Security Market Segment LS
Wednesday, 15 July 2020 13:56

How Hackers Can Abuse Contact Tracing Apps

By ProPrivacy

VENDOR PROMOTION Contact tracing apps could do a lot of good, but not if hackers get in the way. Here’s a quick list of three ways cybercriminals can abuse these apps.

Just because some countries have started lifting their lockdown measures doesn’t mean the COVID-19 crisis is over. There are still around 3.7 million active cases, and over reported 400,000 deaths. And the numbers keep going up.

In an attempt to prevent more cases, governments around the world have started rolling out contact tracing apps. Most countries hope that will buy them enough time until a vaccine comes out.

Right now, these apps are available almost everywhere. In fact, here’s an overview of the worldwide state of contact tracing apps. While they might be useful, you also have to wonder – just how safe are they?

Well, we have bad news – not all of them take your privacy seriously. And hackers can actually abuse them in many ways. We’re going to show you how in this quick article, and we’ll also try to offer you some solutions.

3 Ways Contact Tracing Apps Can Be Exploited

We researched this topic in-depth and found three ways cybercriminals can abuse contact tracing apps – either for profit or just to cause mayhem.

1. Phishing Attacks

Even though it’s been a few months, people are still very scared of the virus. And cybercriminals are taking advantage of their fear.

They’ve already been doing that through coronavirus-themed phishing emails. And now, they’re using contract tracing apps too.

Take the UK, for example, where hackers successfully launched phishing attacks with the NHS’ app. And that happened while the app was only in a trial phase in the Isle of Wight, not the rest of the country. So they were very quick to act.

It seems phishers were able to send bogus text messages from an official source associated with the app, alerting them they came into contact with someone who tested positive for COVID-19. People who got the message saw it as normal app behavior.

The phishing message redirected victims to a fake website where they were asked to type in their personal details. We couldn’t find out if anyone fell for that scam, but if they did, hackers would have been able to easily empty their bank accounts or commit identity theft and fraud.

2. Malicious Use

Contact tracing apps could help a lot, but that’s only if everybody does their part. Unfortunately, these apps rely on all people telling the truth about coming into contact with someone infected with the virus, or testing positive for COVID-19.

But what happens if someone lies?

It’s a pretty grim outlook, to be honest. For example, a hacker or your average Internet troll could lie that they came into contact with someone who was infected at a specific place – like a coffee shop.

If they do that, they could seriously damage the foot traffic the shop sees. People will be alerted about the “infection,” and might start avoiding the area, and telling their friends and family to do that too.

Then, the hacker/troll could contact the business owner, and threaten them by saying they would continue doing that until the owner sends a few hundred dollars (or more) to a BTC address.

And that’s just one example off the top of our heads. Malicious actors could do all sorts of things – lower voting participation in a specific district, or even get the whole city locked down by making false reports in all neighborhoods.

3. Bluetooth Vulnerabilities

Contact tracing apps either rely on location data or Bluetooth to work. GPS data is obviously bad for your privacy. But unfortunately, Bluetooth has its fair share of problems too:

  • Bluetooth Classic has a serious vulnerability that would allow a cybercriminal to perform an impersonation attack. Basically, they could pose as a legitimate device you previously interacted with. If they perform a successful authentication, they could get direct access to your phone.

  • Bluetooth BR/EDR connections had a huge issue back in 2019 that would have allowed cybercriminals to perform a downgrade attack. Essentially, they’d be able to weaken Bluetooth encryption and crack it with a brute-force attack. If your device didn’t receive a patch for this, hackers could abuse this vulnerability to monitor the data you share with other paired devices.

  • Even Google and Apple’s new “decentralized” Bluetooth API isn’t foolproof. Here’s just one example – health info is revealed in correlation to a unique or rotating identifier. A very skilled hacker could set up a stationary camera connected to a Bluetooth device in a public space and correlate infected people with pictures of them (taken with the camera).

Contact Tracing pic

So What Can You Do?

Things seem pretty bad, we won’t lie. Right now, here’s what we recommend:

Only Use Legit Contact Tracing Apps

Make sure the app goes to great lengths to protect your privacy and data.

Are you the only one who can access your data, or do third parties have access to it too? Is the data stored on your device or on centralized servers? Does it have a good privacy framework in place?

We recommend checking the worldwide state of contact tracing apps at ProPrivacy. Check if the app in your area protects your privacy or puts it at risk.

If it has a bad rating, it might be safe to avoid it. Or at least wait until it’s improved.

Install Antivirus Protection on All Your Devices

This might not protect you against Bluetooth vulnerabilities, but it’s a good defense against phishing attacks. If you panic and accidentally click on a malicious link, it will stop your device from getting infected. The software might also block your connection to the fake site.

If you need recommendations, try Malwarebytes and ESET.

What Do You Think about Contact Tracing Apps?

Are they an immense help in fighting the COVID-19 pandemic, or are they a danger to everyone’s privacy?

And if you use a contact tracing app, what measures do you take to keep your data safe?

Please share your thoughts and ideas with the rest of us in the comments or on social media.

Subscribe to Newsletter here

WEBINAR 12 AUGUST - Why is Cyber Security PR different?

This webinar is an introduction for cyber security companies and communication professionals on the nuances of cyber security public relations in the Asia Pacific.

Join Code Red Security PR Network for a virtual conversation with leading cyber security and ICT journalists, Victor Ng and Stuart Corner, on PR best practices and key success factors for effective communication in the Asian Pacific cyber security market.

You will also hear a success story testimonial from Claroty and what Code Red Security PR has achieved for the brand.

Please register here by 11 August 2020 and a confirmation email, along with instructions on how to join the webinar will be sent to you after registration.

Aug 12, 2020 01:00 PM in Canberra, Melbourne, Sydney. We look forward to seeing you there!



It's all about Webinars.

These days our customers Advertising & Marketing campaigns are mainly focussed on Webinars.

If you wish to promote a Webinar we recommend at least a 2 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial.

For covid-19 assistance we have extended terms, a Webinar Business Booster Pack and other supportive programs.

We look forward to discussing your campaign goals with you. Please click the button below.






Guest Opinion

Guest Interviews

Guest Reviews

Guest Research & Case Studies

Channel News