Just because some countries have started lifting their lockdown measures doesn’t mean the COVID-19 crisis is over. There are still around 3.7 million active cases, and over 400,000 reported deaths. And the numbers keep going up.
In an attempt to prevent more cases, governments around the world have started rolling out contact tracing apps. Most countries hope that will buy them enough time until a vaccine comes out.
Right now, these apps are available almost everywhere. In fact, here’s an overview of the worldwide state of contact tracing apps. While they might be useful, you also have to wonder – just how safe are they?
Well, we have bad news – not all of them take your privacy seriously. And hackers can actually abuse them in many ways. We’re going to show you how in this quick article, and we’ll also try to offer you some solutions.
3 Ways Contact Tracing Apps Can Be Exploited
We researched this topic in-depth and found three ways cybercriminals can abuse contact tracing apps – either for profit or just to cause mayhem.
1. Phishing Attacks
Even though it’s been a few months, people are still very scared of the virus. And cybercriminals are taking advantage of their fear.
They’ve already been doing that through coronavirus-themed phishing emails. And now, they’re using contact tracing apps too.
Take the UK, for example, where hackers successfully launched phishing attacks with the NHS’ app. And that happened while the app was only in a trial phase in the Isle of Wight, not the rest of the country. So they were very quick to act.
It seems phishers were able to send bogus text messages from an official source associated with the app, alerting recipients that they had come into contact with someone who tested positive for COVID-19. People who got the message saw it as normal app behavior.
The phishing message redirected victims to a fake website where they were asked to type in their personal details. We couldn’t find out if anyone fell for that scam, but if they did, hackers would have been able to easily empty their bank accounts or commit identity theft and fraud.
2. Malicious Use
Contact tracing apps could help a lot, but that’s only if everybody does their part. Unfortunately, these apps rely on all people telling the truth about coming into contact with someone infected with the virus, or testing positive for COVID-19.
But what happens if someone lies?
It’s a pretty grim outlook, to be honest. For example, a hacker or your average Internet troll could lie that they came into contact with someone who was infected at a specific place – like a coffee shop.
If they do that, they could seriously damage the foot traffic the shop sees. People will be alerted about the “infection,” and might start avoiding the area, and telling their friends and family to do that too.
Then, the hacker/troll could contact the business owner, and threaten them by saying they would continue doing that until the owner sends a few hundred dollars (or more) to a BTC address.
And that’s just one example off the top of our heads. Malicious actors could do all sorts of things – lower voting participation in a specific district, or even get the whole city locked down by making false reports in all neighborhoods.
3. Bluetooth Vulnerabilities
Contact tracing apps rely on either location data or Bluetooth to work. GPS data is obviously bad for your privacy. But unfortunately, Bluetooth has its fair share of problems too:
- Bluetooth Classic has a serious vulnerability that would allow a cybercriminal to perform an impersonation attack. Basically, they could pose as a legitimate device you previously interacted with. If they perform a successful authentication, they could get direct access to your phone.
- Bluetooth BR/EDR connections had a huge issue back in 2019 that would have allowed cybercriminals to perform a downgrade attack. Essentially, they’d be able to weaken Bluetooth encryption and crack it with a brute-force attack. If your device didn’t receive a patch for this, hackers could abuse this vulnerability to monitor the data you share with other paired devices.
- Even Google and Apple’s new “decentralized” Bluetooth API isn’t foolproof. Here’s just one example – health info is revealed in correlation to a unique or rotating identifier. A very skilled hacker could set up a stationary camera connected to a Bluetooth device in a public space and correlate infected people with pictures of them (taken with the camera).
So What Can You Do?
Things seem pretty bad, we won’t lie. Right now, here’s what we recommend:
Only Use Legit Contact Tracing Apps
Make sure the app goes to great lengths to protect your privacy and data.
Are you the only one who can access your data, or do third parties have access to it too? Is the data stored on your device or on centralized servers? Does it have a good privacy framework in place?
We recommend checking the worldwide state of contact tracing apps at ProPrivacy. Check if the app in your area protects your privacy or puts it at risk.
If it has a bad rating, it might be safer to avoid it. Or at least wait until it’s improved.
Install Antivirus Protection on All Your Devices
This might not protect you against Bluetooth vulnerabilities, but it’s a good defense against phishing attacks. If you panic and accidentally click on a malicious link, the antivirus will stop your device from getting infected. The software might also block your connection to the fake site.
What Do You Think about Contact Tracing Apps?
Are they an immense help in fighting the COVID-19 pandemic, or are they a danger to everyone’s privacy?
And if you use a contact tracing app, what measures do you take to keep your data safe?
Please share your thoughts and ideas with the rest of us in the comments or on social media.