As tech giants like Apple and Google plan COVID-19 contact tracing app using the Bluetooth technology, security researchers have questioned the move, saying tracing apps that allow attackers to access a users Bluetooth also allows them to fully read all Bluetooth communications.
The Apple-Google contact tracing system uses Bluetooth to identify and list phones users in your circle and if owner of one of those phones gets infected with COVID-19, you will receive an alert.
In Singapore, the government has urged people to download and use the Trace Together app – a Bluetooth-enabled contact tracing application developed by the Government Technology Agency, and mentioned that other apps are also being developed.
According to Niels Schweisshelm, Technical Programme Manager, HackerOne which is San Francisco-based bug bounty platform, the entire attack surface of these contact tracing applications has to be properly investigated.
“The potential privacy concerns surrounding these contact tracing solutions should remind governments developing them that the security community will scrutinise these apps more than any app in recent years,” Schweisshelm told IANS.
Android recently released a patch for a critical vulnerability related to the implementation of the BT protocol.
This vulnerability allowed an attacker to remotely take over specific Android devices without any required user interaction from the victim. This vulnerability was responsibly disclosed to the vendors and, therefore, not exploited by malicious threat actors.
“This does, however, demonstrate that the protocol and its implementation used by these contact tracing apps up until recently suffered from a critical vulnerability,” informed Schweisshelm.
Joshua Berry, Associate Principal Security Consultant at Synopsys Software Integrity Group, said that contact tracing applications use Bluetooth Low Energy (BLE) advertisements to send and collect messages to identify contacts made with other users.