Laughable security flaws identified in NHS contact tracing app

Nhs Contact Tracing (Image credit: NHSX)

What you need to know

  • Security experts have exposed laughable flaws in the NHS' contact tracing app.
  • Source code analysis revealed seven holes.
  • Staggeringly, the random ID code used to protect user privacy only changes once every 24 hours, and the beta for the app was published before encryption was finished.

A security report based on source code analysis of the NHS' contact tracing app has revealed several serious security flaws in the software.

As reported by Business Insider:

The UK government's contact-tracing app has got a number of serious security flaws according to cybersecurity experts who analyzed its source code. A report by two cybersecurity experts, Dr. Chris Culnane and Vanessa Teague, was published on Tuesday. They identified seven security risks around the app, which is currently being trialled on the Isle of Wight and is supposed to be rolled out to the rest of the UK in the next week or two.

The report in question comes from State of It and two cybersecurity experts based in Australia. To the app's credit, the report notes that the UK's effort has better mitigation than Singapore's and Australia's apps. However, the authors remain unconvinced that "the perceived benefits of centralized tracing outweigh its risks."

As summarized by Business Insider:

The vulnerabilities include one which could allow hackers to intercept notifications and either block them or send out bogus ones telling people they've come into contact with someone carrying COVID-19. The researchers also noted that unencrypted data stored on users' handsets could feasibly be accessed by law enforcement. Although the UK government has insisted the data would be used for nothing other than its COVID-19 response, a group of 177 cybersecurity experts have already called on it to introduce safeguards protecting the data from being repurposed for surveillance.

Not only that, but staggeringly, the rotating random ID code which is used to protect users' privacy only changes once a day. By comparison, Apple and Google's API does this every 10-20 minutes.
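To make the rotation interval concrete, here is an added example (not code from the report, the NHS app, or Apple and Google's API) that measures what a passive receiver can link using only the broadcast value. The HMAC-based ID derivation, the device keys and the sightings are constructed assumptions for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

DAILY = 24 * 60 * 60      # rotation once every 24 hours
QUARTER_HOUR = 15 * 60    # a value inside the 10-20 minute range


def broadcast_id(device_key: bytes, t: int, rotation_s: int) -> str:
    """ID a device broadcasts at time t (seconds since midnight).

    Assumed derivation: HMAC over the index of the current rotation period,
    so the value is stable within a period and unlinkable across periods.
    """
    period = t // rotation_s
    mac = hmac.new(device_key, period.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:16]


def linkability(sightings, rotation_s):
    """Group sightings by the broadcast value alone, as an observer would.

    Returns (distinct_ids, largest_group, longest_span_seconds).
    """
    seen = defaultdict(list)
    for t, key in sightings:
        seen[broadcast_id(key, t, rotation_s)].append(t)
    largest = max(len(ts) for ts in seen.values())
    span = max(max(ts) - min(ts) for ts in seen.values())
    return len(seen), largest, span


def at(hour: int, minute: int) -> int:
    return (hour * 60 + minute) * 60


# Constructed sample: device A is seen at seven places over one day,
# device B twice within five minutes.
A, B = b"constructed-key-A", b"constructed-key-B"
SIGHTINGS = [
    (at(8, 0), A), (at(8, 10), A), (at(8, 40), A), (at(9, 10), A),
    (at(13, 0), A), (at(18, 30), A), (at(23, 0), A),
    (at(9, 0), B), (at(9, 5), B),
]

if __name__ == "__main__":
    for name, rotation in (("24 h", DAILY), ("15 min", QUARTER_HOUR)):
        ids, largest, span = linkability(SIGHTINGS, rotation)
        print(f"{name}: {ids} IDs, largest group {largest}, span {span} s")
```

With daily rotation all seven sightings of device A collapse onto one value spanning 15 hours; with 15-minute rotation only sightings inside the same window remain linkable.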

In a further, perhaps even more shocking revelation, the National Cyber Security Centre published a response to the report, noting the following on encryption:

The beta version of the app doesn't encrypt the proximity contact event data on the phone, and we don't independently encrypt it before sending to the server. So when it's transferred to the back end, it's protected only by TLS. If Cloudflare went bad (or someone compromised them), they could get access to that proximity log data. The NHS team absolutely understand that data has value and needs to be protected properly, but encryption of the proximity logs just couldn't be done in time for the beta. This will be fixed and will in addition mitigate the physical access to logs above.

"Just couldn't be done in time for the beta." Rather than delay the release of the beta so that they could, you know, encrypt the data, NHSX just pushed the app out anyway. Great work everyone.

The report states in conclusion:

There are admirable parts of the implementation and once the already mentioned changes and updates are made, many of the concerns raised in this report will have been addressed. However, there remains some concern as to how privacy and utility are being balanced. The long-lived BroadcastValues, and detailed interaction records, remain a concern. Whilst we understand that more detailed records may be desirable for the epidemiological models, it must be balanced with privacy and trust if sufficient adoption of the app is to take place.

Stephen Warwick
  • Which is why I've said I won't install it. The vindication is bittersweet.
  • Which is why you will stand a higher chance of killing someone. Selfish to the last. Indeed, bittersweet.
  • Haha I haven't left my house in the last 2 months except to throw away rubbish. I've cut deliveries to the bare essentials. I'm fairly sure it's been 4 weeks since my last face to face interaction which was with a delivery guy who chose to ignore the distancing protocols and hand me the package. Who am I going to kill, exactly? This article is literally about how this app is unsafe to install. How thick are you? It would be irresponsible to willingly compromise your phone's security by installing an app you know is compromised. Your name is apropos... Damn trolls get into everything lol.
  • Complete and total rubbish, the reason for the app is to make it look like the government is doing something, the same reason why smart meters are being pushed onto people, so it looks like the government is doing something to help the environment and it will do nothing whatsoever.
    The App is a lie, and will not solve any problems, nor will people not using it have any higher chance of killing someone who don't use it.
    What about people who do not have a smartphone? In my job if I had the app on my phone, it may ping a lot and then also will then colleagues' phones, so we close the place down and all go home? Saying that I don't have my phone with me at work, I leave it in my locker, it is safer in there. I have been reading about this app and I am amazed at how they have gone about it, in that if installed on an iPhone, it needs an Android phone to wake it up, it also drains the battery. It is useless, but then most of us knew it would be because anything technology wise the UK government have their hands in mucks up. The other problem is the people who have their hands in this app and that will put some public off.
    It will not be going on my phone, fend or please.
  • People also have a higher chance of killing someone every year when the flu comes around for those with compromised immune systems but we don't shut down the entire US every year around flu season. This is nothing more than a scare tactic for a virus with a north of 98% survival rate. Take off the tinfoil hat. 
  • This is what some people forget, Flu can be awful and as you said can die, I had flu once, and I never want it again.
    I am not saying this Covid is not bad, it seems to jump from person to person unlike any other virus, but I do wonder if the numbers of the people that have died are correct. It seems to be easy just to put covid on the death certificate
  • And this is just one of the main reasons this will never work in the US. Everyone wants to have their hand in the pot and always has these p*** poor implementations. 
  • People wanting their hands in the pot seems to be a worldwide thing, not just in the U.S