Securing the NHS C19 Contact Tracing App

The combined NHS Digital Taskforce, NHSX, recently beta tested the new UK Covid-19 contact tracing app on the Isle of Wight, and have released code to the cyber security community to review.

The app logs interactions with other Bluetooth-enabled smartphones each day, and allows the NHS to notify users who have been in contact with self-reporting Covid-19 cases that they should re-enter isolation as a precaution.

A recent blog post by the UK National Cyber Security Centre identified a number of areas for improvement, with the contact tracing app itself expected to be officially released in June 2020.

 

The Pairing Problem

NHS servers ping the app every 8 seconds to confirm active connections, and the app itself records received signal strength indicators (RSSI) via Bluetooth to gauge where users have been in contact with each other. Users then upload their records if they experience symptoms.

Any attacker with access to this upload traffic (which does not include the user ID but is unencrypted) could begin comparing submissions by start/end times and signal strength readings, and would theoretically be able to pair these users together.

This problem of uniquely identifiable pairs potentially compromises the identity of the individuals using the app, as well as their location history relative to each other.

The NCSC have confirmed that in the release version, even ‘anonymised’ RSSI data will itself be encrypted, to stop any third parties attempting to ‘re-identify’ either or both of the users.

 

Intercepting the Public Key

In beta testing, the Authority’s Public Key was not transferred to the user’s phone via TLS encryption (like a secured web page), raising the possibility that although the app could be downloaded successfully, this important piece of information used for submitting data could be compromised.

This would be akin to a kind of ‘man-in-the-middle’ attack, where a user’s encrypted uploads could be sabotaged or withheld (even if not decrypted) during transmission back to NHS systems.

Security researchers have suggested that since this key is not secret, it should be wrapped into the installation of the app itself.

The NCSC have since confirmed that intermediate certificate pinning has been used to reduce the risk of this happening, and that this limitation will be fixed once the Isle of Wight trial ends.

 

Bluetooth Broadcast Values

The app operates via broadcast values which change every 24 hours to prevent a device being tracked by Bluetooth over longer periods of time. This is significantly longer than the industry standard 15 minutes.

However, more controversially, a predictable ‘KeepAlive’ counter is used to connect old and new broadcast values, raising the potential for an attacker to re-identify the user beyond the 24-hour limit.

The NCSC defends the longer-term tracing as necessary to establish social interactions more accurately, but has resolved to randomise the counter to stop broadcast values being easily matched or the user re-identified endlessly.
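
The linkage described in this section, as an added simulation that is not NHSX or NCSC code: it compares how many devices an observer can follow across a broadcast-value rotation when the KeepAlive counter carries on predictably and when it is randomised. The 16-bit counter, the increment-by-one behaviour and all identifiers are assumptions constructed for the illustration.

```python
import random

COUNTER_MOD = 2 ** 16  # assumed counter width; the page does not give one


def rotate(before, rng, randomise):
    """Simulate the 24-hour rollover for every device.

    before maps old broadcast value -> last KeepAlive counter observed.
    Returns (after, truth): after maps new broadcast value -> first counter
    observed; truth maps old value -> new value (known only to the simulation).
    """
    after, truth = {}, {}
    for old_value, last_counter in before.items():
        new_value = "%032x" % rng.getrandbits(128)  # constructed identifier
        if randomise:
            first = rng.randrange(COUNTER_MOD)  # fix: counter restarts at random
        else:
            first = (last_counter + 1) % COUNTER_MOD  # counter simply carries on
        after[new_value] = first
        truth[old_value] = new_value
    return after, truth


def link(before, after):
    """Observer's view: join old and new values whose counters are consecutive.

    Only unambiguous matches (exactly one candidate) count as a link.
    """
    links = {}
    for old_value, last_counter in before.items():
        expected = (last_counter + 1) % COUNTER_MOD
        candidates = [v for v, c in after.items() if c == expected]
        if len(candidates) == 1:
            links[old_value] = candidates[0]
    return links


def linked_fraction(n_devices, randomise, seed=1):
    """Fraction of devices correctly followed across one rotation."""
    rng = random.Random(seed)  # seeded for a repeatable demo; not a CSPRNG
    counters = rng.sample(range(COUNTER_MOD), n_devices)  # distinct counters
    before = {"%032x" % rng.getrandbits(128): c for c in counters}
    after, truth = rotate(before, rng, randomise)
    links = link(before, after)
    correct = sum(1 for old, new in links.items() if truth[old] == new)
    return correct / n_devices


if __name__ == "__main__":
    print("predictable counter:", linked_fraction(50, randomise=False))
    print("randomised counter: ", linked_fraction(50, randomise=True))
```

With distinct starting counters the predictable case links every device, while the randomised case leaves only chance matches.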

 

Whistleblowing

Under beta testing, the app’s original policy documentation contained the line: “You may not publicly disclose any details of the vulnerability [that you’re reporting] without consent from NHSX.”

This would have run counter to the NCSC’s own vulnerability disclosure policy, which suggests that members of the technology community should be encouraged to highlight system weaknesses (particularly during public consultation beta-tests) for correction.

This line is to be removed from the public release version.

 



WhatsApp, Messenger and Instagram to Merge Messaging

Facebook has announced plans to merge WhatsApp, Messenger and Instagram’s messaging capabilities.

The social media technology giant plans for interoperable communication between each platform, although the development is stated to be the start of a “long process” and the apps will remain independent.

The consolidation may be good news for consumer-facing businesses, as dramatically more of the world’s smartphone chat users are centralised under a common standard for instant messaging.

WhatsApp released a Business version in 2018, suggesting that the chat software provider believes the public will increasingly seek to engage with businesses directly via such chat apps in preference to traditional methods such as email or phone call.

WhatsApp (over 1.5 billion active users globally), Facebook Messenger (1.3 billion) and Instagram (1 billion) will easily represent the largest collective chat application user base in the world, and the most popular across Europe, Africa, North America and South America.

The coagulated mass (WhatsMessengerGram?) will also allow Facebook to better compete with Google’s unified Messenger App and Apple’s iMessage platforms, as well as further challenge regionally strong chat applications with tertiary functions – such as payment-transferring WeChat, preeminent among Chinese smartphone users.

Facebook’s project is set to be completed later during 2019.



Are Microsoft Teams and Skype for Business about to merge?


Teams and Skype for Business, Microsoft’s two key communication applications, may be about to merge, following a series of leaked hints from the Office 365 message centre.

Microsoft Teams, Redmond’s answer to the easy-use messaging and group sharing apps for business (think Slack, or Basecamp) that have seen massive growth in popularity, already looks visibly similar to the Skype for Business client on Mac, and it’s easy to imagine the two becoming a single, powerful unified communications product.

Quite whether Skype for Business or Teams would be cut is an interesting dilemma. Despite a slow start, Skype for Business has proved very successful in the telecoms world – expanding to cover video conferencing, Outlook calendar integration and other established business functions, whilst Teams is still in its early stages.

Microsoft Teams though is clearly closer in concept and execution to the ‘appy’, casual platforms that, quite frankly, Microsoft wishes it was as cool as. This is also where the unified communications industry is heading generally: mobile friendly, cross channel communication apps with unimaginable technical wizardry happening unseen in the cloud.

Believe it or not, Slack has been around since 2013. Basecamp even longer. ShoreTel recently announced the new ShoreTel app, replacing their old mobility client with a mobile friendly, cross-platform, cloud-based, messaging and VOIP collaboration platform. Microsoft (traditionally very slow to any new party) must surely arrive eventually.

This is in part because the generation that have grown up with WhatsApp and Facebook Messenger simply don’t see messaging and audio as separate realms, and are noticeably more open to the idea of a business application with something of the ‘look and feel’ of social media.

Merging the two makes excellent commercial sense for the unstoppable business behemoth that is Microsoft, and would park the tanks on several lawns at once.

 



How to Fix emails stuck in iPhone Outbox

If you’ve received an “Unsent Message” status in the iOS mail app on your iPhone or iPad, it could be because you have emails stuck in your outbox, with mail refusing to send correctly.

As always, it’s worth firstly re-booting your device (something most of us won’t normally do more than once or twice a week) to check whether the problem persists. This will prompt iOS both to refresh the mail app, and install any necessary updates from Apple.

You can attempt to send the email again by going to the outbox, selecting the message with the red [!] warning icon, and touching the send command to re-send the message. If your connection dropped whilst sending, this can be used to prompt a successful second attempt when the connection is restored.

If your outgoing email still remains stubbornly unsent, it may be best to delete the un-sent email and re-draft (some artful copy-pasting can alleviate this frustration considerably) by selecting the failed email in the outbox, choosing ‘edit’ and choosing ‘trash.’

Should your device remain uncooperative, putting it into ‘Airplane Mode’ should turn off wireless connection searching – which can help Mail stop searching for a way to send the email, and give you the chance to ‘trash’ the offending draft.



WhatsApp Encryption Launches

 

Popular messaging app WhatsApp have launched end-to-end WhatsApp encryption for over one billion users.

The new security capabilities introduced by the Facebook-owned company ensure that every message remains encrypted during transmission, preventing even WhatsApp from reading user data.

With encryption and technological privacy issues regularly appearing in recent news headlines, the WhatsApp encryption upgrade comes at just the right moment for the security-concerned, after more than two years of delays in development across multiple platforms.

Much like during Apple’s recent legal dispute with the FBI, the move would also prevent the release of confidential user data following a court order. According to reports from the New York Times, the technology provider is already in a longstanding dispute with the US Department of Justice over user data.

WhatsApp are making it clear they support absolute user privacy, with “not even WhatsApp” able to read the encrypted data, and users able to verify their connections are secure via a 60-digit code or QR code swap.

From today, the WhatsApp conversation screen will now display an official notification to all users – confirming that their messages are encrypted successfully.

 



Smartphone banking app malware hacks SMS codes


A dangerous new banking app malware has successfully bypassed smartphone security used by some of the world’s biggest banks.

Customers of Australia’s four biggest banks, and numerous New Zealand banks, have all been declared at risk from the malware, which activates when using a banking app, copying details from login screens.

Most worryingly, the malware can also divert two-factor authentication codes sent to a given smartphone by SMS – and pass the code to criminals, breaking a tried and trusted system used by many online financial apps around the world.

ESET security systems (commonly deployed by commercial clients for server and endpoint security) recently detected the extremely sophisticated malware, which downloads via fake Adobe Flash windows on video streaming websites.

On Android, personal users can uninstall the malware manually via Settings > Apps > Flayer > Uninstall, and are advised to only accept approved downloads from trusted public sources such as Google Play.

Commercial clients should take similar precautions against banking app malware and similar, protecting company devices behind specialist security systems.

 



£2.50 Freedom 251 Smartphone Launches

 

Smartphone manufacturer Ringing Bells has launched a £2.50 Smartphone, the Freedom 251, aimed at bringing mobile access to rural parts of India.

The Freedom 251, which costs only 251 rupees, runs on Android and features a 1.3GHz quad-core processor, 8GB of memory, and front and rear facing cameras.

As the second largest mobile phone market in the world, India is already estimated to have around 236 million mobile users – but this is expected to grow to a staggering 317 million during 2017.

Part of that growth includes tailoring the system to the needs of users in rural India – the Freedom 251 will include software aimed at farmers and fishermen, elderly users needing medical assistance, and even includes an app for ‘women safety’.

Wider connectivity is not only expected to bring economic benefits for Indian consumers, but also to third parties – with the £2.50 price reflecting an already heavy subsidy from interested companies looking to be the first to reach India’s newest smartphone customer base.

A smartphone for less than the cost of a cup of tea? Welcome to the future.

 



Teachers Rejoice! Apple Education Package Launched

 

Apple have finally announced that iOS 9.3 will include special support for schools and colleges.

Using iOS 9.3, each student can be given a unique Apple ID that is compatible with any iPad in a classroom, allowing for the use of any device from a pool of shared school iPads. The Apple education package IDs themselves are maintained through Apple School Manager, a web-based control panel giving admins control over the system.

Apple’s new ‘Classroom’ App allows teachers to launch any app on every shared device in a room at once, and guide students through educational materials. A ‘Screen View’ function keeps an eye on what’s on every student’s screen, allowing teachers to prevent distractions from learning.

For students assigned the same tablet each day, a caching system holds work and resources, and gives a photo login procedure so that each child can find their usual device easily.

More than 70% of UK primary and secondary schools now use tablet computers as part of their ICT tools – including ‘Bring Your Own Device’ (BYOD) schemes. So far, however, schools have had to find a good reason to justify the extra expense for Apple’s high-quality iPad devices over cheaper rivals.

By offering cleverly designed software support for the classroom environment, Apple may have just provided that justification.

 



Why your AirDrop isn’t working (and how to fix it)


AirDrop must be prompted to recognise older Apple devices

Apple’s AirDrop tool has been a much praised addition to Apple’s software lineup – allowing Mac users to wirelessly transfer files from one Apple device to another in close proximity.

However users often report that their new Mac is unable to ‘see’ adjacent Mac devices, preventing them from using AirDrop.

The solution is surprisingly simple: look to the bottom of the AirDrop window on the newest manufactured device, where a small link reads “Don’t see who you’re looking for?” Clicking this opens a new option, “Search for an older Mac”, which widens the search to older devices running OS X or iOS.

There’s been no explanation from Apple as to why AirDrop is set up in this way, but enabling ‘Search for an older Mac’ allows a 2015 MacBook to find a previously invisible 2011 MacBook with ease, allowing you to begin transferring files.

Happy AirDropping!

 



iPhone 6S, 6S Plus and iPad Pro Release: Apple stays ahead of the pack


This week saw the hotly anticipated release of the iPhone 6S and 6S Plus, Apple Inc’s flagship smartphone announced in their annual product release that has become as inevitable as the tides.

With the iPhone now accounting for something close to 70% of Apple’s revenue, the 6S and 6S Plus were the main attraction. The new design fixes old durability problems with a stronger case and tougher screen, but added features include the obligatory faster processor, a new rose gold colour choice, and an upgraded 12MP camera – all aimed at keeping ahead of the competition, at least when it comes to performance.

‘3D Touch’ is Apple’s newest technical innovation, making the screen of the company’s newest devices pressure sensitive. This gives users the illusion of screen depth by accurately judging the strength of the screen press, allowing for new capabilities like a ‘peek’ at an app with a gentle touch, and giving Apple another technical edge with which to play the long game.

Not that Apple’s thinking hasn’t been questioned: commercial clients may find the power to shoot high resolution 4k video enticing, but will likely be sceptical at how practical it is to save such high-quality video files on a smartphone.

Indeed, for a company whose founder’s dislike of the stylus is well documented, releasing a large tablet with a stylus appears an open invitation for criticism. Nevertheless this is exactly what Apple have now done, introducing the new iPad Pro, a 12.9 inch tablet, ostensibly optimised for creative use by designers, illustrators and other editors needing a larger screen.

The demonstration of the iPad Pro included the new $99 (£65) stylus, the Apple ‘Pencil’, effortlessly photoshopping a woman’s smile on screen, an illustrative but perhaps ill-chosen example that somehow made it through Apple’s press office without ringing media alarm bells. Appropriate use aside, the technology is nevertheless impressive: the Apple Pencil combined with 3D Touch allows pressure sensitive brush strokes on screen drawn with great precision.

This year’s releases represent Apple maturing a little, yet still relying on groundbreaking technical features to stay ahead of the curve. Apple Inc. shares actually slid two percent to close lower on Wednesday, with investors holding their breath to see whether the new products were enough to really ‘impress’ customers. The tech giant has arguably sacrificed some of the flamboyance of previous years’ releases to concentrate on the innovation needed to outpace rivals, and open more important doors for its own future, including in the form of its renewed invasion into our living rooms with the new Apple TV and tvOS complete with the long heralded AppStore.
