Well-intentioned contact tracing applications were built to slow the spread of the virus, but have opened up a raft of data privacy and security concerns. Casey Ellis, Founder & CTO at Bugcrowd says when you consider the speed and pressure that these developers are under, it’s a given that mistakes will happen that lead to vulnerabilities. Here, Ellis says multiple organizations need to work together to ground safety and privacy into these apps to neutralize COVID-19 cyber threats and data breaches.
It is no secret that smartphones have become useful in ways we would never have dreamt about 20 years ago, especially as they pertain to our health — from counting our steps to tracking our sleep hours, blood pressure, and more. Therefore, it was hardly surprising when several tech companies, including Google and Apple, announced they would provide technology for these smartphone apps to help conduct contact tracing applications. Â
In March 2020, as state and city governments around the world started to mandate the shelter in place orders to contain the growing spread of coronavirus, new applications for contact tracing began to emerge from several regions: The U.S., U.K., Korea, and Canada, to name a few. Tech giants, Apple and GoogleOpens a new window , announced they were partnering with COVID-19 contact tracing technology providers, “to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.â€
In the U.S., these apps have only been available for a few months. Still, in the mad dash to get to market and help stem the coronavirus pandemic’s tide, the products have been rife with breaches, vulnerabilities, and privacy issues, which has compromised the efficacy and the spirit of contact tracing for COVID-19. Â
App developers must partner with outside security researchers to ensure their apps are secure before going to market, and of course, even after the apps go live.Â
What is Contact Tracing?
According to the Center for Disease Control (CDC), “Contact tracing is used by health departments to prevent the spread of infectious disease and involves identifying people who have a contagious disease and people whom they came in contact with and working with them to interrupt disease spread, including asking people with COVID-19 to isolate and their contacts to quarantine at home voluntarily.â€
Data Breaches & Privacy Issues Threaten to Derail Contact Tracing Apps
Despite good intentions, security issues and concerns began appearing in these contact tracing apps soon after arriving on the market. This also included a lack of security oversight and testing, which caused some real missteps.Â
For instance, Care19, a smartphone app developed by North Dakota, was caught sending user location to data to Foursquare. It took a few months, but the privacy app developer who discovered the leak announced in early June 2020 the issue had been resolved: “Care19 shared with us on June 3rd, that the new version of their app (3.3) was no longer sharing users’ IDFA to Foursquare.â€
According to a PoliticoOpens a new window  report on a study of 17 government-sponsored contact tracing apps, mobile app security firm Guardsquare found that less than a third had a kind of encryption that protects sensitive information in the source code, and less than half could detect when attackers access restricted data on the phone. In especially chilling testimony, Politico also stated that “The flaws could also have allowed hackers to tamper with data to make it look as if users of the app were either violating quarantine orders or still in quarantine despite being somewhere else.â€
In the Qatar Covid-19 app, researchers found a vulnerability that might have allowed cybercriminals Opens a new window to obtain more than a million people’s national ID numbers and health status. India’s coronavirus cell phone app revealed a flaw in that it allowed cybercriminals to determine who was sick in individual homes – opening up the potential for crime in the “real world.â€
And not to be outdone, researchers uncovered no less than seven security flaws in a pilot app in the U.K.
Learn More: Political Cost of Data Leaks: Data Security in the Crosshairs
How Contact Tracing Should WorkÂ
Kelvin Coleman, executive director of the National Cyber Security AllianceOpens a new window , a public-private partnership that works with the Department of Homeland Security (DHS), reported that contact tracing is an integral part of the fight against the spread of COVID-19. However, the cybersecurity community and government organizations and developers must work together to create a vulnerability disclosure program (VDP).
While artificial intelligence and other security solutions have a role in reducing cyber risk for any app that goes on the market, utilizing the element of human ingenuity, such as career hackers, is another way to add to the security effectiveness of contact tracing applications. These hackers can perform penetration testing that can expose the apps’ vulnerabilities — before they go to market. Â
Why are humans so crucial to the security development lifecycle? Experience allows ethical hackers to recognize vulnerabilities that represent a real risk — without the false positives that typically come with security technologies such as AI-powered solutions.
After all, the best way to beat an attacker is by thinking like one.
Most importantly, because these apps contain voluntary and private patient data, Coleman stated it is essential for developers of these apps to allow users to opt-in or out of the programs before their personal information is shared.
Learn More: In Privacy-First Era, MSSPs Can Push the Data Protection Envelope
Compliance and Data Privacy Laws
The recent issues with contact tracing apps have shined a light on the importance of today’s data privacy laws, such as GDPR and CCPA. These laws offer consumers the right to access any personally identifiable information (PII) a business might have procured. Often these organizations will use consumer PII for marketing and sales purposes. Thanks to GDPR and CCPA, and the like, consumers now have the right to access and restrict their PII use. COVID-19 app developers can ease privacy concerns through transparency about the data they collect by allowing users to opt-out.Â
They can also employ ethical hackers to catch security vulnerabilities before a malicious hacker does – as the best way to defeat a human attacker is simply by thinking like one.Â
Contact tracing has the potential to be a real windfall for health and government officials looking for a way to contain the coronavirus. However, speed is often the enemy of security, and, while there is an urgency for these apps, the push to go public without due diligence has done considerable harm. The upshot is that contact tracing apps do not have to impede citizens’ privacy rights to achieve their objectives – by adding a security and vulnerability testing before they go to market, these apps can become an essential part of the fight against coronavirus.
While simultaneously improving their apps’ security, developers will need to prove that consumers’ privacy is preserved. Implementing a vulnerability disclosure program (VDP) gives developers a robust intake method for security researchers’ findings and makes security fixes based on these findings achieves this.
Let us know if you liked this article or tell us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!