This is an update to our earlier blog “New UK Coronavirus Test & Trace App in Trial“.
On 12 September 2020 the UK Government for England and Wales announced that their Coronavirus contact tracing app will go live on 24 September 2020. The devolved government in Wales will also use the same app.
The UK App will use Googles and Apples technology to provide the proximity tracking as described in our blog of 15 August using using the Bluetooth technology on Smartphones.
The England and Wales app is released by the NHS. So far I haven’t seen it in the appropriate app stores – this will come on 24 September when it is made generally available.
What’s happening in Scotland and Northern Ireland?
The devolved governments of Northern Ireland and Scotland have chosen to develop their own apps based on the Google/Apple technology. The Northern Ireland app will also cooperate with Southern Ireland and will share their respective databases.
The Northern Ireland app is called “StopCOVID NI” and is available in the Google Play Store and in the Apple App Store.
The Scottish app is called “Protect Scotland” and is also available in in the Google Play Store and in the Apple App Store.
Privacy & Cyber Security Concerns
The technology these apps are built on is made available as a service by Apple and Google for their respective app eco-systems and devices (iOS/iPhone, Android). The intention is that all the data will be held by Apple & Google. However, my understanding of the technology is that the health authorities will not receive the extensive location and proximity tracking data and what will be provided will only be released once the user registers a positive Covid19 test result.
I suggest you look at the BBC News article “Coronavirus: The great contact-tracing apps mystery” for details on how this works.
The question is whether or not you trust Google and Apple to keep this data private? Apple I have no problem with as their business is based on privacy. However, Google has a very bad record on privacy issues. That being said, this is the only option we have in the UK. My personal opinion is that we need to use every method at our disposal to track the progress of the virus. With infections on the rise in the UK, we need to avoid another national lockdown as this would be devastating to the economy.
The main issue from a cyber security perspective, you will need to keep your Bluetooth connection switched on at all times. The variety of Bluetooth required to run the app is Bluetooth 4 LE, which is not deployed on all phones currently in circulation. However, there are multiple attack vectors open to cyber attackers due to vulnerabilities in the Bluetooth technology that may not have been patched in all handsets. These include the following vulnerabilities found in 2020:
- Spectra attack which breaks the separation between Wi-Fi and Bluetooth
- BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys
- BIAS attack which is an impersonation attack that works against Bluetooth devices and firmware from Apple, Broadcom, Cypress, Intel, Samsung, and others
- SweynTooth vulnerabilities which works against BLE software kits from at least six chipset vendors.
If you have Android/iOS updates available for your handset, some of these vulnerabilities may have been patched. However, there is no guarantee that there aren’t more vulnerabilities that cannot be patched due to the hardware or have not been found yet.
My normal advice is to only keep Bluetooth active when you are using it. However, in this case you need it switched on when you are around other people at work, while travelling and when out either shopping or socialising. As a result you need it on 24×7.
On the Google Play Store, the following are the permissions that need to be enabled to run the various contact tracing apps:
- view Wi-Fi connections
- view network connections
- pair with Bluetooth devices
- full network access
- run at startup
- control vibration.
Other Google/Apple Tracing Services
On 1 September 2020 Google and Apple announced a new automatic app system to track COVID exposures. This allows heath authorities to automatically generate an app based on a standardised configuration. So far I have only seen announcements for the US and don’t know yet whether this will be released in the UK or if the relevant health authorities in the devolved governments will adopt it.
What is happening Internationally?
The health authorities in the various EU countries are developing and/or deploying their own apps. Other countries will be doing the same. I am not tracking each of them. However, a lot of them are using the same Apple/Google tracing technology. Some are doing their own thing.
If you are travelling, or live in other countries, you may need to install and use the contact tracing app in that country. The UK apps won’t work outside of the UK.
At the beginning of 2020 no one could have predicted how the coronavirus pandemic would have affected the global population. However, this will be with us for some time to come. Vaccines are a weapon we can use to fight the infection rate, but we also need to trace the contacts of anyone who is infected so they can self isolate and get the appropriate medical treatment. If you are around people you know (e.g. friends, family work colleagues), then providing the contact tracing information is easy. However, if you go shopping or visit a bar, you are mixing with people from other households and there is no way you can effectively provide the contact details for all these people. This is where the various contact tracing apps come in as they will be continually watching and tracking who you come into contact with.
I would have hoped that the four devolved governments would have cooperated in these apps development and built in data sharing between the various devolved governments (similar to that between Northern and Southern Ireland). This may come in time. In the mean time you may need to install more than one app if you cross the various borders.
I don’t think these apps will be the silver bullet we all hope they are. For a start not everyone will have a smart phone that is capable of running the app. Some people won’t use it at all. We also need to develop a vaccine as well as treatments to treat people who are admitted to hospital due to an infection and employ contact tracing methods.
All of these apps will work alongside the telephone based contact tracing service in each of the devolved health authorities.
It’s up to you to decide if you will use these app or not. Personally I will be installing the England app on day one.
Please make sure you download the official app provided by the various devolved governments and not a scam app.
You can also read our other blogs on this subject below for background and concerns we have regarding this technology:
- New UK Coronavirus Test & Trace App in Trial (published 15 August 2020)
- UK Coronavirus Contract Tracing Update (published 4 July 2020)
- COVID-19 Research by Kings College London (published 4 July 2020)
- Location Tracking, Your Privacy & COVID 19 Contact Tracing (published 2 May 2020)
- Cyber Security during a Pandemic (published 14 March 2020).