Securing the NHS C19 Contact Tracing App

The combined NHS Digital Taskforce, NHSX, recently beta tested the new UK Covid-19 contact tracing app on the Isle of Wight, and have released code to the cyber security community to review.

The app logs interactions with other bluetooth-enabled smartphones each day, and allows the NHS to notify users who have been in contact with self-reporting Covid-19 cases that they should re-enter isolation as a precaution.

A recent blog post by the UK National Cyber Security Centre identified a number of areas for improvement, with the contact tracing app itself expected to be officially released in June 2020.

 

The Pairing Problem

NHS servers ping the app every 8 seconds to confirm active connections, and the app itself records received signal strength indicators (RSSI) via Bluetooth to gauge where users have been in contact with each other. Users then upload their records if they experience symptoms.

Any attacker with access to this upload traffic, (which does not include the user ID but is unencrypted) could begin comparing submissions via start/end times and signal strength readings, and would theoretically be able to pair these users together.

This problem of uniquely identifiable pairs potentially compromises the identity of the individuals using the app, as well as their location history relative to each other.

The NCSC have confirmed that in the release version, even ‘anonymised’ RSSI data will itself be encrypted, to stop any third-parties attempting to ‘re-identify’ either or both of the users.

 

Intercepting the Public Key

In beta testing, the Authority’s Public Key was not transferred to the user’s phone via TLS encryption (like a secured web-page) raising the possibility that although the app could be downloaded successfully, this important piece of information used for submitting data could be compromised.

This would be akin to a kind of ‘man-in-the-middle’ attack, where a user’s encrypted uploads could be (even if not unencrypted) sabotaged or withheld during transmission back to NHS systems.

Security researchers have suggested that since this key is not secret, it should be wrapped into the installation of the app itself.

The NCSC have since confirmed that intermediate certificate pinning has been used to reduce the risk of this happening, and that this limitation will be fixed once the Isle of Wight trial ends.

 

Bluetooth Broadcast Values

The app operates via broadcast values with change every 24 hours to prevent a device being tracked by Bluetooth over longer periods of time. This is significantly longer than the industry standard 15 minutes.

However, more controversially, a predictable ‘KeepAlive’ counter is used to connect old and new broadcast values, raising the potential for an attacker to re-identify the user beyond the 24-hour limit.

The NCSC defends the longer-term tracing as necessary to establish social interactions more accurately, but has resolved to randomise the counter to stop broadcast values being easily matched or the user re-identified endlessly.

 

Whistleblowing

Under beta testing, the app’s original policy documentation contained the line: “You may not publicly disclose any details of the vulnerability [that you’re reporting] without consent from NHSX.”

This would have run counter to the NCSC’s own vulnerability disclosure policy, which suggests that members of the technology community should be encouraged to highlight system weaknesses (particularly during public consultation beta-tests) for correction.

This line is to be removed from the public release version.

 

For cybersecurity support & IT expertise, please contact our team today.