOne’s technical program manager Niels Schweisshelm also highlighted the critical vulnerabilities linked to the Bluetooth protocol and its implementations, which were exploitable by remote attackers and enabled arbitrary code execution on affected Android devices.
While these since had been fixed, Schweisshelm said it offered no guarantee that Bluetooth and its implementations would be free from future vulnerabilities. He added that security research in the near future was expected to focus heavily on the wireless technology and this could uncover other similar vulnerabilities.
Tom Kellermann, VMware Carbon Black’s head of cybersecurity strategy, also underscored the need for contact tracing apps to be regularly tested for vulnerabilities and critical updates to be released swiftly. He said they should be configured to be automatically updated and prevented from interacting with mobile smart assistants.
Noting that Bluetooth attacks, similar to mobile app attacks, likely would remain in circulation, Kellermann said users should only turn on the wireless technology when they leave their home and limit the location settings to run only when in use.
Governments, too, should ensure backend databases were secure and regularly conduct application testing to mitigate exploitation of contact tracing apps.
Any personally identifiable information (PII) collected would need to be properly stored and encrypted, said Protassov, who noted that the data preferably should not be stored at all. He added that all possible precaution must be taken to avoid a massive data leak such as that involving Equifax.
Pointing to Singapore where Acronis is headquartered, he said the government here had been transparent in its communication about the country’s contact tracing app, TraceTogether. He said governments worldwide should clearly state what information was gathered by contact tracing apps, how this data was collected, and who had access to the data. And where possible, the data should be anonymised, or at least pseudonymised, he noted.
According to the Singapore government, its TraceTogether app does not collect any location data and asks for the user’s mobile phone number during setup, which is held by the Health Ministry and stored in “a highly secured server” along with a random anonymised user ID that is linked to the mobile number.
When TraceTogether is running on the phone, it creates a temporary ID that is generated by encrypting the user ID with a private key, which is held by the Health Ministry. The temporary ID is then exchanged with nearby phones and renewed regularly, making it difficult for anyone to identify or link the temporary IDs to the user, said GovTech, the government agency behind the contact tracing app. It noted that the temporary ID can only be decrypted by the Health Ministry.
It added that the TraceTogether app shows connections between devices, not their locations, and this data log is stored on the user’s phone and shared with the ministry, with the user’s consent, when needed for contact tracing.
GovTech said: “Your phone will store the temporary IDs from nearby phones, together with information about the nearby phone’s model, Bluetooth signal strength, and time. All this information is stored locally on your phone, and not sent to MOH, unless you are contact traced.”
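As an added illustration, not GovTech’s or TraceTogether’s own code, the Python sketch below models the scheme described above: a secret key held only by the ministry turns a user ID into a rotating temporary ID that nobody else can open, the phone logs nearby temporary IDs together with model, signal strength and time locally, and the ministry resolves that log only after the user uploads it. It assumes 16-byte user IDs and uses an encrypt-then-MAC construction over HMAC-SHA256 as a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
# Added illustration, not GovTech/TraceTogether code. The HMAC-SHA256
# encrypt-then-MAC below stands in for a real AEAD such as AES-GCM.
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 12, 16

def _subkey(master, label):
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:  # HMAC in counter mode as a PRF-based stream cipher
        out += hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def make_temp_id(master, user_id, start, end):
    """Key holder issues: 16-byte user ID plus validity window, encrypted and tagged."""
    pt = struct.pack(">16sII", user_id, start, end)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per ID, so two IDs of one user are unlinkable
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(master, b"enc"), nonce, len(pt))))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def open_temp_id(master, temp_id):
    """Key holder only: returns (user_id, start, end), or None if forged or tampered."""
    nonce, ct, tag = temp_id[:NONCE_LEN], temp_id[NONCE_LEN:-TAG_LEN], temp_id[-TAG_LEN:]
    expect = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(master, b"enc"), nonce, len(ct))))
    return struct.unpack(">16sII", pt)

def record_encounter(log, temp_id, model, rssi, ts):
    """What the phone keeps locally per nearby device: temp ID, model, signal strength, time."""
    log.append({"temp_id": temp_id, "model": model, "rssi": rssi, "time": ts})

def trace_contacts(master, uploaded_log):
    """Key holder, after the user consents to upload: resolve IDs seen inside their validity window."""
    users = set()
    for e in uploaded_log:
        opened = open_temp_id(master, e["temp_id"])
        if opened is not None and opened[1] <= e["time"] <= opened[2]:
            users.add(opened[0])
    return users
```

Anyone without the key sees only opaque, non-repeating identifiers, and a forged or tampered entry in an uploaded log is dropped rather than resolved to a user.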
Bluetooth creates wider attack surface that must be properly reviewed
Synopsys Software Integrity Group’s senior security consultant Samantha Isabelle Beaumont cautioned that contact tracing apps allowed attackers to access users’ Bluetooth as well as read all Bluetooth communications on their connected devices, including their car, the music they listened to, household IoT (Internet of Things) devices, amongst others.
Beaumont recommended users protect themselves by limiting various components such as the number of apps they downloaded, the number of Bluetooth items with which they paired, the number of Bluetooth items they kept as whitelisted, or known, devices, and the amount of information they transferred over Bluetooth.
The Singapore government, however, said it was unlikely hackers could breach a device without the targeted user’s knowledge.
GovTech said Bluetooth transmits signals within a range of some 10 metres and it would be “difficult for anyone to get close enough to you, and use a computer to extract information from your phone without you noticing”. It did urge users to ensure their phone’s operating system was updated.
Acronis CISO Kevin Reed noted that developers tended to believe attacks had to be carried out at close range and that their apps were hence less exposed, which could result in Bluetooth apps being built less securely.
Opportunistic hackers did not care whether they launched attacks via Bluetooth or the internet by scouting devices in a crowded place, which, he acknowledged, was less easy to do in Singapore under the current social distancing rules.
Reed added that developers might have less experience with Bluetooth, compared to online platforms, and could overlook certain elements that might result in a bug or vulnerability.
Furthermore, with Bluetooth now an additional functionality that needed to be activated, this would create a wider attack surface, he said.
Schweisshelm said governments should properly assess the entire attack surface created by contact tracing apps, including static source code reviews as well as dynamic application testing, to discover any vulnerabilities.
RSA CTO Zulfikar Ramzan took a more moderate view of Bluetooth’s security risks, acknowledging that while the wireless technology had several security issues since it was introduced some two decades ago, it now was a mature protocol and more trustworthy than recent ones.
However, no digital system was immune to attacks, which would only improve over time, Ramzan said. He added that systems designers should continuously improve their products and advised users to ensure all software on their phones was updated. They also should examine the settings on the mobile device, particularly those associated with privacy, to check whether any unnecessary activity was running.
He explained that because Bluetooth provided a mechanism to identify the proximity of two individuals without requiring actual knowledge of the location, it would be a preferred option against other approaches such as GPS, which revealed not just proximity but also the location of individuals.
“From a privacy perspective, it is desirable to build contact tracing apps that collect the minimum information needed to determine two individuals are in contact with each other,” he said. “Doing so does not actually require collecting precise location information, but rather involves determining if two people are in the same place.”
Beyond security and privacy, a bigger concern involved fairness, he noted. For instance, could systems be implemented in a way to ensure the data collected would not be abused and used for purposes other than what was originally intended?
For these apps to gain traction and earn trust, he stressed that governments needed to implement checks and balances to reduce the likelihood of the data collected being misused. More so, organisations involved in the design of these systems and their components should have robust procedures in place for responding to new security issues expeditiously, he added.
Ramzan said: “We live today in a golden age of surveillance where our actions leave behind a trail of digital breadcrumbs. By correlating data collected from contact tracing apps with other surveillance data, the level of privacy exposure can be magnified in substantial ways.”
Contact tracing app development will pique hacker interest
None of the security vendors ZDNet spoke with noted a significant increase in attacks targeting Bluetooth devices, but most agreed the recent initiatives around contact tracing apps were likely to renew interest amongst cybercriminals.
Protassov said: “Bluetooth is just a vessel. The real attacks are happening on the applications operating with Bluetooth data. Exploiting those applications is the attackers’ ultimate goal. Such attacks are often opportunistic and close-range.”
He further noted that with millions now downloading such apps, a database of information that previously was difficult to obtain now was opened up to potential attackers. “As we have seen with COVID-19 scams, attackers follow trends and millions of new users moving to a rapidly developed platform makes it a great target,” he said.
With so many devices now with Bluetooth enabled, this would fuel interest amongst hackers, he added.
Ramzan concurred, noting that while there had been little indication so far of increased attacks, there likely would be renewed interest in contact tracing apps as these became more widespread. In fact, it was “virtually a certainty” that new attacks would be published, but the more salient question was whether these attacks were pragmatic, he said.
He explained that cybersecurity researchers often conceived of creative and spectacular attacks, but, oftentimes, these attacks only worked under very precise conditions and required tremendous resources. At that point, no reasonable threat actor would implement them, he said.
Kellermann also revealed that the Carbon Black Threat Analysis Unit had yet to see an increase in attacks targeting Bluetooth devices, but expressed concerns about low-frequency attacks due to the ubiquity of mobile payments. He, too, cautioned that there was a strong likelihood such attacks could spike as more contact tracing apps were deployed, since this created a nefarious business model for coercion and extortion.
Beaumont also noted the likely increase in such attacks, adding: “The more backdoors built into a system, the more access and holes an attacker can use as leverage to compromise a device. Therefore, if we can limit the amount of contact tracing added or required on a system, the more we can lock down the mechanism from external threats.”
Before downloading such apps, Check Point Software Technologies’ Asia-Pacific CTO Tony Jarvis said he would want to know what data was collected, who had access to the data, and what they planned to do with the information. “I would also want to know what other applications or permissions on the phone this app has access to. Some sort of official statement indicating personal data is protected will be necessary before I download and use such apps.”
Ramzan highlighted the need to know what data specifically was collected, how it would be kept confidential, and whether it would be shared or correlated with other data. He also would ask about the checks and balances in place to ensure the data was not misused and the procedures put in place to respond to security incidents.
Kellermann also would want to ascertain if the developers performed Open Web Application Security Project (OWASP) testing, and if vulnerabilities were uncovered, whether these were remediated, and whether users could limit the app’s access to GPS location and smart assistant services.
When asked, GSM Association would not comment directly on the developments around contact tracing apps, noting that such efforts were driven mainly by governments. The industry body, however, urged the adoption of best practice recommendations such as the GSMA Privacy Design Guidelines for App Development to enable app developers, operating systems developers, and consortia such as PEPP-PT to design privacy and security into their software.
PEPP-PT, or Pan-European Privacy Preserving Proximity Tracing, was established to support the tracing of infection chains across national borders by providing “standards, technology, and services” to countries and developers. The organisation describes itself as a “large and inclusive European team” and its members include Heartbeat Labs, PocketCampus, Vodafone, 3db, and ISI.