Laughable security flaws identified in NHS contact tracing app

A security report based on source code analysis of the NHS' contact tracing app has revealed several serious security flaws in the software.

As reported by Business Insider:

The UK government's contact-tracing app has got a number of serious security flaws according to cybersecurity experts who analyzed its source code.

A report by two cybersecurity experts, Dr. Chris Culnane and Vanessa Teague, was published on Tuesday. They identified seven security risks around the app, which is currently being trialled on the Isle of Wight and is supposed to be rolled out to the rest of the UK in the next week or two.

The report in question comes from State of It, and two cybersecurity experts based in Australia. To the app's credit, the report notes that the UK's effort has better mitigation than Singapore and Australia's app, however, they remain unconvinced that "the perceived benefits of centralized tracing outweigh its risks."

As summarized by Business Insider:

The vulnerabilities include one which could allow hackers to intercept notifications and either block them or send out bogus ones telling people they've come into contact with someone carrying COVID-19. The researchers also noted that unencrypted data stored on users' handsets could feasibly be accessed by law enforcement. Although the UK government has insisted the data would be used for nothing other than its COVID-19 response, a group of 177 cybersecurity experts have already called on it to introduce safeguards protecting the data from being repurposed for surveillance.

Not only that, but staggeringly, the rotating random ID code which is used to protect users' privacy only changes once a day. By comparison, Apple and Google's API does this every 10-20 minutes.

In a further, perhaps even more shocking revelation, the National Cyber Security Centre published a response to report, noting the following on encryption:

The beta version of the app doesn't encrypt the proximity contact event data on the phone, and we don't independently encrypt it before sending to the server. So when it's transferred to the back end, it's protected only by TLS. If Cloudflare went bad (or someone compromised them), they could get access to that proximity log data. The NHS team absolutely understand that data has value and needs to be protected properly, but encryption of the proximity logs just couldn't be done in time for the beta. This will be fixed and will in addition mitigate the physical access to logs above.

"Just couldn't be done in time for the beta." Rather than delay the release of the beta so that they could, you know, encrypt the data, NHSX just pushed the app out anyway. Great work everyone.

The report states in conclusion:

There are admirable parts of the implementation and once the already mentioned changes and updates are made, many of the concerns raised in this report will have been addressed. However, there remains some concern as to how privacy and utility are being balanced. The long-lived BroadcastValues, and detailed interaction records, remain a concern. Whilst we understand that more detailed records may be desirable for the epidemiological models, it must be balanced with privacy and trust if sufficient adoption of the app is to take place.