COVID-19 Contact Tracing Apps Attracting Hackers
As contact tracing ramps up for exposure to COVID-19, so too are concerns about data privacy and whether phony tracing apps will expand opportunities for attackers preying on citizens who voluntarily use tracing apps to help fight the spread of the novel coronavirus.
While data privacy debates continue across Europe and the U.S. about how best to implement contact tracing frameworks, especially how and where health data should be stored, early implementations are drawing scrutiny and skepticism. According to one cybersecurity survey released this week, U.K. citizens doubt the government can protect personal data collected by a National Health Service COVID-19 tracing app.
A study commissioned by cybersecurity vendor Anomali found that 43 percent of respondents are concerned the U.K. tracing app will expand attack surfaces for sending phishing emails and SMS, or “smishing” messages. Just over half of those surveyed said they would be able to distinguish a legitimate message from a phishing or smishing message.
A bit over one-third of respondents expressed concerns about government misuse of contact tracing apps to collect personal data or track users’ whereabouts.
The U.K. government began initial testing of the NHSX tracing app earlier this month on the Isle of Wight in hopes of launching a national effort. Contact tracing is widely used to slow the spread of infectious diseases, and the U.K. app is intended to automate the process.
The vendor study sought to gauge the vexing trade offs between privacy, security and the “greater good” potential of contact tracing. Contact tracing has been widely used in Asian nations to stem the pandemic, but a consensus among western healthcare experts is emerging that U.S. and European efforts must be voluntary to ensure “buy-in.”
Most experts favor a decentralized approach in which personal data is stored on devices rather than government databases. A French proposal for a centralized database has met with stiff opposition from privacy advocates.
The U.K. framework may be headed down similar path if the National Health Service fails to address data security concerns.
“At this stage, nobody knows where to get the NHSX app from, so it can be reasonably expected that consumers will be faced with floods of emails with bogus links to convincing looking domains to download the app from,” said Anomali’s Jamie Stone.
The company notes that domain registries for COVID-19 have skyrocketed since the pandemic was declared. “We’re already seeing thousands of rogue and spoof COVID-19 domains being registered and used in attacks,” Stone added.
Hence, “people using COVID tracking apps need to be extremely vigilant and aware, ensuring that they’ve installed official government apps and that they are interacting with authentic messages from the agencies.”
The security study highlights the difficult conflicts faced by public health agencies as they seek to enlist widely available technologies to automate collection of contact tracing data. Experts stress that the pandemic requires a “social contract” obligating the infected or exposed to share private data.
“We have a social obligation to create a set of rules” for handling private data collected through techniques like contact tracing, said C. Jason Wang, director of the Center for Policy, Outcomes and Prevention. “We’re talking about trade offs” in the midst of a pandemic.
The Anomali study results are based on a survey of 1,000 U.K. citizens between May 7-11.
