Cybersecurity experts found seven flaws in the UK's contact-tracing app

• Two cybersecurity researchers have identified seven security flaws in the UK government's COVID-19 contact-tracing app.
• The app is currently being trialed on the Isle of Wight before being rolled out to the rest of the UK population.
• The researchers recommend that the app switch from using a centralized approach, which pools user data in a central server, to a decentralized approach.

The UK government's contact-tracing app has got a number of serious security flaws according to cybersecurity experts who analyzed its source code.

A report by two cybersecurity experts, Dr Chris Culnane and Vanessa Teague, was published on Tuesday. They identified seven security risks around the app, which is currently being trialled on the Isle of Wight and is supposed to be rolled out to the rest of the UK in the next week or two.

The way it works is once you download the app, your phone gets assigned a random number ID that changes every day. It then sends out Bluetooth signals, and if it recognises another phone with the app downloaded, it makes a note of that phones ID number in a log. If a user reports themselves as having symptoms, their phone sends a notification to every other phone it has saved in that log over the past two weeks.

The vulnerabilities include one which could allow hackers to intercept notifications and either block them or send out bogus ones telling people they've come into contact with someone carrying COVID-19.

The researchers also noted that unencrypted data stored on users' handsets could feasibly be accessed by law enforcement. Although the UK government has insisted the data would be used for nothing other than its COVID-19 response, a group of 177 cybersecurity experts have already called on it to introduce safeguards protecting the data from being repurposed for surveillance.

In building its app, the UK decided to reject the customized contact-tracing API (application program interface) put out by Apple and Google. This is because Apple and Google require anyone using their API to build a "decentralized" app, meaning all data processing would stay local to the users' handset. The UK decided to opt for a centralized approach, drawing user data into a central server so it could more easily analyze the data it pulls in.

This has already thrown up data protection concerns, as well as worries that it may impede the functionality of the app on iPhones. In their report Culnane and Teague say a decentralized app would be better. "The huge advantage of the Google/Apple decentralized API is that there's no central database that retains information about every infected person's contacts," Teague told Business Insider.

There is a possibility that a Google/Apple NHS app could emerge, as the Financial Times reported earlier this month the government was quietly working on a second app using the tech giants' API.

They also highlight that while both the NHS and the Google/Apple API use rotating random ID codes to protect users' privacy, the NHS app only switches up the numbers once per day, while the Google/Apple API does so every 15 minutes.

The UK vs. Silicon Valley

Privacy researcher Samuel Woodhams told Business Insider the report shows the UK's decision to build a centralized app needs a "substantial rethink."

"As the report shows, the current approach considerably increases the risk that sensitive data collected by the app will be exposed or manipulated. By only generating a random ID code once a day, the risks of identifying an individual are dramatically increased. This could have significant repercussions for users' privacy and lead to serious real-world consequences," Woodhams said.

"Recent developments have once again shown that the UK's approach is lagging behind the more privacy-friendly and probably more effective approach taken by Apple and Google," he added.

The report was shared with Britain's cybersecurity center NCSC prior to publication, and Teague said NCSC has already committed to fix some of the bugs identified, but others (like the 24 hour ID rotation) it had only committed to "review."

NCSC director Ian Levy publicly thanked the researchers for their work in a blog post. "In future versions, the team are going to try to publish a summary of the backlog of issues, so people can see what we know about, but haven't had time to fix yet. The app is a work in progress, and future versions will have all these issues fixed," Levy writes.

For the contact-tracing app to be effective, it needs to be adopted by roughly 56% of the UK's population, epidemiologists have told the NHS. The researchers note that to do this the public need to feel like they can trust the app.

"The messaging around the app, and in particular suggestions of broadening the data collected, combined with insufficient legislative protections, a lack of siloing of the data, and no sunsetting of the data retention or usage, risk undermining the trust that has been earned," they conclude.

Read the original article on Business Insider