NHS Contact Tracing App Security Issues Detailed

New security issues have been discovered in the UK Government’s NHS contact tracing app, as well as a potential data breach.

The app is currently being trialed on the Isle of Wight and privacy issues have been raised, which the National Cyber Security Centre (NCSC) told BBC News it was already aware of and is in the process of addressing. Raised by researchers Dr Chris Culnane and Vanessa Teague, the main issues include:

- In the presence of an untrusted TLS server, the registration process does not properly guarantee either the integrity of the authority public key or the privacy of the shared secrets established at registration. The result completely undermines core security goals of the protocol, including its privacy and its resistance to spoofing and manipulation
- In the presence of an untrusted TLS server, the storing and transmitting of unencrypted interaction logs facilitates the recovery of InstallationIDs without requiring access to the Authority Private Key
- Long-lived BroadcastValues undermine BLE-specified privacy protections and could reveal additional lifestyle attributes about a user who submits their data
- The monitoring of interactions at eight-second intervals could create unique interaction signatures that could be used to pairwise match device interactions, and when combined with unencrypted submission, allow the recovery of InstallationID from BroadcastValue without access to the Authority Private Key
- The use of a deterministic counter to trigger KeepAlive updates risks creating an identifier that could be used to link BroadcastValues over multiple days
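The fourth finding above (fixed eight-second sampling plus unencrypted submission) is easiest to see on concrete data. The following is an added illustrative model written for this page; it is not the NHS app's code, data format or the researchers' tooling. It assumes that each submission is readable in transit (the unencrypted-submission condition the researchers describe), that a submission carries the submitter's InstallationID together with the BroadcastValues it observed and the sample timestamps, and that the two devices' clocks agree. All identifiers and log entries are constructed for the example.

```python
"""
Added illustrative model: how fixed-cadence interaction samples form a timing
"signature" that lets an observer of readable submissions pair up two devices'
logs and map a BroadcastValue back to the InstallationID that submitted the
matching log, with no knowledge of the Authority Private Key.
Not the NHS app's code or data format; all data below is constructed.
"""
from collections import defaultdict
from itertools import combinations

SAMPLE_PERIOD = 8  # seconds between interaction samples, as described by the researchers

# A submission, in this model: the submitter's InstallationID mapped to the
# interactions it logged, each keyed by the observed BroadcastValue with the
# list of sample timestamps. Constructed data: A and B met at t=1000..1032,
# C saw B's BroadcastValue later and on its own, A also saw an unrelated value.
SUBMISSIONS = {
    "install-A": {"bv-9f1e": [1000, 1008, 1016, 1024, 1032],  # A logged B's value
                  "bv-77c2": [2000, 2008]},
    "install-B": {"bv-3a4d": [1000, 1008, 1016, 1024, 1032]},  # B logged A's value
    "install-C": {"bv-3a4d": [5000, 5008, 5016]},               # no counterpart log
}


def signature(timestamps):
    """Timing signature of one interaction: first sample time plus the gaps
    between samples. With a fixed sampling cadence both parties to an encounter
    record the same start time and the same gap pattern (assumes aligned clocks)."""
    ts = sorted(timestamps)
    return (ts[0], tuple(b - a for a, b in zip(ts, ts[1:])))


def pairwise_match(submissions):
    """Recover {BroadcastValue: InstallationID} by matching signatures across
    submissions. If A logged bv_a with the same signature that B logged bv_b,
    the value A saw is B's and the value B saw is A's."""
    index = defaultdict(list)  # signature -> [(submitter, observed BroadcastValue)]
    for submitter, interactions in submissions.items():
        for bv, ts in interactions.items():
            index[signature(ts)].append((submitter, bv))

    recovered = {}
    for entries in index.values():
        for (sub_a, bv_a), (sub_b, bv_b) in combinations(entries, 2):
            if sub_a == sub_b:
                continue  # two contacts of one device are not a mutual encounter
            recovered[bv_a] = sub_b
            recovered[bv_b] = sub_a
    return recovered


if __name__ == "__main__":
    for bv, installation in sorted(pairwise_match(SUBMISSIONS).items()):
        print(f"{bv} belongs to {installation}")
```

On the constructed data only the A/B encounter produces a signature seen in two submissions, so the model links bv-9f1e to install-B and bv-3a4d to install-A, while C's sighting of bv-3a4d at a different time yields nothing. The point is that nothing cryptographic is broken: the linkage comes from the sampling cadence and the readability of the submitted logs, which is why the researchers single out those two design choices.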

The researchers praised the “cryptographic protocol of the UK’s app [that] ..