Now it can be told:
South Korea --a world leader in using digital tools against the pandemic-- had major security flaws in its quarantine app that could have allowed hackers to retrieve and tamper with users' private location and health data. http://www.nytimes.com/2020/07/21/technology/korea-coronavirus-app-security.html
The security lapses were discovered in May by @fredrecht, a software engineer in Seoul, who was required to use the quarantine app when he returned from travel abroad. He discovered the app had poor encryption and assigned users easily guessable I.D. codes.
By June, Korea had required more than 162,000 people to use its quarantine app.
@fredrecht reported the security problems to the gov't.
Then he contacted @choesanghun, @zhonggg and me.
@Aaron_Krolik tested the app and confirmed the security lapses.
South Korean officials told @choesanghun that they were in such a hurry to release the quarantine app that they prioritized speedy deployment over user safety.
Also, they said they hadn't expected that tens of thousands of foreigners would be required to use the app.
We held the story for more than a month to give the Korean gov't time to address the security lapses.
New versions of the apps were released in the Apple and Google Play stores last week.
The major security lapses with South Korea's quarantine app come after @botherder @amnesty found serious problems with Qatar's virus surveillance app and an analysis of 17 gov't-sponsored virus-tracing apps by @Guardsquare found that the majority could be easily hacked:
An alternate approach for government virus-tracing apps from Apple and Google also has privacy issues.
It uses Bluetooth signals --not location tracking-- to detect smartphones that come near one another. But, to use the apps, Android users must first turn on location.
And once Android users turn on the location setting for virus-tracing apps from Austria, Denmark, Germany, Ireland, Italy, Latvia, and Switzerland, Google may be able to determine and use their precise locations, depending on their phone settings. http://www.nytimes.com/2020/07/20/technology/google-covid-tracker-app.html
But European gov'ts have not told Android users of the virus-tracing apps that, once they turn on location, Google may use Wi-Fi, mobile networks and Bluetooth beacons to determine their precise whereabouts through a setting called location accuracy.
Informed consent?
The potential for Google to collect location data on people who use virus-tracing apps may violate the privacy promises made by governments like the UK (cc: @EinsteinsAttic )
Angela Merkel has urged Germans to use Germany's new virus app, saying it does not collect location data