It’s been estimated that 90% of COVID-related deaths could have been prevented if social distancing efforts had been put in place just two weeks earlier. The statistic is painful to hear, but it reinforces the public’s commitment to getting us on the road to recovery. As we’re starting to see the curve flatten, current modeling has shown that social distancing has significantly curbed the spread of COVID-19. Granted, the battle is far from over. State lockdowns have been enforced for well over 2 months, and L.A.’s stay-at-home orders have just been extended to July. But digital contact tracing could play a major role in speeding up re-openings and getting us out of the virus’ trenches.
Let’s start with the basics. Contact tracing’s purpose is to identify and isolate potential risks of spreading infectious diseases, and it’s been used in past outbreaks like Ebola, SARS, and various STDs. Contact tracing’s MO is much like detective work – tracers work with patients to piece together a list of all the people they’ve been in contact with during the virus’ incubation period (in this case, 2 weeks). Then, contact tracers notify those individuals of the potential risk and advise that they self-isolate and seek out testing.
As crucial as this system is, it’s nearly impossible to conduct contact tracing at the mass scale that COVID-19 commands. Each infected person can yield around 40 possible transmissions – that’s 40 calls for every single person infected, and in cities like NYC with over 187k known COVID cases, contact tracing can easily exhaust the state’s resources. Dr. Frank Esper from Cleveland Clinic Children’s Hospital tells Time, “When you get to a point where there are a lot of people who are sickened with a particular disease, it quickly overwhelms the health departments’ response to be able to contact trace all those individuals.”
As healthcare leaders have pointed out, the traditional method for contact tracing isn’t a perfect solution, especially when it comes to tracking transmissions that spread as rapidly as COVID-19. It goes without saying that a patient’s recollection doesn’t account for all consequential contacts – a fair amount of interactions can be missed; just think of all the people you have airborne contact with on a daily basis, much less over the span of two weeks. There’s also the possibility of spreading the virus from high-touch surfaces like door handles, ATMs or elevator buttons, and at that point it’s impossible to contact trace everyone.

That’s where the digital side comes into play. Apple and Google control nearly 100% of the worldwide mobile market, which is why they’ve come together in partnership to provide the tools necessary to develop a digital contact tracing app for the masses. The system relies on Bluetooth to detect nearby phones, with each individual receiving a unique identifier code tied to their device. Using the Bluetooth signal, a device picks up the unique identifier codes of every device it has been in contact with and keeps a rolling 14-day record of those interactions. If someone tests positive for the virus, testing centers import this data on the app’s backend. That sets off a notification to everyone who has a record of being in contact with that individual, along with further details on nearby testing and recommendations for self-isolating during the incubation period.

Remember when I mentioned earlier that each virus transmission requires tracers to make around 40 calls to notify those at risk? Think of how much more efficiently and effectively we can combat the problem if this process is condensed to an instant push notification.
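As an added illustration (not code from the article, nor from Apple or Google), here is a simplified Python model of the scheme the paragraph describes: a device-bound identifier, a rolling 14-day record of identifiers seen over Bluetooth, a backend that testing centers upload confirmed-positive identifiers to, and matching done on each phone. The class and function names and the scenario dates are assumptions made for the example.

```python
from datetime import datetime, timedelta

INCUBATION_DAYS = 14  # the rolling window the article describes


class Device:
    """One phone in the exposure-notification scheme (hypothetical model)."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.sightings = {}  # identifier seen over Bluetooth -> last time seen

    def observe(self, other_id, seen_at):
        """Record a Bluetooth sighting, keeping only the most recent time per identifier."""
        prev = self.sightings.get(other_id)
        if prev is None or seen_at > prev:
            self.sightings[other_id] = seen_at

    def prune(self, now):
        """Drop sightings older than the 14-day window; nothing older is ever matched."""
        cutoff = now - timedelta(days=INCUBATION_DAYS)
        self.sightings = {i: t for i, t in self.sightings.items() if t >= cutoff}

    def check_exposure(self, diagnosed_ids, now):
        """Match the downloaded list of diagnosed identifiers against the local record.

        Matching happens on the phone, so the backend never sees this device's sightings.
        Returns the diagnosed identifiers this device saw within the window.
        """
        self.prune(now)
        return sorted(i for i in self.sightings if i in diagnosed_ids)


class Backend:
    """Server side: testing centers import identifiers of confirmed-positive users."""

    def __init__(self):
        self.diagnosed = set()

    def report_positive(self, device_id):
        self.diagnosed.add(device_id)


def run_scenario():
    """Constructed scenario: A met B 3 days ago and C 20 days ago; B and C test positive."""
    now = datetime(2020, 5, 20, 12, 0)
    a, b, c = Device("A"), Device("B"), Device("C")
    a.observe("B", now - timedelta(days=3)); b.observe("A", now - timedelta(days=3))
    a.observe("C", now - timedelta(days=20)); c.observe("A", now - timedelta(days=20))
    backend = Backend()
    backend.report_positive("B")
    backend.report_positive("C")  # C's contact with A is outside the window, so A is not alerted for C
    return {d.device_id: d.check_exposure(backend.diagnosed, now) for d in (a, b, c)}
```

Only A is alerted, and only about B; the 20-day-old sighting of C has aged out of the record. Real deployments also rotate the broadcast identifier so a fixed code cannot be used to track a device, a refinement this model leaves out.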
Digital contact tracing is entirely anonymous, and if you receive a notification, you won’t know the details of where the possible transmission occurred or who it came from. Having a reliable source for this information would give people the confidence to (safely and responsibly) leave their house again. When you’re living with someone that’s at-risk, being a silent carrier is a constant anxiety, and digital contact tracing could ultimately make these people feel safer.
This could be a turning point in re-opening the country, as research shows that nearly 80% of carriers are asymptomatic and are unknowingly spreading the virus to others.
Despite the app being opt-in only, modeling shows that at least 60% of the population will need to participate in order to have a significant impact on flattening the curve. But of course, digital contact tracing comes with its own troubles, with many raising questions over the privacy and security of this data. Especially when it comes to information related to sensitive and private health records, Americans are rightfully wary of opting into a system that they don’t entirely trust.
And surveys confirm that Americans are split on the matter. When the Kaiser Family Foundation surveyed people on whether they would download an app for contact tracing, 47% of respondents answered that they would not. Knowing who is in control of the data had a massive impact on survey results, with individuals being twice as likely to download a contact tracing app if it was managed by a local or state department rather than a private technology company.
We reached out to our partner HackerOne to gain insight into the security of this technology. They’re at the forefront of using ethical hacking to find vulnerabilities before they become a problem, through their bug bounty program, and they’ve recently made waves with their Hack For Good initiative, giving hackers the ability to donate their bounties to WHO’s COVID-19 relief fund.
Digital Contact Tracing is said to be ready in the coming weeks. We’ve heard a bit about the uncertainty surrounding the security of this technology, especially as it’s being adopted on such a massive scale. Do you think there’s reason for concern here? Do you expect digital contact tracing apps to prompt a rise in attacks using this technology?
Data that will be used in contact tracing apps is immensely valuable for threat actors; having PII, location data, and medical data belonging to an individual allows cybercriminals to set up elaborate spear-phishing attacks that will be difficult to distinguish from legitimate medical information.
Now is even more so the time to treat your mobile phone as you would treat a laptop or desktop PC. Always install the latest security patches, use secure passcodes to lock your device, and use a device finder tool to locate and/or wipe your phone after losing it. Also, be careful which apps you install and what permissions you give those apps.
Response from Niels Schweisshelm, Technical Program Manager
Is bluetooth technology particularly susceptible to vulnerabilities? Walk us through how hackers can leverage this technology for an opportunity to attack.
All of a sudden, Bluetooth might be enabled in every mobile device, and the increased usage of the Bluetooth protocol will result in more attention from threat actors. This is further exacerbated by the increasing price for Bluetooth-related exploits on the black market due to the heightened demand.
The Bluetooth protocol and its implementations have suffered from critical vulnerabilities in the past (see BlueBorne, CVE-2017-0781). These vulnerabilities were exploitable by remote attackers and allowed for arbitrary code execution on the affected Android device. These vulnerabilities have now been fixed, but this does not guarantee that Bluetooth and its implementations will be free from future vulnerabilities. One should expect a heavy focus on Bluetooth security research in the near future, which will result in the disclosure of similar vulnerabilities. Time will tell if these vulnerabilities are responsibly disclosed to the vendors, allowing for a timely fix, or end up being used for malicious purposes.
Response from Niels Schweisshelm, Technical Program Manager
There’s also the issue of trust. Of course, there’s room for the possibility that these systems can abuse the data they collect on Americans. What measures do you think need to be made in order to secure the trust of the public?
The entire attack surface of these contact tracing applications has to be properly investigated. This should include static source code reviews as well as dynamic application testing to discover any vulnerabilities in, e.g., the web APIs. Ideally, this would be done by multiple parties to ensure a baseline level of security using a crowd-sourced approach.
The potential privacy concerns surrounding these contact tracing solutions should remind governments developing them that the security community will scrutinize these apps more than any app in recent years.
Response from Niels Schweisshelm, Technical Program Manager
Has HackerOne encountered a rise in cybercrime related to COVID-19 scams?
Yes, absolutely. However, the vulnerabilities remain the same; it’s the volume and packaging that’s evolving.
Email phishing scams using COVID-19 are on the rise. KnowBe4 recently published its Q1 2020 Top-Clicked Phishing Report, confirming that phishing email attacks related to COVID-19 increased by 600% in the first quarter of the year. In the UK, the National Cyber Security Centre asked the public to report suspicious emails via a newly launched phishing hotline, and a total of 83 coronavirus-related phishing and scam websites were taken down in just a single day. Google reports that it is blocking over 280 million daily COVID-19 spam messages and that it has identified more than 18 million daily COVID-19 malware and phishing emails in just one week.
The future of work is changing. As the work-from-home model becomes the norm and work becomes more broadly distributed, more applications, systems, and infrastructures are more vulnerable than ever. With employees working from their own home amidst social distancing orders, device sprawl and phishing attempts have become hot topics of discussion for IT and security teams. It’s easy to become too focused on only what is new with these problems, but really what we need to do is focus on the individual issues (i.e. ransomware, phishing). It’s the same threats with new packaging.
Response from Jon Bottarini, Senior Security Solutions Engineer
In light of all this, what can individuals do to curb the risk of cyber-attacks?
Aaron Zander, Head of IT, has the following security tips for all employees working remotely right now, emphasizing that basic cyber hygiene practices can go a long way in protecting both employees and the corporate network.
Invest in a good password manager. Don’t share logins and passwords unless you absolutely have to. If you have to, then it’s time to invest in a password manager for your team or company. Tools like 1Password make sharing large amounts of secure data easy and help secure your teams even more.
Use Multi-Factor Authentication (MFA). Authentication is the process by which a computer validates the identity of a user (i.e. username and password). Two-factor authentication (2FA) commonly combines a password with a phone-based authentication factor. However, there are shortcomings with 2FA, as hackers can bypass wireless carriers, intercept or redirect SMS codes, and easily compromise credentials. Multi-factor authentication is more secure as it adds an additional layer of protection. Instead of just asking for a username and password, MFA requires additional credentials, such as a code from the user’s smartphone, the answer to a security question, a fingerprint, or facial recognition.
Expect criminals to try and take advantage of the increased distances in our workplaces. Often a lot of the checks and balances around things like financial requests and last-minute invites to meetings or other services are done in person. Now that they might happen via email, be extra diligent about checking who is sending them. Phishers are going to take advantage of the lack of processes that are in place. If you get a request via email or messaging services, always try and verify outside of the initiated chain of request. For example, if you get a request from your CEO to refund a customer to a new bank account, instead of replying to that thread to confirm, message them in a new email, or via a different medium (call/instant messaging, etc.) to verify the request. For large transactions, always have another person on your team double-check the request and your work as well for safety. It’s rare that an extra hour will make a difference in the case of a WeTransfer, but the consequences of moving too quickly can be felt for a long time.
Be even more paranoid of phishing and other scams. If something looks suspicious, don’t click or act on it. Email scams related to COVID-19 are already on the rise, and the U.S. Department of Health and Human Services recently announced that they have fallen victim to a cyber-attack that involved a COVID-19 misinformation campaign that quickly spread via text, email, and social media. In general, never share personal or financial information via email if you weren’t expecting it. If you get such a request, it’s best to call or video conference the individual directly to confirm.
Stay at home. If you can, work from home, not from a coffee shop, to reduce the chances of (corporate) espionage. It’s preferable to leave the laptop at home (locked) and go out for a break and then return. If you really need to go to the coffee shop, then use a private VPN for any untrusted network or location, like encrypt.me. VPNs aren’t the end-all-be-all for security though.
Disconnect from the company’s VPN when not in use. Leaving your connections open can increase the likelihood that if you’re breached, that extends past your machine and into your corporate network. Also in a time where many more people are connecting via these services, it’ll give your infrastructure team a little more room to breathe.
Secure your home router. It is essential to ensure your home Wi-Fi router has a strong password and is up to date. Search the name of your router and the words “breach” or “security issue” and see if yours is on the list. Most of these can be fixed by doing a simple software update. If your network equipment is no longer being updated by the manufacturer, chances of vulnerabilities increase over time. It is also important to use a strong password. Make sure you’ve modified the default administrator password on your router and other network equipment. Ensure your wireless networks are using WPA2 security or higher. And, separate guest devices onto a separate wireless network isolated from your personal devices if you can.
Don’t use your personal laptop or desktop. Don’t fall prey to the habit of using your personal machine for work. It’s inherently less secure than your work machine. Also, if you install extra tools for work to your home laptop, who knows what access you’re giving to your company. It’s safer to keep them separate.
Avoid installing new apps without permission from IT. Some apps may be harmless, but inviting more apps to your device can raise cause for concern. Employees working from home may create or take into use new software tools and services that won’t be as thoroughly tested and protected as the tools they normally use, posing a great risk for the corporate network.
Don’t mix personal and work-related internet browsing. If you use Chrome, use a personal profile for personal browsing, and a work profile for work browsing. At home, it’s a lot easier to sink into mixing work and personal browsing.
Stay connected online. Connect with your co-workers often to help feel like you’re still connected to each other. Security is often tied to visibility; staying connected helps keep you and them visible.