DeepSec 2023 Talk: 1h Talk – LeaveHomeSafe: The Good, the Bad, the Ugly – Abraham Aranguren
The COVID-19 pandemic has led to the development and deployment of various contact tracing apps worldwide, including the Hong Kong government’s LeaveHomeSafe app. In this talk, we will present the findings of our comprehensive security assessment of LeaveHomeSafe, which uncovered a range of vulnerabilities from minor to critical.
We will discuss the overall app design and functionality, the uncovered issues related to data privacy and security, as well as interesting edge-case scenarios. We will delve into the technical details of the vulnerabilities we found, demonstrating the tools and techniques used to identify and exploit them.
Our talk will also cover the disclosure process, as well as the subsequent press and official Hong Kong government reactions, which garnered international attention.
The talk will break down the good, the bad and the ugly of this security audit journey, from security audit to disclosure, public release, meetings with journalists and various attempts to further prove a number of security findings.
Attendees will gain valuable insights into the unique challenges of securing contact tracing apps, as well as the importance of conducting thorough security assessments before deploying such apps at scale. We will provide actionable recommendations to improve the security of LeaveHomeSafe and other similar apps, emphasizing the need for ongoing security testing and continuous improvement. Join us for an engaging and thought-provoking discussion on the security implications of contact tracing apps in the context of the COVID-19 pandemic.
For some preliminary talk background, please see:
https://7asecurity.com/blog/2022/07/leavehomesafe-android-ios-apps/
We asked Abraham a few more questions about his talk.
Please tell us the top 5 facts about your talk.
We discuss the overall app design and functionality
The uncovered issues related to data privacy and security, as well as interesting edge-case scenarios
We delve into the technical details of the vulnerabilities we found, demonstrating the tools and techniques used to identify and exploit them
The disclosure process, as well as the subsequent press and official Hong Kong government reactions, which garnered international attention
The talk will break down the good, the bad and the ugly of this security audit journey
Subject Matter: The talk centers around the security vulnerabilities and privacy concerns associated with the LeaveHomeSafe mobile app, which is used in Hong Kong for contact tracing purposes during the COVID-19 pandemic.
Audit Findings: The talk discusses the findings of an independent security and privacy audit conducted by 7ASecurity on the app. The audit revealed security vulnerabilities and privacy-related issues within the app’s design and functionality.
Political Context: The talk highlights the political backdrop in which the app was introduced, including the Chinese government’s encouragement for real-name registration and the app’s mandated use in various public venues.
Privacy and Data Protection: The talk underscores the critical importance of balancing public health benefits with data privacy. It explores the ethical implications of collecting and using personal data in the context of contact tracing apps.
Future Implications: The talk delves into potential future developments in contact tracing technology, including innovations and challenges. It provides insights into what the future might hold for privacy, security, and public health initiatives in the realm of digital contact tracing.
These facts encapsulate the core themes and implications of the talk, shedding light on its significance and relevance within the broader context of technology, privacy, and public health.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
The creation of this talk is driven by a desire to inform the public about potential security and privacy risks associated with the LeaveHomeSafe app, particularly given the app’s widespread adoption and government mandates. The combination of technical findings, investigative journalism, and the broader political and privacy context contributed to the decision to create and share this information through a talk.
Why do you think this is an important topic?
This topic is at the intersection of public health, technology, ethics, and individual rights. It has the potential to impact people’s lives, shape the future of disease management, and influence the broader conversations about technology’s role in society. Addressing these challenges in a responsible and ethical manner is essential to realizing the benefits of contact tracing apps while mitigating potential risks.
Is there something you want everybody to know – some good advice for our readers maybe?
When it comes to using technology responsibly, especially in contexts like contact tracing apps or any digital tools involving personal data, there are some key pieces of advice to keep in mind:
- Protect Privacy: Prioritize apps that respect your privacy and data security.
- Stay Informed: Understand how apps work and what data they collect.
- Control Data: Choose apps that let you control your data and consent.
- Update Regularly: Keep apps and devices updated for security patches.
- Use Strong Authentication: Enable multi-factor authentication for added security.
- Be Skeptical: Question requests for sensitive info or financial details.
- Educate Yourself: Learn about tech basics and potential risks.
- Limit Sharing: Share only necessary information with apps.
- Report Suspicious Activity: Report any compromises to relevant authorities.
- Use Trusted Sources: Download apps from official stores or trusted sites.
- Balance Convenience: Find a balance between convenience and security.
Ultimately, the goal is to enjoy the benefits of technology while minimizing potential risks to your privacy and security. Being informed, cautious, and proactive can go a long way in maintaining a safe and enjoyable digital experience.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
In the field of contact tracing apps and data privacy, several trends and potential developments can be anticipated:
Innovations: Enhanced Privacy Measures: Future contact tracing apps are likely to implement even stronger privacy measures, such as advanced encryption techniques, decentralized data storage, and more granular control over data sharing.
Blockchain Integration: Blockchain technology could be utilized to ensure secure and tamper-proof records of interactions, providing transparency and trust in contact tracing data.
Health Data Integration: Contact tracing apps may integrate with health records, wearable devices, and other health-related data sources to provide a more comprehensive picture of users’ health status.
AI-driven Insights: Artificial intelligence could play a role in analysing contact tracing data to identify patterns, hotspots, and potential outbreaks more efficiently.
Cross-Border Compatibility: As international travel resumes, efforts to standardize and harmonize contact tracing apps across different countries for effective cross-border disease control could gain traction.
Potential Downfalls: Privacy Concerns: Striking the right balance between effective contact tracing and user privacy remains a challenge. If not managed carefully, apps could face backlash due to perceived privacy infringements.
Digital Divide: Some individuals might not have access to smartphones or might not be tech-savvy enough to use contact tracing apps effectively, leading to unequal coverage and reduced effectiveness.
Data Breaches: As these apps handle sensitive health and personal data, the risk of data breaches and cyberattacks could increase, compromising user information.
False Sense of Security: Relying solely on contact tracing apps might lead to a false sense of security, causing individuals to neglect other preventive measures like mask-wearing and social distancing.
Ethical Concerns: As these apps become more integrated into daily life, ethical questions about consent, data ownership, and surveillance might intensify, requiring careful consideration.
The evolution of contact tracing apps will likely involve continuous efforts to innovate while addressing potential pitfalls to ensure both public health and individual rights are upheld.
After 15 years in IT Sec and 22 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense”, a hands-on eLearnSecurity attack / defense course, OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity, @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications.