Airport Wi-Fi ‘insecure’ for using vaccine passport apps
Former spy chief advises downloading NHS data before arrival or through mobile data or VPN
BRITONS are warned against using airport Wi-Fi to log into the NHS app to their vaccine passports in case hackers steal their details.
It follows Government plans to add vaccine passports to the app which could allow people to travel abroad by proving they have been vaccinated.
But logging into the app and loading health data on unsecure Wi-Fi could allow access to passwords and personal information about people’s health.
Peter Yapp, a Schillings partner and former deputy director at GCHQ’s National Cyber Security Centre, said: “Don’t access this through Wi-Fi connections that you don’t know anything about. That just gives someone the opportunity to get the data as it’s passing through.”
Hackers have used their own public Wi-Fi networks in the past to trick people into signing up for them and then stealing their information.
“It has happened for a long, long time and it continues to happen,” said Matt Lock, a director at cybersecurity business Varonis.
“There is nothing stopping anybody walking into public spaces and setting up their own public Wi-Fi,” he added. “Then all your traffic is potentially being captured.”
Hackers set up their own Wi-Fi networks, often with innocent-sounding names that mimic legitimate networks. Once a victim logs on to a hacker’s network, all their web traffic can be intercepted and hackers can monitor which websites and apps are used.
They can also steal login information including passwords and any data sent to their apps, including the health records in the NHS app. Travellers should download the NHS app and log into it to save their vaccine information before they travel.
The Government is examining ways to export vaccine passport data outside the NHS app to save it in a digital wallet that can be accessed offline without Wi-Fi or mobile data connection.
Other ways to minimise the risk include using mobile data instead of Wi-Fi and subscribing to a virtual private network (VPN) that encrypts data.
“If you really want to have peace of mind, you need to be using a VPN,” Mr Lock said. VPN software encrypts smartphone traffic, helping to keep your information secure even when using public Wi-Fi.
A group backed by the Russian government hacked into the Wi-Fi of San Francisco International Airport and two other West Coast US airports, it was revealed last year. Instead of stealing masses of information, the hackers appeared to have been attempting to intercept the data from just 10 people.
Just knowing part of someone’s health information is unlikely to be particularly valuable to cybercriminals. But snippets of information can help them to build up profiles on people that could be used for targeted scams.
“Attackers are trying to build up a picture and they’re trying to monetise it,” Mr Yapp said. “If you get a date of birth or a postcode and then you add it to something else that you’ve found about a person like an email address you start to be able to target them with scams, very focused scams,” he added.
The Department of Health and Social Care said: “The Government is working on providing the means to demonstrate Covid status easily – through a digital route as well as a route for people who don’t have a smartphone. Security and privacy will be at the core of our approach. Use of the NHS App is being considered as part of the digital route.”