Security fail

25 Jun 2020
A study of 17 Android mobile contact tracing apps from 17 different countries found that most government-sponsored contact tracing apps are insecure and risk exposing users’ privacy and data. The researchers used the presence or absence of six basic hardening techniques: name obfuscation (just one
20 May 2020
More than 6 million Australians downloaded the government’s COVIDSafe contact tracing app after being told it was necessary to help health officials track future coronavirus outbreaks. In late May, a software developer found a flaw in the app that would allow someone with a relatively simple
08 Jul 2020
Governments in Norway, Britain, Qatar, and India, among others, have had to either drop or remediate the contact tracing apps they’ve released to help combat the coronavirus due to the rush in which they were released. Many had security flaws that risked exposing user data; others pose privacy and
11 Jun 2020
A detailed analysis of Pakistan’s app, which was developed by the Ministry of IT and Telecom and the National Information Technology Board and which offers dashboards for each province and state, self-assessment tools, and popup hygiene reminders, finds a number of security issues. Among them: the
19 May 2020

Security researchers have found seven problems with the NHSx contact tracing app including: weaknesses in registration that could allow attackers to steal encryption keys; storing unencrypted data on handsets; generating a new random ID code only once a day; and design decisions with respect to Bluetooth connections that could enable tracking. These questions are independent of whether the app is centralised or decentralised.

Writer: BBC; Chris Culnane and Vanessa Teague
Publication: BBC; State of IT
 

02 May 2020
A security lapse exposed one of the core databases of the coronavirus self-test symptom checker app launched by India's largest cellphone network, Jio, shortly before the government lockdown began in late March. The database, which had no password protection and contained millions of logs and
11 May 2020
The Indian state of Madhya Pradesh created a COVID-19 dashboard that displayed the names of at least 5,400 quarantined people, their device IDs and names, their OS version, app version codes, current GPS coordinates, and office GPS coordinates. Shortly after the dashboard's existence was posted on
06 May 2020
Shortly after launch, security researcher Baptiste Robert discovered that India's contact tracing app, Aarogya Setu ("Health Bridge"), allows users to spoof their GPS location, find out how many people reported themselves as infected within any 500-metre radius, and mount a triangulation attack to
16 Apr 2020
Moscow's first attempts to introduce digital methods by which residents could obtain digital passes to move around the city failed as the website collapsed numerous times and the app required them to get a pass for every single move rather than only to drive a car, as the government has stated. City
18 May 2020

New BIAS attack works agaisnt Bluetooth devices and firmware from Apple, Broadcom, Cypress, Intel, Samsung, and others.

Academics have disclosed today a new vulnerability in the Bluetooth wireless protocol, broadly used to interconnect modern devices, such as smartphones, tablets, laptops, and smart IoT devices. The vulnerability, codenamed BIAS (Bluetooth Impersonation AttackS), impacts the classic version of the
25 Sep 2017
Mexico is one of the biggest buyers of next-generation surveillance technology. And now data leaked to Forbes indicates it's taken an unprecedented step in becoming the first-known buyer of surveillance technology that silently spies on calls, text messages and locations of any mobile phone user
29 Mar 2020

Saudi Arabia appears to be exploiting weaknesses in the global mobile telecoms network to track its citizens as they travel around the US, according to a whistleblower who has shown the Guardian millions of alleged secret tracking requests.

Data revealed by the whistleblower, who is seeking to expose vulnerabilities in a global messaging system called SS7, appears to suggest a systematic spying campaign by the kingdom, according to experts.

The data suggests that millions of secret tracking requests emanated from Saudi Arabia over a four-month period beginning in November 2019.

The tracking requests, which sought to establish the US location of Saudi–registered phones, appeared to originate from Saudi’s three biggest mobile phone companies.

The whistleblower said they were unable to find any legitimate reason for the high volume of the requests for location information. “There is no other explanation, no other technical reason to do this. Saudi Arabia is weaponising mobile technologies,” the whistleblower claimed. The data leaked by
23 Jul 2018

Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.

Bluetooth utilizes a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. The ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key. The devices must
13 Sep 2017

Questions are being raised again about the security of Bluetooth after researchers uncovered another flaw that could potentially compromise billions of devices.

Armis published details of the Bluetooth vulnerability it is calling ‘Blueborne’. The attack disguises itself as a Bluetooth device and exploits a weaknesses in the protocol to deploy malicious code.

“The BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active,” warned the researchers. “Unlike the common misconception, Bluetooth enabled devices are constantly
18 Nov 2019

An engineering and computer science professor and his team from The Ohio State University discovered a design flaw in low-powered Bluetooth devices that leaves them susceptible to hacking.

An engineering and computer science professor and his team from The Ohio State University discovered a design flaw in low-powered Bluetooth devices that leaves them susceptible to hacking. Zhiqiang Lin, associate professor of computer science and engineering at the university, found the commonly
06 Feb 2020

On November 3rd, 2019, [...] a critical vulnerability affecting the Android Bluetooth subsystem [was reported]. This vulnerability has been assigned CVE-2020-0022 and was now patched in the latest security patch from February 2020 .

On November 3rd, 2019, [...] a critical vulnerability affecting the Android Bluetooth subsystem [was reported]. This vulnerability has been assigned CVE-2020-0022 and was now patched in the latest security patch from February 2020. The security impact is as follows: On Android 8.0 to 9.0, a remote