Risks and problems of an app to contain the contagion from COVID-19 - Interview with Stefano Zanero
April 17th, 2020
Abstract
Stefano Zanero, associate professor in Computer Security, interviewed on Wired about the introduction of an app to contain Covid-19 infections, enters the discussion on tracking systems and on the fundamental assessment of the impact that these technologies have citizens' privacy and at the same time it is necessary to keep in mind the aspect of IT security and the potential risks of incorrect use in addition to the psychological impact.
"To properly assess the risks," explained Zanero "we must first understand and estimate what are the benefits that we expect from these apps." To do this, you must also have a correct estimate of the percentage of people required to ensure that installing the app produces the desired results: in this way you will have an idea of the attack surface. "It is important to decide whether to allow the download from a site or from the stores," explained the professor. It cannot be ruled out that there may be attempts to install unauthorized malicious applications that simulate the functioning of the official ones, all by receiving simple scam sms.
Among the most discussed solutions at the moment, the ability to trace the contact list through the exchange of bluetooth information seems to be the one that most respects citizens' privacy: pseudo-anonymized identifiers would be used that vary over time, there are no central databases reference and, when a person tests positive, voluntarily provides his app with the data to then go back to the contacts he had. With bluetooth on our devices continuously send information to allow identification and therefore the connection between the various devices - in the case of tracking apps, an identification code would be sent generated by each app.
The distribution of an app that uses bluetooth, however, presents an additional problem: the fragmentation of smartphone models that citizens have. And the same implementation of the bluetooth protocol, as mentioned by the Privacy International association, continues to have security problems, with new attacks being discovered every year.
Therefore, there are different attack scenarios to consider but, more than the vulnerabilities of the implementation of the bluetooth protocol, attention should be paid to the opportunities of misuse.
For further information: https://www.wired.it/internet/web/2020/04/09/coronavirus-app-sicurezza/
"To properly assess the risks," explained Zanero "we must first understand and estimate what are the benefits that we expect from these apps." To do this, you must also have a correct estimate of the percentage of people required to ensure that installing the app produces the desired results: in this way you will have an idea of the attack surface. "It is important to decide whether to allow the download from a site or from the stores," explained the professor. It cannot be ruled out that there may be attempts to install unauthorized malicious applications that simulate the functioning of the official ones, all by receiving simple scam sms.
Among the most discussed solutions at the moment, the ability to trace the contact list through the exchange of bluetooth information seems to be the one that most respects citizens' privacy: pseudo-anonymized identifiers would be used that vary over time, there are no central databases reference and, when a person tests positive, voluntarily provides his app with the data to then go back to the contacts he had. With bluetooth on our devices continuously send information to allow identification and therefore the connection between the various devices - in the case of tracking apps, an identification code would be sent generated by each app.
The distribution of an app that uses bluetooth, however, presents an additional problem: the fragmentation of smartphone models that citizens have. And the same implementation of the bluetooth protocol, as mentioned by the Privacy International association, continues to have security problems, with new attacks being discovered every year.
Therefore, there are different attack scenarios to consider but, more than the vulnerabilities of the implementation of the bluetooth protocol, attention should be paid to the opportunities of misuse.
For further information: https://www.wired.it/internet/web/2020/04/09/coronavirus-app-sicurezza/