The Government finally gives the details of the Radar Covid security breach

By CAPosts 20 November, 2020 - 05:38am

A user of Radar Covid in the Community of Madrid last October. Ricardo Rubio / Europa Press

The Government has finally published a statement giving the details of the security breach in its Radar Covid contact tracing application, as EL PAÍS reported on October 22. According to a tweet from the government account, the vulnerability was resolved on October 9, although in reality the definitive solution was incorporated in the update of October 30. The first patch still left the hole insecurely covered.

“The vulnerability is caused by the fact that Radar Covid's connections with the server (uploading the keys) are only made in positive cases. Therefore, any on-path observer with the ability to monitor the traffic between the application and the server can identify which users are positive,” the text says. The way to avoid this is to generate dummy traffic to the server from users who are not positive, traffic whose form and handling are the same as if it came from a positive case, so that the two cannot be distinguished from each other.

Publishing the details of a vulnerability once it is resolved is a common procedure in cybersecurity. The message was finally published on the night of Friday the 13th on the developer platform GitHub. The person in charge of posting the report was user Pantic79 (Milinko Pantic was an Atlético de Madrid player in the 90s), whose account was created in July 2020 and who had previously published on GitHub on behalf of the Radar Covid developers. The text credits the discovery of the vulnerability to the engineer Carmela Troncoso, who has led the team that developed DP-3T, the protocol used by the Radar Covid app, and to two other members of her institution, the Polytechnic School of Lausanne: Linus Gasser and Wouter Lueks. Two Spanish researchers took part with them: Juan Tapiador, from the Carlos III University, and Narseo Vallina-Rodríguez, from Imdea Networks.

The State Secretariat for Artificial Intelligence announced on October 9 that the vulnerability had been resolved. But according to a chronology that accompanies the publication, it was not until the 30th that it was definitively resolved. The problem was that the initial fix still left holes through which an attacker could infer positive users despite the added fake traffic. Sources at the State Secretariat see the change as a supplementary improvement, not an essential one. "The DP-3T team proposes to change the random distribution for sending fake frames using an exponential function instead of a uniform one, which is implemented on October 30," they say, which allows "to further improve security."
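The dummy-traffic mitigation and the uniform-versus-exponential change described above, as an added Python example that is not Radar Covid or DP-3T code. The constants, function names and framing are assumptions; the page does not give the team's detailed reasoning, and what the code shows is the general memoryless property of the exponential distribution.

```python
import math
import random

# Assumed values for illustration; the page gives no real parameters.
MEAN_GAP_H = 24.0      # mean hours between decoy uploads
UNIFORM_MAX_H = 48.0   # uniform variant: delay in [0, 48] h, same mean
BODY_LEN = 512         # fixed request-body size in bytes


def pad_body(payload: bytes) -> bytes:
    """Length-prefix and zero-pad so real and decoy bodies are the same size."""
    if len(payload) > BODY_LEN - 2:
        raise ValueError("payload too large for the fixed-size body")
    framed = len(payload).to_bytes(2, "big") + payload
    return framed + b"\x00" * (BODY_LEN - len(framed))


def next_decoy_delay(rng: random.Random, exponential: bool = True) -> float:
    """Hours to wait before the next decoy upload."""
    if exponential:
        return rng.expovariate(1.0 / MEAN_GAP_H)
    return rng.uniform(0.0, UNIFORM_MAX_H)


def p_silent_longer(waited: float, extra: float, exponential: bool) -> float:
    """P(no decoy for `extra` more hours | none during the last `waited` hours)."""
    if exponential:
        return math.exp(-extra / MEAN_GAP_H)  # memoryless: ignores `waited`
    if waited >= UNIFORM_MAX_H:
        return 0.0
    return max(0.0, UNIFORM_MAX_H - waited - extra) / (UNIFORM_MAX_H - waited)


def decoy_gaps(rng: random.Random, count: int, exponential: bool) -> list[float]:
    """Gaps (hours) between consecutive decoy uploads from one device."""
    return [next_decoy_delay(rng, exponential) for _ in range(count)]


if __name__ == "__main__":
    rng = random.Random(2020)  # seeded only to make the demo repeatable
    for exp in (False, True):
        gaps = decoy_gaps(rng, 2000, exp)
        name = "exponential" if exp else "uniform"
        print(f"{name:11s} longest gap {max(gaps):6.1f} h, "
              f"P(silent 12 h more | 40 h silent) = {p_silent_longer(40, 12, exp):.2f}")
```

With the uniform schedule the time a device has already been silent changes the odds of the next decoy, so timing still carries information; with the exponential schedule those odds stay constant.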

The report describes how potential attackers could find out which devices had reported a covid positive and also, in a second step, identify the user. According to a common standard, whose score is calculated automatically from the information provided by those who found the flaw, the vulnerability is considered "high severity", a level only below "critical". Several variables go into the calculation: for example, whether the complexity of the attack is high, whether the perpetrator must be in the system's network, whether they must be nearby or can be anywhere on the Internet, and whether or not interaction from the victim is needed.

The State Secretariat does not see as much cause for that severity: "Its scope is more hypothetical than real," they say. They refer, above all, to the magnitude of the possible attackers: “The vulnerability requires the assistance of the telecommunications operator and the cloud service provider, or third parties not only with the ability to analyze traffic, but also to correlate it with personal data that it has and obtains from the hand of other applications that are present in the same mobile terminal,” they say. And they add that the contracts or data protection authorities would prevent it: "Any analysis by the telecommunications operator or the cloud service provider violates current contracts and of course goes against current legislation on data protection."

The danger of seeing the scope as "hypothetical" in an application that deals with health information concerns the care taken in handling the data. “If those responsible believe that these types of problems are minor,” says Gloria González Fuster, research professor at the Vrije Universiteit in Brussels, “it is worth asking if we are not in a more problematic situation than it might seem, since the technical analysis trusts that someone is taking risks properly. From a legal point of view, the important thing to remember is that we are talking about data related to health, which is considered sensitive data, and any infringement can have serious consequences,” she adds.

Those able to analyze the traffic of a mobile phone reporting a covid-19 positive certainly include the operators if the mobile network is used, the Internet providers if it is done through Wi-Fi networks, any VPN provider if one is used, the network operator in companies, or any attacker who has access to the same network as the positive case.

"The attacker can also de-anonymize the user", says the text. “For this additional stage to be successful, the adversary needs to correlate the Radar Covid traffic with other identifiable information from the victim. This can be achieved by associating the connection to the contract with the name of the victim or the Radar Covid traffic with another one generated by the user that contains open identifiers,” it adds. The Government has no indication that this vulnerability has been exploited, "even remotely," they say.

The Spanish Agency for Data Protection, consulted by this newspaper, has not yet wanted to assess this vulnerability. "The Agency does not assess the possible vulnerabilities of third parties if it is not in the resolution of a procedure," they say from the AEPD. The Agency has had a procedure open on Radar Covid practically since the day it was announced, which spares it from having to comment on each of the possible problems that may arise with the application.

Radar Covid was launched in mid-August. At the end of August, it was activated in five autonomous communities. The first contact about the vulnerability was on September 16. The first patch was applied on October 9 and the second on October 30. According to the numbers of positives published this Sunday by EL PAÍS, this vulnerability could have affected fewer than the 13,000 users who, up to the beginning of November, had used the application to report their positive result. The Government has not yet published all the necessary documentation on Radar Covid's open source code or the contract with Indra for its development, which it has denied to this newspaper and others after transparency requests.

The statement mentions the additional risk of the server in the cloud, controlled by Amazon. "The cloud provider can implement an attack between the apps and the server, which would allow it to inspect the content of the communication and distinguish the fake traffic from the real one," the text says. But the researchers see this danger as "low" and do not technically mitigate it due to the "contractual obligations of the provider, the European Data Protection Regulation (which would result in severe fines) and the impact on its public image."
