Bluetooth communications can be hacked
As tech giants like Apple and Google plan COVID-19 contact tracing app using the Bluetooth technology, security researchers have questioned the move, saying tracing apps that allow attackers to access a users Bluetooth also allows them to fully read all Bluetooth communications. The Apple-Google contact tracing system uses Bluetooth to identify and list phones users in your circle and if the owner of one of those phones gets infected with COVID-19, you will receive an alert.
In Singapore, the government has urged people to download and use the Trace Together app - a Bluetooth-enabled contact tracing application developed by the Government Technology Agency and mentioned that other apps are also being developed.
According to Niels Schweisshelm, Technical Programme Manager, HackerOne which is San Francisco-based bug bounty platform, the entire attack surface of these contact tracing applications has to be properly investigated.
"The potential privacy concerns surrounding these contact tracing solutions should remind governments developing them that the security community will scrutinise these apps more than any app in recent years," Schweisshelm told IANS.
Android recently released a patch for a critical vulnerability related to the implementation of the BT protocol. This vulnerability allowed an attacker to remotely take over specific Android devices without any required user interaction from the victim. This vulnerability was responsibly disclosed to the vendors and, therefore, not exploited by malicious threat actors.
"This does, however, demonstrate that the protocol and its implementation used by these contact tracing apps up until recently suffered from a critical vulnerability," informed Schweisshelm.
Joshua Berry, Associate Principal Security Consultant at Synopsys Software Integrity Group, said that contact tracing applications use Bluetooth Low Energy (BLE) advertisements to send and collect messages to identify contacts made with other users. In general, the reception of messages can present an opportunity for an attacker to send malformed data that could be mishandled by devices and applications.
"This is one way that a device could be compromised. However, in the case of a contact tracking app, the message content sent to devices over BLE contains data that is intended to be passively collected and stored by the mobile application," Berry said.
A mobile application that only performs this basic functionality would not alone present sufficient functionality for an attacker to be able to exploit to gain control over a mobile device.
"An attacker could attempt to overload a user's device with BLE messages that appear to the mobile device as sufficiently valid to store which could cause the application to not function as desired or to later receive false-positive contact notifications," he explained.
Even if a contact tracing application does not collect and share GPS location data, this data could be shared with other people as part of the contact tracing process. According to Samantha Isabelle Beaumont, Senior Security Consultant, Synopsys Software Integrity Group, users can protect themselves by limiting the number of applications they download.
"They can limit the number of Bluetooth items they pair, the number of Bluetooth items they keep as whitelisted, known devices, and the amount of information they are transferring over mechanisms such as Bluetooth," said Beaumont.
On its contact tracing app, according to Apple, "Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders. We will openly publish information about our work for others to analyze".
