Laughable security flaws identified in NHS contact tracing app
What you need to know
- Security experts have exposed laughable flaws in the NHS' contact tracing app.
- Source code analysis revealed seven holes.
- Staggeringly, the random ID code used to protect user privacy only changes once every 24 hours, and the beta for the app was published before encryption was finished.
A security report based on source code analysis of the NHS' contact tracing app has revealed several serious security flaws in the software.
As reported by Business Insider:
The report in question comes from State of It, and two cybersecurity experts based in Australia. To the app's credit, the report notes that the UK's effort has better mitigation than Singapore and Australia's app, however, they remain unconvinced that "the perceived benefits of centralized tracing outweigh its risks."
As summarized by Business Insider:
Not only that, but staggeringly, the rotating random ID code which is used to protect users' privacy only changes once a day. By comparison, Apple and Google's API does this every 10-20 minutes.
In a further, perhaps even more shocking revelation, the National Cyber Security Centre published a response to report, noting the following on encryption:
"Just couldn't be done in time for the beta." Rather than delay the release of the beta so that they could, you know, encrypt the data, NHSX just pushed the app out anyway. Great work everyone.
The report states in conclusion:
There are admirable parts of the implementation and once the already mentioned changes and updates are made, many of the concerns raised in this report will have been addressed. However, there remains some concern as to how privacy and utility are being balanced. The long-lived BroadcastValues, and detailed interaction records, remain a concern. Whilst we understand that more detailed records may be desirable for the epidemiological models, it must be balanced with privacy and trust if sufficient adoption of the app is to take place.
Get the best of iMore in your inbox, every day!
Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.
Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9
Laughable is the description of the whole of the UK's response to COVID-19.
Genocidal is another description.