Student spots Covid app security failure

By TPN/Lusa, in COVID-19, Tech, Business · 14-05-2021 01:00:00 · 0 Comments

Henrique Faria, a student at the Polytechnic Institute of Viana do Castelo (IPVC), has identified a flaw in the ‘Stayaway Covid’ app that calls into question its effectiveness.

In a note published on its official website, the IPVC explains that the ‘bug’ was detected during an investigation carried out by Henrique Faria, within the scope of his master’s thesis on Cybersecurity.

“In practice, the detected vulnerability, now identified as ‘advertising overflow’, allows an attacker to interrupt the GAEN (Google / Apple Exposure Notification) Bluetooth transmission with a malicious application installed on the same device.”

This attack, explains those responsible for the investigation, “compromises the tracking behaviour expected in this ‘app’, not allowing the transmission of data”.

“In a real scenario, this attack can, depending on how widespread it is between devices, effectively stop or dramatically reduce GAEN tracking and efficiency because none of this data will be transmitted,” says the IPVC.

In other words, the note adds, “any user confirmed to be infected and who sends their data so that other users can check whether they have been exposed, will not trigger any exposure warning. The implementation of this attack in an SDK that is used by many applications and can compromise the effectiveness of the contact tracking system in several countries”, they state.

The failure “was reported and later recognised by Google, and deserved the placement of the student and the two faculty advisors - Pedro Pinto and Sara Paiva, in the Honorable Mentions Framework” of the United States multinational online and software services company of America.

Applications such as ‘Stayaway Covid’ “use GAEN to exchange anonymous identifiers via Bluetooth, which will later be used to check for the possibility of infection. If this happens, the user receives a notification on his device to inform that he has been exposed to someone infected”.

Launched in September 2020, the mobile application allows to quickly and anonymously track, through physical proximity between ‘smartphones’, the contagion networks by covid-19, informing users that they have been, in the last 14 days, in the same space as someone infected with the new coronavirus.

Related articles


Be the first to comment on this article
Interactive Topics, send us your comments/opinion on this article.

Please note that The Portugal News may use selected comments in the printed edition of the newspaper.