Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.
Since COVID-19 began spreading all over the world, governments have embraced a variety of invasive contact-tracing measures via smartphones. Now Apple and Google have teamed up in a rare joint effort to do just that while possibly still preserving the privacy of the individuals who use their system.
A few weeks ago they proposed an opt-in automated system which will use Bluetooth-based identifiers to keep track of whether a smartphone’s owner has come into contact with someone who is later positively diagnosed with coronavirus.
Most importantly, it will be interoperable between the two dominant smartphone platforms — Android and iOS — and will be turned off on a region-by-region basis when the pandemic is over.
The project — influenced by similar proposals from researchers at Carnegie Mellon (NOVID), MIT (Private Kit: Safe Paths), Stanford (COVID Watch), and TCN Coalition — is an important step because it makes zero use of location data. (This, however, doesn’t prevent apps using Google and Apple’s API from asking for your location data anyway.)
While it’s clear that the upcoming system has some privacy advantages, it’s essential that it doesn’t collect any information it shouldn’t and stores as much data as possible on the user’s device rather than in a central server.
Similar debates around Bluetooth tracking are taking place in Europe too, including approaches such as Decentralized Privacy-Preserving Proximity Tracing (DP3T) and Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT).
But even with this Bluetooth tech, there are still some hurdles: It would need widespread adoption, and people would have to “trust” the system enough to share their proximity data and infection status. Plus, such solutions may not adequately account for the potential for abuse, the risk of false positives, or the possibility of a correlation attack.
“I suspect the tracing apps are really just do-something-itis,” security researcher Ross Anderson said.
Yet there’s a paradox here. If the app is voluntary, nobody really has an incentive to use it, and the efficacy of contact tracing becomes extremely limited. On the other hand, if it’s made compulsory in workplaces, schools, universities, and grocery stores, it could easily defeat the opt-in nature of the system — thus inadvertently feeding the mass surveillance system it was meant to stop.
After all, it’s impossible for Apple and Google to go after businesses and governments and stop them from forcing it on society at large. This is an ethical dilemma that neither seems to be addressing as yet.
What’s trending in security?
Google is blocking more than 18 million malware and phishing emails related to COVID-19 daily, with over 240 million COVID-related spam messages filtered daily. Security firm Carbon Black said ransomware attacks against corporations it monitored jumped 148% in March from the previous month. In a piece of good news, Jitsi, the open-source video calling platform, said it’s working on end-to-end encryption.
That’s it. See you all in two weeks. Stay safe!
Ravie x TNW (ravie[at]thenextweb[dot]com)