How cyber-secure is the NHS Covid-19 app?
Heavily downloaded, built at speed in the middle of a pandemic… should you feel comfortable recommending to staff they download the new track-and-trace app – or does the cyber-risk outweigh the virus gain? SC Media sent Davey Winder to investigate…
The NHS Covid-19 contact tracing app for England and Wales was downloaded over 12 million times by the end of September with the health secretary, Matt Hancock, claiming success as this made it the most quickly downloaded app in the UK ever.
Here's the thing: even at that kind of download level, it needs to do better if it is to work towards halting the spread of the virus. Issues include failed compatibility with older phones, police forces instructing officers not to install the app and reports that some users received erroneous exposure notifications that were actually system checking messages from Apple and Google, according to the Department of Health and Social Care. These stories don't help.
Nor do the two elephants still in the room: privacy and security doubts.
The move to the Apple and Google decentralised model was a direct response to that privacy pachyderm. But security remains more than just a metaphorical idiom: it's a genuine concern for many, which is why SC Media UK decided to ask the security industry if these fears were well-founded.
Safety in numbers
So, let's start with the most straightforward question: how secure is the NHS test and trace app in the expert opinion of cybersecurity industry professionals?
The folk at Lookout ran an analysis of both the Android and iOS versions of the app and "found nothing alarming about the permissions or data transfer practices," EMEA technical director, Tom Davidson, told SC Media UK. "Having visibility into permissions and data handling practices of a mobile app is key for security teams that need to align with internal or external compliance requirements," he says.
And while it's still "too early to tell how secure it is," according to Morgan Wright, chief security advisor at SentinelOne and a former US State Department special advisor, visibility is something it has going for it as the code is open source. "That means it's subject to review, analysis, and allows crowdsourcing to discover vulnerabilities," Wright concludes.
Candid Wüest, VP of cyber protection research at Acronis, had been looking at the public code repository on GitHub and says, "from what I can see, the developers are fixing all identified problems."
The need for cyber flossing
One subject that cropped up repeatedly in our conversations was Bluetooth.
Ken Kolderup, CMO at the Bluetooth SIG, told SC Media UK that he was excited to see Bluetooth technology used “in ways where transparency, as well as user consent, privacy, and security, are central to the design”.
That didn't stop several security experts pointing to the threats.
Take Alex Archondakis, managing consultant for web application security at Pentest People, who says: "The main risks lie in a malicious actor finding a way to associate Bluetooth keys with the owner as they would be able to track interactions."
Or Josh Neame, technology director at BlueFort Security, who says there are "certainly risks of Bluesnarfing, when a hacker pairs with your device without your knowledge and compromises your data”.
Neame did admit that as we rely upon Bluetooth for so many different things already, he'd be hesitant to say the NHS app had introduced that risk. The trouble is, of course, that we know people, in general, are poor at applying security updates and patches – and it's people in general that will comprise the vast majority of the NHS app users.
"BlueFrag, for example, was patched in February 2020 in Android," Wüest says. This critical Bluetooth vulnerability impacted Android 8 and 9 users and enabled code execution. "If you have an unpatched device," Wüest continues, "an attacker nearby could easily take over your device and steal your personal data. Users need to update their devices' firmware to help avoid this, but the danger of unpatched vulnerabilities remains."
On the positive side, as Wright notes, there's a minimalist approach to collecting personally identifiable information, and all that PII resides on the phone itself, according to the NHS.
QR eye for a smartphone
But Wright says there remains an exploit risk, albeit not a very scalable attack vector, from the QR code part of the app: "It's possible to produce a QR code that points to a malicious site, or enables the insertion of malware."
David Critchley, director of UK & Ireland at MobileIron, is also concerned about the QR code risk. "The security controls surrounding QR scanning, now a legal requirement for track and trace, remain unclear," he says, "our latest data has shown that two thirds (66%) of consumers in the UK cannot tell if a QR code is malicious or not."
Because the app is based on the Apple and Google created, and decentralised, exposure notification framework, with neither location data nor PII stored centrally, the risk is at least contained to the device itself. As such, Trustonic CTO, Jason Hart, told SC Media UK, "this app does not increase your risk for breaches from what already exists by owning a mobile phone." By installing the NHS app, users are not compounding or enhancing the risk of data leakage.
Simeon Quarrie, founder and CEO at VIVIDA, summarises that as the app only gathers first names and the first half of a postcode, doesn't track location via GPS, and Bluetooth proximity to other devices and QR locations are only stored for 21 days, "this data alone will probably not be of much use to a cybercriminal." Which, again, is not the same as being risk-free. "The app itself is opening doors to other attack vectors," Quarrie warns, "smishing is one example, I have received text messages asking me to download the app, but have been sensible enough to ignore them."
SC Media UK has been keeping an eye on Dark Web cybercrime forums for vulnerability and attack campaign data focussing on the NHS app. The good news: both our research and threat intelligence experts revealed no evidence of malevolent chatter.
Morgan Wright did add that he "wouldn't expect to see any detectable activity unless and until a significant source of valuable data is established." For now, at least, it appears criminals regard it as a low-value opportunity. Matt Hancock can breathe a little easier. Until he can’t, of course.
Rahim Jina, COO and co-founder of Edgescan, says there is “evidence and some investigative research” to suggest that “COVID-related domains are being snapped up, likely with the intention of using them in forthcoming phishing scams”.
According to Hart, this is why you have to start thinking like a cybercriminal when it comes to assessing risk. “A potential angle for a threat actor is to conduct smishing or phishing attacks on the British public, claiming to be the NHS app and that they found a positive result," he says, "prompting the user to click on a malicious link to lead them to a cloned app, or a fake NHS website.” Such unsophisticated attacks can be highly successful when they use the fear and paranoia of a global pandemic.
When Okta researched more than 2,000 UK consumers into their thoughts about contact tracing app data, it found that 60% were comfortable providing location data if it helped stem the disease's spread. “From our findings,” Okta chief security officer Ben King says, "Brits are more willing than their European counterparts to do this.” This trust mustn't be abused, or that willingness could just as quickly evaporate.
“Risk versus benefit is always a trade-off,” King says, “there is never zero risk. This particular implementation is well researched, understood, and documented.” That conclusion is typical of the overall feeling that SC Media UK got from talking to a broad swathe of the cybersecurity industry.
Good enough – getting better
We'll leave the final words to Peter Yapp, a former deputy director of the National Cyber Security Centre and a partner at specialist cyber law firm Schillings.
“The very best security minds have been working on this app since the summer and have concluded that the app is good enough for release. The importance of its release, uptake and use far outweighs any lingering concerns over security which I am confident will be addressed over the coming weeks and months,” Yapp says, "details have been published on GitHub and the National Cyber Security Centre is actively encouraging security researchers to report any security issues (anonymously if necessary) to their HackerOne Vulnerability Disclosure Programme.”
Key advice for staff
- Download and use the app: the benefits (slowing the virus spread) outweigh the risks
- Keep phones’ firmware up-to-date to install all Bluetooth patches
- Remind staff to be QR savvy – and explain how
- Stay alert (sorry) for phishing and smishing activity