Analysis of the source code for the UK contact tracing app has revealed no fewer than seven security flaws.

One of these is that the random code assigned to users is only changed once a day, making it much easier to de-anonymize individuals …

This contrasts with the Apple/Google API, which assigns a new random code every 15 minutes.

The British government bowed to pressure from privacy advocates to make the source code available so that claims about the security safeguards could be independently verified. Two cybersecurity academics have now completed their review of the code, and their report highlights what they describe as ‘serious’ security flaws.

In this report we show the following.

  • In the presence of an untrusted TLS server, the registration process does not properly guarantee either the integrity of the authority public key or the privacy of the shared secrets established at registration. The result completely undermines core security goals of the protocol, including its privacy and its resistance to spoofing and manipulation.
  • In the presence of an untrusted TLS server, the storing and transmitting of unencrypted interaction logs facilitates the recovery of InstallationIDs without requiring access to the Authority Private Key.
  • Long lived BroadcastValues undermine BLE specified privacy protections and could reveal additional lifestyle attributes about a user who submits their data.
  • The monitoring of interactions at 8 second intervals could create unique interaction signatures that could be used to pairwise match device interactions, and when combined with unencrypted submission, allow the recovery of InstallationID from BroadcastValue without access to the Authority Private Key.
  • The use of a deterministic counter to trigger KeepAlive updates risks creating an identifier that could be used to link BroadcastValues over multiple days.

Business Insider describes the implications in less technical terms.

The vulnerabilities include one which could allow hackers to intercept notifications and either block them or send out bogus ones telling people they’ve come into contact with someone carrying COVID-19 […]

Privacy researcher Samuel Woodhams told Business Insider the report shows the UK’s decision to build a centralized app needs a “substantial rethink.”

“As the report shows, the current approach considerably increases the risk that sensitive data collected by the app will be exposed or manipulated. By only generating a random ID code once a day, the risks of identifying an individual are dramatically increased. This could have significant repercussions for users’ privacy and lead to serious real-world consequences,” Woodhams said.

The UK contact tracing app is currently being trialled on the Isle of Wight. Adoption has now reached more than 50% of the population, an impressive result but still substantially below the 80% adoption epidemiologists say is needed.

The team estimates that 56% of the general population must use the app to halt the coronavirus outbreak. Prof Fraser said that equated to 80% of all existing smartphone owners, based on data from Ofcom.

The UK is currently considering a rethink that would see the app switch to using the Apple/Google API which has eight privacy safeguards.

FTC: We use income earning auto affiliate links. More.

Incipio Organicore iPhone case

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy's favorite gear