[COVIDWatch]: Does the TraceTogether app expose you to hackers?

By November 26, 2020 COVID-19, Health

We came across this post on Facebook group Return Our Privacy – SG:

The post shares a screenshot of a comment made by a netizen who states that he/she is concerned about the TraceTogether app because “other strangers can see your phone on their bluetooth”. The netizen then states that he/she will not download the app out of fears of being hacked and will collect the Token instead.

As a quick overview, TraceTogether is an initiative by the Singapore government that uses a mobile app and a physical token to aid contact tracing for the COVID-19 pandemic.

When phones with the TraceTogether app installed are near one another, they exchange anonymised proximity information via Bluetooth, which is then stored in encrypted form on the users’ phones. The information is shared with the Ministry of Health (MOH) only if a user tests positive for COVID-19. The Bluetooth information stored on the phones is also automatically deleted after 25 days.

As for how the Token works, it also uses Bluetooth technology and exchanges signals with other tokens or smartphone devices running the TraceTogether app. The Token then encrypts data of the devices near it and stores the information for up to 25 days before deleting it.

Individuals can use either the app or the Token in the initiative, although the app does come with additional features, such as letting users see their SafeEntry check-in history and run self-checks on whether they had possible exposure to COVID-19.

Hacking via Bluetooth

First of all, the concern that the netizen in the screenshot has is legitimate, given that hacking operations done via Bluetooth are entirely possible and have been reported over the years. In 2017, a security firm discovered eight vulnerabilities in the technology that could be used to spread malware among Android, iOS, and Windows devices.

Just a few days ago, it was also reported that a security researcher managed to steal a Tesla Model X via a Bluetooth connection “in just a matter of minutes”.

Earlier in February, Germany-based security firm ERNW also uncovered a bug in Android’s Bluetooth subsystem that can be exploited to hack a device. ERNW advised customers to enable Bluetooth connectivity only when necessary, and to keep their connections “non-discoverable”.

Staying (cyber)safe

When we reached out for more information on the security measures that have been put in place for TraceTogether, the Smart Nation and Digital Government Group (SNDGG) said that TraceTogether “combines an innovative use of Bluetooth mobile technology, with a privacy-preserving protocol”.

SNDGG added:

“The app uses Bluetooth in a similar fashion to other Bluetooth devices like smart watches, speakers and other accessories. So long as your app and operating system are kept updated, the risk of vulnerabilities on the phone being hacked is low. TraceTogether also uses anonymised identifiers that are reset regularly to make it impossible for third parties to track users or obtain private information from the app.

In addition, all Bluetooth exchanges between TraceTogether devices are recorded and stored only on an individual’s device, in anonymised and encrypted form. They are only submitted to the Ministry of Health for contact tracing purposes if you agree to a request to upload that data.”

Therefore, while it is true that turning on your Bluetooth connection could expose you to the potential of being hacked, there are security safeguards that are actively being put in place. Individuals can also stay safe by keeping their phone operating system and apps updated regularly.
