With the world still reeling from the global COVID-19 pandemic, there has been a push to develop smartphone apps that are able to track the spread of the virus. While the development of such apps could immensely help the world slow the spread of COVID-19, it is also opening up smartphones to the risk of hackers.
Researchers working with the Qatar COVID-19 app have discovered a vulnerability that would make it possible for hackers to obtain the ID numbers and health status of more than a million people. Likewise, researchers connected to India’s app have learned of a security gap that let them discern who was sick in individual homes. Security risks have also been found in the U.K.’s app.
Here in the U.S., we’re just beginning to use contact tracing apps and unfortunately, there has already been at least 1 known data leak. In May 2020, an app being used in North Dakota, Care19, was found to be sending the user’s location data to Foursquare, a digital marketing service. Thankfully, this problem has since been corrected.
With these known leaks, it’s no wonder that one of the main debates surrounding the use of contact tracing apps has centered on the data the apps collect, who should have access to it and the risk(s) to said data.
The desire to push contact tracing apps so quickly is the hope that they will be able to achieve flattening the curve of outbreaks in any given area. The concern and fear surrounding the spread of COVID-19 has led to developers lessening stress-testing and security methods; thus, making it easier for hackers to access the data.
Moreover, experts in cybersecurity and researchers feel that the data collected by contact tracing apps is especially attractive to hackers, “hacktivists” and cybercrime gangs.
There are several countries, including France, that have actually done extensive tests to ensure hackers are unable to access their app’s data. However, the U.S. is not among this list. In fact, experts say that Congress hasn’t even been able to agree on which security methods to utilize for contact tracing apps; therefore, the U.S. doesn’t currently have a national tracking app.
Even though there have been issues with agreeing on security methods and a lack of a national contact tracing app, lawmakers have been hard at work trying to push for an app to begin development. There have been 3 bills introduced but, so far, all 3 have been met with partisan division. Particularly there have been concerns over data protection.
As of now, Congress has left it up to individual states to develop their own app(s) for contact tracing. Which means that every state could have its own security problem. Additionally, companies who specialize in locating security bugs (a.k.a. bug bounty operators) don’t currently have any U.S. contracts, which indicates that there isn’t a focus on app security.
Before it’s all said and done, the problems created by COVID-19, like the pandemic itself, are likely to get much worse before they begin to get better.