Contact tracing app using QR codes has security flaws, warns tech company
The CEO of a British tech company has warned the Government of potentially serious flaws in the security of personal information and data used in the new contact tracing app technology that was announced by Matt Hancock.
Manchester tech inventor and innovator Louis-James Davis stated that the QR code scanning technology which underpins the Government contact tracing app is flawed, because its reliance on QR codes means it can be subjected to a process called attagging, or cloning.
Attagging is where a genuine QR code is replaced by a cloned QR code, which then redirects the person scanning that code to a similar website where personal data can be intercepted and breached. The problem is so serious that in India alone there are over one billion fraudulent financial transactions each day using QR codes. As the scanning user journey is the same, only tech-savvy individuals may notice that the domain name has changed.
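As an added illustration (not code from the article or from any company it mentions), the check below automates what the paragraph says only tech-savvy users do: compare the host in a scanned code with the one the venue is expected to use. The pinned host list, the verdict names and the distance threshold are assumptions; the two domains are the look-alike pair quoted further down the article.

```python
from urllib.parse import urlsplit

# Assumption: the scanning app is shipped with the hosts a genuine code may open.
TRUSTED_HOSTS = {"www.similardomain.com"}

def skeleton(host):
    """Collapse the cosmetic differences a look-alike host relies on."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    # Drop hyphens and fold digit-for-letter swaps (0 -> o, 1 -> l).
    return host.replace("-", "").translate(str.maketrans("01", "ol"))

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify_scan(payload, trusted=TRUSTED_HOSTS, max_distance=2):
    """Return (verdict, host) for the text decoded from a scanned QR code."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").rstrip(".")
    # Only https links without embedded credentials are ever opened.
    if parts.scheme != "https" or not host or parts.username or parts.password:
        return "reject", host
    if host in trusted:
        return "trusted", host
    # Punycode or non-ASCII labels can imitate a trusted name glyph for glyph.
    if "xn--" in host or not host.isascii():
        return "suspect", host
    for good in trusted:
        if edit_distance(skeleton(host), skeleton(good)) <= max_distance:
            return "suspect", host
    return "unknown", host

if __name__ == "__main__":
    # Constructed payloads: the genuine link and the overlay sticker's link.
    for scanned in ("https://www.similardomain.com/checkin?venue=42",
                    "https://www.similar-domain.com/checkin?venue=42"):
        print(classify_scan(scanned), scanned)
```

A scanner that shows the verdict and the full host before opening the link gives every user the cue that otherwise depends on spotting a changed domain name.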
The CEO of Manchester-based VST Enterprises Ltd (VSTE) and a consortium of other British companies (Latus Health, Redstrike and Halo Solutions) last week submitted a 360 end-to-end solution plan called ‘Fans Are Back’ to the Prime Minister, the Cabinet Office and the chair of the DCMS select committee, following his daily press briefing and announcement of Operation Moonshot. The proposal also highlighted the serious security issues and concerns over QR code technology, while providing details of the consortium’s own end-to-end security solution to the UK Government using British technology.
The tech boss revealed that VSTE has developed an ultra-secure digital health passport and contact tracing app technology that does not use QR codes but instead uses a closed-loop, ultra-secure code called VCode, which it has invented and which is currently being used by the United Nations SDG Projects. The system uses closed-loop technology with end-to-end encryption and contains over 2.2 quintillion variations of code, which is nearly 300 million code variations per person on the planet, meaning it is impossible to hack or impersonate from the front end.
The secure digital health passport, which is called V-Health Passport, is used to authenticate a person’s identity using their existing government ID and is then used to record their COVID-19 test status. Uniquely, it can be scanned from beyond the two-metre social distancing range, and from over 100 metres away with a specialist device.
It can also be scanned in a 170-degree arc whilst a person is moving, thus preventing bottlenecks and choke points as fans queue to get into a venue. V-Health Passport can also be used to record vaccinations and other vital medical information.
VST Enterprises CEO Louis-James Davis said: ‘We have highlighted the serious security flaws of using QR codes in healthcare and ID technology in our proposal and plan submitted to the Government. When you are dealing with the public’s personal information and private data, security is of paramount importance and crucial to public confidence.
‘When the Government first launched the NHS contact tracing app there were many concerns raised about privacy, protection of data, tracking of location data and the security flaws of using Bluetooth proximity technology. The use of QR code technology in a Government contact tracing app where the public is being asked to scan a QR code before going into a sports stadium, bar or venue leaves their data and personal information at serious risk of cloning and attagging.
‘There are over one billion fraudulent financial transactions each day in India alone and that should be a serious wake-up call to any Government or major organisation about the wider use of QR code technology to the public in a contact tracing app or digital healthcare passport for that matter.
‘Because QR code readers and encoders are open source technology, free to use and manipulate, there are literally 1000s of readers and encoders in the app stores. They don’t work on a closed-loop security system, which means the QR code design might not be unique and scanning and decoding can be exploited or manipulated. QR codes also have to be scanned close up, within inches, thus meaning that the scanning of a QR code for contact tracing already breaches a safe two-metre social distancing protocol.’
Explaining how QR codes are vulnerable to cloning, Louis-James said: ‘Essentially QR codes can be cloned and redirected to other information points or websites. Often criminals and hackers will exploit this by putting a fake QR code over a genuine QR code.
‘So a QR code, for example, on scanning would link to the genuine website www.similardomain.com, but a fake QR code can be made up, printed off and placed over the genuine code to redirect to www.similar-domain.com. At this point the member of the public is tricked into entering their personal information, private data and financial information. The rogue website looks and feels exactly like the genuine one and is made to mirror it precisely.
‘VCode, which is the digital bar code of choice in our contact tracing app and V-Health Passport, for example, cannot be cloned, so even if it was printed off, or a photograph was taken and placed over a venue VCode or V-Health Passport, it simply won’t scan, as it works on a call and response system of information between the code and web platform to verify the location of the code, user ID and time and date and much more.’
The consortium presented its plan for a 360-degree end-to-end solution using a 10-minute rapid COVID testing kit. The V-Health Passport and a contact tracing app solution that uses anonymised data to detect positive infection contacts within venues, stadiums and theatres also form part of the groundbreaking technology offering. The consortium believes that this will allow for the safe return of fans to sports stadiums, music venues and theatres at full capacity without the need for social distancing.
‘The Fans Are Back plan has also received the backing and support of former sports minister Richard Caborn, former England Rugby captain Mike Tindall MBE and his wife, the Equestrian World Champion and 2012 Silver Medalist Zara Tindall MBE. The plan will also help alleviate the much-anticipated pressure on the NHS from its current and predicted testing capabilities, which have already been identified as being “at capacity”.
‘The health passport, which is test agnostic, works with all rapid tests and PCR-based lab testing. It also uses the most secure and advanced cyber technology coding, VCode, which means that all personal information and data is ultra-secure and cannot be hacked. Most importantly, the contact tracing app does not divulge a person’s identity or information and uses anonymised data.’
The contact tracing element of the V-Health Passport allows all music venues, concert arenas, sports stadiums and theatres to display a unique geo-, date- and time-fenced VCode which is locked to that venue and must be scanned as fans check in. Fans will only be allowed to physically ‘check into’ the venue if they have downloaded the V-Health Passport and taken a COVID-19 test prior to entry with a negative test result.
When the person enters the venue they will be scanned for their test status: green for negative, red for positive and amber to indicate the countdown to another test date. All interactions with V-Health Passport or venue codes are stored anonymously, allowing the person or persons to remain completely anonymous and not infringing their personal privacy.
Any positive test result will automatically notify all confirmed contacts who attended that venue and were scanned into that venue’s VCode on the day. The system can also notify contacts either side of the scanned date of entry, up to one week prior and one week post-attendance.
Also, as the contact part of the track and trace is completely anonymised, a person’s privacy and personal information is not shared and their location is not tracked in real time, other than their check-in to a sports stadium, music venue or theatre.
This is no different from a music fan using Facebook to check into a pop concert with his or her friends and tagging them. V-Health Passport is also GDPR and HIPAA compliant. The rapid test and V-Health Passport are priced at £15. The V-Health Passport currently has 200 testing centres within its app, which are expected to rise to over 1000 testing centres in the next two weeks with the addition of a major high street pharmacy chain coming onboard.