Though the defects have since been fixed, experts say that they could have let attackers retrieve the names and locations of people under quarantine. In addition, they could have also allowed hackers to tamper with the data to make it look like users of the app were violating quarantine orders or still in quarantine despite having gone somewhere else.
In April, authorities in South Korea began requiring all visitors and residents arriving from outside the country to isolate themselves for two weeks. To assist in monitoring compliance, authorities had them install an app whose name in Korean translates to Sel-Quarantine Safety Protection.
Anyone caught violating the quarantines, through the app or otherwise, might be required to wear tracking wristbands or pay steep fines.
By June, the app, which tracks users’ locations to ensure that they remain in quarantine areas, has been download by more than 162,000 people.
The security flaws in the app were discovered by Frederic Rechenstein. The Seoul-based software engineer had just returned from a trip abroad, which resulted in his quarantine. In his boredom, he had decided to take a look at the app’s code to see how it works, leading to his discovery of the security flaws.
According to Rechenstein, the app was assigning users easily guessable ID numbers. This meant that hackers could easily figure out a user’s credentials and use it to access their data.
In addition, he stated that the app’s developers had used an insecure form of encryption to scramble the app’s communications with the central server where data was stored.
Instead of using HTTPS, the security standard used by most other apps, the quarantine app’s encryption key, was directly into its code. This meant that the code never changed depending on the message being sent of the user sending it. Even worse, the key used was far from random: It was just “1234567890123456.”
These security flaws meant that it would be quite easy for hackers to steal a user’s data once they got the key.
In addition, these security flaws would have also allowed hackers to make it look like a user was breaking quarantine rules by making unauthorized trips out of their homes. On the other hand, a hacker under quarantine could also use it to make it look like he was staying at home, even if he was making trips outside.
In response to the discovery of the flaw, South Korean authorities have apologized, admitting that the speedy rollout of the app was the main reason the flaws weren't found before its release.
“We were really in a hurry to make and deploy this app as quickly as possible to help slow down the spread of the virus,” admitted Jung Chan-hyun, an official at the Ministry of the Interior and Safety’s disaster response division, which oversees the app. “We could not afford a time-consuming security check on the app that would delay its deployment.”
The ministry has since fixed the security flaws in the latest version of the app via an update released last week. In addition, officials have also stated that they had not received any reports of personal information being stolen using the app.
South Korea is far from the only country that has turned to smartphone apps to help fight the coronavirus. Other countries have done the same as well.
Just like in South Korea, however, some of these country’s apps have also come under scrutiny following the discovery of security flaws in them.
This spring, a report by The New York Times found that a coronavirus tracking app used in the Indian state of Maharashtra could leak users’ precise location. This prompted the government to resolve the problem.
A similar thing also happened in Qatar, where the country's own mandatory contact tracing app was found to have security flaws that could leak the personal details of Qatari citizens to hackers.
“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited. This vulnerability was especially worrying given use of the EHTERAZ app was made mandatory last Friday,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab, which found the flaws.
Australia too suffered similar issues with its coronavirus contact tracing app. Not only did vulnerabilities in the app leave users’ data open to being stolen by hackers, but the app itself was also found to be vulnerable to denial-of-service attacks.
The Australian government has since tightened restrictions around the data in the app.
These issues with coronavirus apps highlight the risks of quickly pushing technology in the fight to stop the pandemic. In a rush to get these apps out, certain issues may be getting overlooked, leaving users’ data vulnerable to hacking.
Learn more about how governments around the world are using technology to slow the spread of the coronavirus at Pandemic.news.
Sources include: