Major security flaws found in South Korea quarantine app
SEOUL — South Korea has been praised for making effective use of digital tools to contain the coronavirus, from emergency phone alerts to aggressive contact tracing based on a variety of data.
SEOUL — South Korea has been praised for making effective use of digital tools to contain the coronavirus, from emergency phone alerts to aggressive contact tracing based on a variety of data.
But one pillar of that strategy, a mobile app that helps enforce quarantines, had serious security flaws that made private information vulnerable to hackers, a software engineer has found.
The defects, which were confirmed by The New York Times and have now been fixed, could have let attackers retrieve the names, real-time locations and other details of people in quarantine. The flaws could also have allowed hackers to tamper with data to make it look like users of the app were either violating quarantine orders or still in quarantine despite being somewhere else.
In interviews, South Korean officials acknowledged that they had become aware of the security lapses only after the engineer, Mr Frédéric Rechtenstein, and The Times notified them.
“We were really in a hurry to make and deploy this app as quickly as possible to help slow down the spread of the virus,” said Mr Jung Chan-hyun, an official at the Ministry of the Interior and Safety’s disaster response division, which oversees the app. “We could not afford a time-consuming security check on the app that would delay its deployment.”
The ministry fixed the flaws in the latest version of the app, which was released in Google and Apple stores last week. South Korean officials said they had not received any reports that personal information was improperly retrieved or misused before the vulnerabilities were patched.
Governments worldwide have raced to deploy virus-tracing apps only to face complaints about poor security practices. With the software gathering so many details about users, their health and their locations, the apps are prime targets for hackers. But pressure to act quickly appears to have allowed software with inadequate security features to be rushed out in several nations.
The Times found this spring that a virus-tracing app in India could leak users’ precise locations, prompting the Indian government to fix the problem. Amnesty International discovered flaws in an exposure-alert app in Qatar, which authorities there quickly updated. Other nations, including Norway and Britain, have had to change course on their virus apps after public outcry about privacy.
In April, South Korea began requiring all visitors and residents arriving from abroad to isolate themselves for two weeks. To monitor compliance, they had to install an app whose name in Korean means Self-Quarantine Safety Protection.
As of last month, more than 162,000 people had downloaded the app, which tracks users’ locations to ensure they remain in quarantine areas. Violators might be required to wear tracking wristbands or pay steep fines.
In May, Mr Rechtenstein returned to his home in Seoul from a trip abroad. While self-isolating at home, he became curious about the government’s seemingly simple app and what extra features it might have. That prompted Mr Rechtenstein to peek under the hood of the code, which is how he discovered several major security flaws.
He found that the software’s developers were assigning users ID numbers that were easily guessable. After guessing a person’s credentials, a hacker could have retrieved the information provided upon registration, including name, date of birth, sex, nationality, address, phone number, real-time location and medical symptoms.
Rechtenstein also found that the developers were using an insecure method to scramble, or encrypt, the app’s communications with the server where data was stored. Instead of HTTPS, the security standard used by apps like Gmail and Twitter, the app used an encryption key written directly into its code.
Doing so meant hackers could easily find the key and decode the data if they had tried. It also meant the key did not change depending on the message being sent or on the user sending it.
The key was also far from random: It was “1234567890123456.”
With such weak encryption, monitoring all of the app’s communications with the server would be possible simply, for instance, by being on the same unprotected Wi-Fi network as someone else using the app.
The Times examined the app’s code and confirmed Rechtenstein’s findings. After The Times approached South Korean authorities about the security flaws last month, officials said they had put a priority on deploying the app quickly “to save lives.”
Mr Jung, the Interior Ministry official, said his team had developed the app with Winitech, a software maintenance and repair company in Daegu, a South Korean city that became a centre of the outbreak in February.
Winitech’s senior managing director, Mr Hong Seong-bok, said that when the company first developed the app, it expected that only a small number of South Koreans would ever use the software.
“We had never thought that it would be used by so many people, becoming a must-install app for all arrivals at the airport,” Mr Hong said.
Mr Jung said that while the group had worked around the clock to develop the app and train officials on how to use it, they lacked the expertise to make the software secure.
Over time, the government also asked Jung’s team to add surveillance functions to the app, which officials said had increased their workload and prevented them from spending time hunting for security flaws.
A feature was added, for instance, that caused a quarantined person’s phone to emit a noise or vibrate when it was not physically moved for more than two hours. If the user did not respond by picking up the device, it was a potential sign that the person had ventured out and left the phone behind. The app would then alert authorities.
To keep a closer watch on quarantine violators, another function was added to connect tracking wristbands to the app.
“We were simply overwhelmed with work,” said Mr Koo Chang-kyu, a South Korean official.
In meetings last month with Rechtenstein and a Times reporter, South Korean officials initially played down the security issues, saying that they had deleted personal data and disabled the app once a user completed the two-week quarantine.
But Mr Rechtenstein demonstrated in the meeting that his data could still be retrieved from the government server by using the app on his phone, even though his quarantine had ended more than a week earlier. South Korean officials later said they had fixed the problem.
South Korea has become a global poster child for its creative and transparent handling of the coronavirus pandemic. But the app’s security flaws show how the country lags in protecting personal data, Mr Rechtenstein said. He also expressed disappointment at how long it took authorities to fix the problems.
The episode could “affect perceptions about the Korean model” for combating the pandemic, Mr Rechtenstein said. THE NEW YORK TIMES