Contact tracing apps unsafe if Bluetooth vulnerabilities not fixed

With governments increasingly turning to contact tracing apps to help contain COVID-19, such initiatives are likely to spark renewed interest in Bluetooth attacks, which means there is a need for assurance that these apps are regularly tested and that vulnerabilities are patched.
Written by Eileen Yu, Senior Contributing Editor

As more governments turn to contact tracing apps to aid in their efforts to contain the coronavirus outbreak, cybersecurity experts are warning this may spark renewed interest in Bluetooth attacks. They urge developers to ensure such apps are regularly tested for vulnerabilities and release patches swiftly to plug potential holes, while governments should provide assurance that their databases are secure and the data collected will not be used for purposes other than as originally intended. 

Users should also take the necessary steps to safeguard their personal data and prevent their devices from becoming the target of cybercriminals.

According to Acronis' co-founder and technology president Stas Protassov, Bluetooth has had several vulnerabilities in the past, including BlueFrag, a critical vulnerability disclosed as recently as February that affected multiple Android and Apple iOS devices and required patching.

Left unpatched, such devices could be breached by hackers within the vicinity and the user's personal data stolen, Protassov warned. He also stressed the need for users to update their devices' firmware to ensure vulnerabilities are promptly fixed. And as with any app, users should also check the permissions that any contact tracing app requests.

Most of these apps, including Singapore's TraceTogether, use Bluetooth signals to detect others in close proximity, and security observers say it could leave the smartphone susceptible to threats, especially if there are undiscovered or unfixed vulnerabilities. 

"People will want to download these apps to help curb the pandemic, but they also need to be aware of the cyber protection risks they are taking on. Only install official apps," Protassov said, noting that malicious lookalike apps likely are already being developed and would be released soon after the official ones.

HackerOne's technical program manager Niels Schweisshelm also highlighted the critical vulnerabilities linked to the Bluetooth protocol and its implementations, which were exploitable by remote attackers and enabled arbitrary code execution on affected Android devices. 

While these have since been fixed, Schweisshelm said the fixes offer no guarantee that Bluetooth and its implementations would be free from future vulnerabilities. He added that security research in the near future was expected to focus heavily on wireless technology and this could uncover other similar vulnerabilities. 

Tom Kellermann, VMware Carbon Black's head of cybersecurity strategy, also underscored the need for contact tracing apps to be regularly tested for vulnerabilities and critical updates to be released swiftly. He said they should be configured to be automatically updated and prevented from interacting with mobile smart assistants. 

Noting that Bluetooth attacks, similar to mobile app attacks, likely would remain in circulation, Kellermann said users should only turn on the wireless technology when they leave their home and limit the location settings to run only when in use. 

Governments, too, should ensure backend databases are secure and regularly conduct application testing to mitigate exploitation of contact tracing apps.

Any personally identifiable information (PII) collected would need to be properly stored and encrypted, said Protassov, who noted that the data preferably should not be stored at all. He added that every possible precaution must be taken to avoid a massive data leak such as the one involving Equifax.

Pointing to Singapore where Acronis is headquartered, he said the government has been transparent in its communication about the country's contact tracing app, TraceTogether. He said governments worldwide should clearly state what information is being gathered by contact tracing apps, how this data is collected, and who has access to the data. And where possible, the data should be anonymised, or at least pseudonymised, he noted.  

According to the Singapore government, its TraceTogether app does not collect any location data nor ask for the user's mobile phone during setup. Meanwhile, any data collected is held by the Ministry of Health (MOH) and stored in "a highly secured server" along with a random anonymised user ID that is linked to the mobile number. 

When TraceTogether is running on the phone, it creates a temporary ID that is generated by encrypting the user ID with a private key, which is held by the Health Ministry. The temporary ID is then exchanged with nearby phones and renewed regularly, making it difficult for anyone to identify or link the temporary IDs to the user, said GovTech, the government agency behind the contact tracing app. It noted that the temporary ID could only be decrypted by the Health Ministry. 

It added that the TraceTogether app shows connections between devices, not their locations, and this data log is stored on the user's phone and shared with the ministry -- with the user's consent -- when needed for contact tracing.

GovTech said: "Your phone will store the temporary IDs from nearby phones, together with information about the nearby phone's model, Bluetooth signal strength, and time. All this information is stored locally on your phone, and not sent to MOH, unless you are contact traced."
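The temporary-ID mechanism GovTech describes above can be illustrated in code. The following is an added example written for this article, not GovTech's or TraceTogether's own code, and it assumes details the article does not state: the "private key" is taken to be a symmetric AES-256 key held only by the ministry (which matches the stated property that only the ministry can decrypt), the user ID is assumed to be 21 bytes, TempIDs are assumed to rotate every 15 minutes, and encryption uses AES-GCM so that a forged or corrupted TempID is rejected rather than decrypted to garbage. The user ID, key and timestamps are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed parameters for this illustration; not TraceTogether's real values.
const (
	userIDLen      = 21               // bytes of the opaque per-user identifier
	tempIDLifetime = 15 * time.Minute // how often a phone moves to a fresh TempID
)

// MinistryKey is the symmetric secret kept only on the health authority's side.
// Phones hold TempIDs, never this key, so a TempID captured over the air is
// opaque to everyone except the key holder.
type MinistryKey [32]byte

// NewMinistryKey draws a random 256-bit AES key.
func NewMinistryKey() (MinistryKey, error) {
	var k MinistryKey
	_, err := rand.Read(k[:])
	return k, err
}

// TempIDPayload is what the ciphertext protects: the user and a validity window.
type TempIDPayload struct {
	UserID  [userIDLen]byte
	Created int64 // unix seconds
	Expiry  int64
}

func (k MinistryKey) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssueTempID seals userID || created || expiry with AES-256-GCM under a fresh
// random nonce. Because the nonce is random, two TempIDs issued for the same
// user are unlinkable to anyone without the key.
func (k MinistryKey) IssueTempID(userID [userIDLen]byte, created time.Time) (string, error) {
	gcm, err := k.aead()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	var pt bytes.Buffer
	pt.Write(userID[:])
	binary.Write(&pt, binary.BigEndian, created.Unix())
	binary.Write(&pt, binary.BigEndian, created.Add(tempIDLifetime).Unix())
	ct := gcm.Seal(nil, nonce, pt.Bytes(), nil)
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// ResolveTempID is the authority-side inverse, run only when a contact log is
// uploaded. It rejects forged or corrupted TempIDs (the GCM tag check fails) and
// TempIDs reported outside their validity window (replay of an old identifier).
func (k MinistryKey) ResolveTempID(tempID string, seenAt time.Time) (TempIDPayload, error) {
	var p TempIDPayload
	raw, err := base64.StdEncoding.DecodeString(tempID)
	if err != nil {
		return p, err
	}
	gcm, err := k.aead()
	if err != nil {
		return p, err
	}
	ns := gcm.NonceSize()
	if len(raw) != ns+userIDLen+16+gcm.Overhead() {
		return p, errors.New("tempID has unexpected length")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return p, errors.New("tempID failed authentication: forged, corrupted or wrong key")
	}
	copy(p.UserID[:], pt[:userIDLen])
	p.Created = int64(binary.BigEndian.Uint64(pt[userIDLen:]))
	p.Expiry = int64(binary.BigEndian.Uint64(pt[userIDLen+8:]))
	if t := seenAt.Unix(); t < p.Created || t > p.Expiry {
		return p, errors.New("tempID seen outside its validity window")
	}
	return p, nil
}

func main() {
	key, _ := NewMinistryKey()
	var uid [userIDLen]byte
	copy(uid[:], "constructed-user-0001") // constructed 21-byte user ID
	now := time.Now()
	id1, _ := key.IssueTempID(uid, now)
	id2, _ := key.IssueTempID(uid, now.Add(tempIDLifetime))
	fmt.Println("two TempIDs for one user look unrelated:", id1 != id2)
	// A phone would log id1 with model, signal strength and time; only the
	// ministry can turn the logged TempID back into a user.
	p, err := key.ResolveTempID(id1, now.Add(time.Minute))
	fmt.Println("ministry resolves user:", string(bytes.TrimRight(p.UserID[:], "\x00")), err)
	_, err = key.ResolveTempID(id1, now.Add(2*tempIDLifetime))
	fmt.Println("stale TempID rejected:", err != nil)
}
```

The point to take from the example is where the key lives: a phone that only ever holds ciphertexts cannot identify the devices it has met, and neither can anyone sniffing the Bluetooth exchange, whereas the validity window in the plaintext lets the authority reject an identifier that was captured and re-broadcast later.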

Bluetooth creates wider attack surface that must be properly reviewed

Synopsys Software Integrity Group's senior security consultant Samantha Isabelle Beaumont cautioned that contact tracing apps allowed attackers to access users' Bluetooth as well as read all Bluetooth communications on their connected devices, including their car, the music they listened to, household IoT (Internet of Things) devices, amongst others. 

Beaumont recommended that users protect themselves by limiting various components, such as the number of apps they download, the number of Bluetooth items with which they pair, the number of Bluetooth items they keep as whitelisted -- or known devices -- and the amount of information they transfer over Bluetooth.

The Singapore government, however, said it was unlikely hackers could breach a device without the targeted user's knowledge.

GovTech said Bluetooth transmits signals within a range of some 10 metres and it would be "difficult for anyone to get close enough to you, and use a computer to extract information from your phone without you noticing".  It did urge users to ensure their phone's operating system was updated. 

Acronis CISO Kevin Reed noted that it was the belief amongst developers that attacks needed to be carried out at close range and, hence, that the apps would be less exposed to attacks.

Opportunistic hackers, however, did not care whether they launched attacks via Bluetooth or the internet, scouting for devices in a crowded place, which he acknowledged was less easy to do in Singapore under the current social distancing rules.

Reed added that developers might have less experience with Bluetooth, compared to online platforms, and could overlook certain elements that might result in a bug or vulnerability. 

Furthermore, with Bluetooth now an additional functionality that needed to be activated, this would create a wider attack surface, he said. 

Schweisshelm said governments should properly assess the entire attack surface created by contact tracing apps, including static source code reviews as well as dynamic application testing, to discover any vulnerabilities. 

RSA CTO Zulfikar Ramzan took a more moderate view of Bluetooth's security risks, acknowledging that while the wireless technology had had several security issues since it was introduced some two decades ago, it was now a mature protocol and more trustworthy than more recent ones.

No digital system is immune to attacks, but this could improve over time, Ramzan said. He added that system designers should continuously improve their products and advised users to ensure all software on their phones is updated. They should also examine the settings on the mobile device, particularly those associated with privacy, to check whether any unnecessary activity is running.

He explained that because Bluetooth provided a mechanism to identify the proximity of two individuals without requiring actual knowledge of the location, it would be a preferred option against other approaches such as GPS, which revealed not just proximity but also the location of individuals.

"From a privacy perspective, it is desirable to build contact tracing apps that collect the minimum information needed to determine two individuals are in contact with each other," he said. "Doing so does not actually require collecting precise location information, but rather involves determining if two people are in the same place."

Beyond security and privacy, a bigger concern involved fairness, he noted. For instance, could systems be implemented in a way to ensure the data collected would not be abused and used for purposes other than what was originally intended? 

For these apps to gain traction and earn trust, he stressed that governments needed to implement checks and balances to reduce the likelihood of the data collected being misused. More so, organisations involved in the design of these systems and their components should have robust procedures in place for responding to new security issues expeditiously, he added.

Ramzan said: "We live today in a golden age of surveillance where our actions leave behind a trail of digital breadcrumbs. By correlating data collected from contact tracing apps with other surveillance data, the level of privacy exposure can be magnified in substantial ways."

Contact tracing app development will pique hacker interest

None of the security vendors ZDNet spoke with noted a significant increase in attacks targeting Bluetooth devices, but most agreed the recent initiatives around contact tracing apps were likely to renew interest amongst cybercriminals. 

Protassov said: "Bluetooth is just a vessel. The real attacks are happening on the applications operating with Bluetooth data. Exploiting those applications is the attackers' ultimate goal. Such attacks are often opportunistic and close-range."

He further noted that with millions now downloading such apps, a database of information that previously was difficult to obtain has now opened up to potential attackers. "As we have seen with COVID-19 scams, attackers follow trends, and millions of new users moving to a rapidly developed platform makes it a great target," he said.

With so many devices now with Bluetooth capabilities, this would fuel interest amongst hackers, he added.

Ramzan concurred, noting that while there had been little indication so far of increased attacks, there likely would be renewed interest in contact tracing apps as these become more widespread. In fact, it was "virtually a certainty" that new attacks would be published, but the more salient question will be whether these attacks are pragmatic, he said.

He explained that cybersecurity researchers often conceived of creative and spectacular attacks, but, oftentimes, these attacks only worked under very precise conditions and required tremendous resources. At that point, no reasonable threat actor would implement them, he said. 

Kellermann also revealed that the Carbon Black Threat Analysis Unit had yet to see an increase in attacks targeting Bluetooth devices, but expressed concern about low-frequency attacks given the ubiquity of mobile payments. He, too, cautioned that there was a strong likelihood such attacks could spike as more contact tracing apps are deployed, since this created a nefarious business model for coercion and extortion.

Beaumont also noted the likely increase in such attacks, adding: "The more backdoors built into a system, the more access and holes an attacker can use as leverage to compromise a device. Therefore, if we can limit the amount of contact tracing added or required on a system, the more we can lock down the mechanism from external threats."

Before downloading such apps, Check Point Software Technologies' Asia-Pacific CTO Tony Jarvis said he would want to know what data is collected, who has access to the data, and what they plan to do with the information. "I would also want to know what other applications or permissions on the phone this app has access to. Some sort of official statement indicating personal data is protected will be necessary before I download and use such apps."

Ramzan highlighted the need to know what data specifically would be collected, how it would be kept confidential, and whether it would be shared or correlated with other data. He also would ask about what checks and balances would be in place to ensure the data is not misused, as well as the procedures that would be put in place to respond to security incidents. 

Kellermann also would want to ascertain if developers performed Open Web Application Security Project (OWASP) testing, and if vulnerabilities were uncovered, whether these were remediated, and whether users could limit the app's access to GPS location and smart assistant services. 

When asked, the GSM Association (GSMA) would not comment directly on the developments around contact tracing apps, noting that such efforts were driven mainly by governments. The industry body, however, urged the adoption of best practice recommendations such as the GSMA Privacy Design Guidelines for App Development to enable app developers, operating system developers, and consortia such as PEPP-PT to design privacy and security into their software.

PEPP-PT, or Pan-European Privacy Preserving Proximity Tracing, was established to support the tracing of infection chains across national borders by providing "standards, technology, and services" to countries and developers. The organisation describes itself as a "large and inclusive European team" and its members include Heartbeat Labs, PocketCampus, Vodafone, 3db, and ISI.
