Vulnerabilities found in NHS Covid-19 contact-tracing app


Today it has been reported that wide-ranging security flaws have been flagged in the NHS Covid-19 contact-tracing app, after being piloted in the Isle of Wight. The security researchers involved have warned the problems pose risks to users’ privacy and could be abused to prevent contagion alerts being sent.

NHS officials are racing to improve the Covid-19 contact-tracing app's privacy safeguards, amid mounting concern from cybersecurity experts, MPs and users in the UK. Although there is a rush to get the app out to consumers, the software has been scrutinised by ethical hackers and security researchers, and, perhaps predictably, security bugs have been found. This demonstrates that security risks need to be limited in order to protect users' privacy.

Paul Farrington, EMEA CTO at Veracode, told IT Supply Chain why he believes that the government needs to drive through the necessary fixes to ensure public trust.

“As we transition in the UK Government’s lockdown exit strategy, the NHS and public health officials are racing to launch the Covid-19 contact-tracing app. The NCSC has been transparent in defining the goals of the app and the security features of the architecture. Inevitably though, there has been a great deal of scrutiny of the software from ethical hackers and security researchers, and perhaps predictably, security bugs have been found.

Researchers point out some intelligent aspects of the design, and also highlight where security trade-offs have been made to deliver the first version of the app, which still need to be corrected. The NCSC has been collaborative in responding to the researchers. Now, they will need to help drive through the necessary fixes to ensure that the public has trust in the software.”

“According to Veracode’s State of Software Security report, 52% of healthcare apps have severity 4 or 5 flaws (this is the worst of the industries surveyed in the report – which included infrastructure, retail, financial services, government/education, technology and manufacturing). This was due to the industry having the longest time to fix security bugs – with a median of 131 days going by until the bug is resolved.

Even when the security bugs are addressed, concerns will remain about the architecture being less conducive to protecting user privacy and the legal limits on agents of the Government misusing the data that is collected. That may prove to be a drag on user adoption, which is not in the interests of public health.”