NHS Contact Tracing App Security Issues Detailed
New security issues have been discovered in the UK Government’s NHS contact tracing app, as well as a potential data breach.
The app is currently being trialed on the Isle of Wight and privacy issues have been raised, which the National Cyber Security Centre (NCSC) told BBC News it was already aware of and is in the process of addressing. Raised by researchers Dr Chris Culnane and Vanessa Teague, the main issues include:
In the presence of an untrusted TLS server, the storing and transmitting of unencrypted interaction logs facilitates the recovery of InstallationIDs without requiring access to the Authority Private Key
Long lived BroadcastValues undermine BLE specified privacy protections and could reveal additional lifestyle attributes about a user who submits their data
The monitoring of interactions at eight second intervals could create unique interaction signatures that could be used to pairwise match device interactions, and when combined with unencrypted submission, allow the recovery of InstallationID from BroadcastValue without access to the Authority Private Key
The use of a deterministic counter to trigger KeepAlive updates risks creating an identifier that could be used to link BroadcastValues over multiple days
The researchers praised the “cryptographic protocol of the UK’s app [that] ..
Support the originator by clicking the read the rest link below.