Major security flaws found in South Korea quarantine app
SEOUL, South Korea — South Korea has been praised for making effective use of digital tools to contain the coronavirus, from emergency phone alerts to aggressive contact tracing based on a variety of data.
But one pillar of that strategy, a mobile app that helps enforce quarantines, had serious security flaws that made private information vulnerable to hackers, a software engineer has found.
The defects, which were confirmed by The New York Times and have now been fixed, could have let attackers retrieve the names, real-time locations and other details of people in quarantine. The flaws could also have allowed hackers to tamper with data to make it look like users of the app were either violating quarantine orders or still in quarantine despite being somewhere else.
In interviews, South Korean officials acknowledged that they had become aware of the security lapses only after the engineer, Frederic Rechtenstein, and The Times notified them.
“We were really in a hurry to make and deploy this app as quickly as possible to help slow down the spread of the virus,” said Jung Chan-hyun, an official at the Ministry of the Interior and Safety’s disaster response division, which oversees the app. “We could not afford a time-consuming security check on the app that would delay its deployment.”
The ministry fixed the flaws in the latest version of the app, which was released in Google and Apple stores last week. South Korean officials said they had not received any reports that personal information was improperly retrieved or misused before the vulnerabilities were patched.
Governments worldwide have raced to deploy virus-tracing apps only to face complaints about poor security practices.
The Times found this spring that a virus-tracing app in India could leak users’ precise locations, prompting the Indian government to fix the problem. Amnesty International discovered flaws in an exposure-alert app in Qatar, which authorities there quickly updated. Other nations, including Norway and Britain, have had to change course on their virus apps after public outcry about privacy.
In April, South Korea began requiring all visitors and residents arriving from abroad to isolate themselves for two weeks. To monitor compliance, they had to install an app whose name in Korean means Self-Quarantine Safety Protection.
In May, Rechtenstein returned to his home in Seoul from a trip abroad. While self-isolating at home, he became curious about the government’s seemingly simple app and what extra features it might have. That prompted Rechtenstein to peek under the hood of the code, which is how he discovered several security flaws.
He found that the software’s developers were assigning users ID numbers that were easily guessable. After guessing a person’s credentials, a hacker could have retrieved the information provided upon registration, including name, date of birth, sex, nationality, address, phone number, real-time location and medical symptoms.
Rechtenstein also found that the developers were using an insecure method to scramble, or encrypt, the app’s communications with the server where data was stored. Instead of HTTPS, the security standard used by apps like Gmail and Twitter, the app used an encryption key written directly into its code.
Doing so meant hackers could easily find the key and decode the data if they had tried. It also meant the key did not change depending on the message being sent or on the user sending it.
The key was also far from random: It was “1234567890123456.”
With such weak encryption, monitoring all of the app’s communications with the server would be possible simply by being on the same unprotected WiFi network as someone else using the app.
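The two defects the article describes, guessable user IDs and a single key fixed in the client code that never varies per message or per user, are both shown side by side with their hardened counterparts in the following Go program. This is an added example, not code from the app or from the Ministry, and it makes assumptions the article does not confirm: the weak side uses AES in ECB mode purely to illustrate encryption with no per-message randomness (the article does not name the mode), the eight-digit sequential ID format is constructed, and the sample status report is made up. The 16-byte key value itself is the one the article quotes. The "session key" stands in for the per-connection secret that an HTTPS (TLS) handshake would have negotiated instead of a constant shipped with the app.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// StaticKey is the 16-byte key the article quotes, baked into the client.
// Anyone who can read the app's code can read this value.
const StaticKey = "1234567890123456"

// EncryptStaticECB is the weak pattern: one fixed key shared by every user and
// no per-message randomness (ECB mode is an assumption for illustration). The
// same report always yields the same bytes, so an observer on the same Wi-Fi
// can match messages without the key, and with the key reads them all.
func EncryptStaticECB(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher([]byte(StaticKey))
	if err != nil {
		return nil, err
	}
	// PKCS#7 padding up to a whole number of 16-byte blocks.
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// NewSessionKey returns a fresh 256-bit key from the OS CSPRNG, standing in
// for the per-connection secret a TLS handshake negotiates.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptGCM is the hardened pattern: AES-256-GCM with a random 96-bit nonce
// prepended to the ciphertext. Repeated plaintexts give different bytes, and
// the authentication tag makes any tampering (e.g. a rewritten location) fail.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptGCM reverses EncryptGCM and fails closed on a wrong key or a
// modified byte.
func DecryptGCM(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ciphertext[:aead.NonceSize()], ciphertext[aead.NonceSize():]
	return aead.Open(nil, nonce, body, nil)
}

// SequentialID is the guessable-identifier pattern (constructed format): from
// one ID every neighbouring ID follows by counting.
func SequentialID(n int) string {
	return fmt.Sprintf("%08d", n)
}

// NewRandomID returns a 128-bit random identifier as hex; no ID can be
// derived from another, so enumeration is not possible.
func NewRandomID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	report := []byte("status=in_quarantine;lat=37.56;lon=126.97") // constructed sample
	c1, _ := EncryptStaticECB(report)
	c2, _ := EncryptStaticECB(report)
	fmt.Println("static key, same report twice, identical ciphertext:", bytes.Equal(c1, c2))
	key, _ := NewSessionKey()
	g1, _ := EncryptGCM(key, report)
	g2, _ := EncryptGCM(key, report)
	fmt.Println("session key + nonce, identical ciphertext:", bytes.Equal(g1, g2))
	id, _ := NewRandomID()
	fmt.Println("guessable:", SequentialID(42), " random:", id)
}
```

The first two printed lines are the point of the exercise: with the static key the same report encrypts to the same bytes every time (`true`), while with a per-session key and a fresh nonce it does not (`false`). In a real deployment the session-key side is what TLS provides for free, which is why "use HTTPS" was the fix rather than a better constant; the random ID side removes the enumeration path that guessable user numbers opened.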