Security Risks with Contact Tracing App for COVID-19

Laura BednarCybersecurity and VulnerabilitiesLeave a Comment

Contact Tracing App Google Apple

Tech giants Apple and Google have decided to work together in an effort to create a system that uses Bluetooth on our mobile phones to detect when you have come into contact with someone who may be positive for Coronavirus. This system is called “contact tracing” and by using mobile phones and their connectivity, public health organizations can see who is infected and identify potential cases.

This may be a positive for organizations that are trying to identify cases without having to physically be near the person. However, the security risks that come with this type of technology may be the beginning of a slippery slope to losing consumer privacy after the pandemic has passed.

Contact Us Now

How Contact Tracing Works

Originally, the idea of contact tracing meant people visiting those who were sick and speaking with them about who they had come in contact with. Eventually, after speaking with those who had been in contact with the ill would be told to monitor their health, and the virus could be stopped from spreading further. With the numbers of COVID-19 cases increasing rapidly, this traditional method couldn’t work as effectively. This new development was created to solve this problem.

Apple and Google are working on a system where phones use Bluetooth data to track when they are near each other. If each phone has the related app and the owner has told the app whether or not they have tested positive for the virus, then anyone within a 30 ft. distance would be notified of that person’s diagnosis. Official apps from public health authorities would also have access to this data.

Initially, users will have to download the app, but the tech companies are working on building tracing functionality into a device’s operating system for anyone with an iOS or Android phone. While a user must opt-in to the contact-tracing API, once you download a public health app tied to the system, it shares your “proximity events” from the past two weeks.

Security Concerns Present and Future

The somewhat unclear implementation methods of either the system being in an OS after updating or being able to be “pinged” about someone with the disease without downloading the app are the tip of the iceberg in terms of security concerns. Our Director of Forensics at SecureData, Allan Buxton, explained some of the issues with this type of technology.

Buxton said this is not the first time this type of technology has been used. Some retail chains have tracked Bluetooth beacons to see what aisles get the most traffic and where shoppers linger. This is similar to how mobile OS publishers keep a database of WiFi access points. Buxton said in order for this technology to work, a few tenets of privacy that OS manufacturers offer must be abandoned:

  • Data can’t be anonymized, because people need to know who is within 30 ft. of them.
  • Data must be shared with researchers and government agencies in non-anonymized format for the entire process to be effective.

Additionally, Buxton looked to the future, where this connection is through our devices, which hold personal information on people. If this system was in place and used to contact trace a patient who had travelled, the companies would have to get contact data from all of the countries in which the person visited. This could lead to problems getting a country to comply with the information request, and if Google shares that data with other countries, what’s to stop them from using it for malicious purposes instead of health-related ones?

“I think OS publishers would be better off providing the data they’ve already collected, pursuant to specific requests as diagnoses come upCertainly a more immediate help,” said Buxton.

Security in a Time of Uncertainty

While Apple and Google claim that they would collaborate with interested stakeholders and publish information about their work to ensure transparency, both companies have previously been in the news for privacy-related issues. There may be some positives that come from this type of technology as far as limiting the number of new cases of COVID-19, but the long-term effects are something to consider moving forward in a connected world.

If you have experienced a data breach, ransomware attack, or other digital cybercrime, call Secure Forensics at 1-800-288-1407. Our examiners can find evidence of a digital crime and create a court-admissible report for your case.