Who woulda thunk it? It turns out Qatar’s coronavirus contact tracing app, which the country madecompulsory to installfor residents last week, has glaring security holes.
Amnesty‘s Security Labsfounda critical vulnerability in the software — dubbed Ehteraz — which would have allowed attackers to obtain tons of highly sensitive personal information, including the name, national ID, health status, and location data of more than 1 million users.
Fortunately, the issue has since been patched after Amnesty informed the Qatari government of the potential threat on May 21. The authorities responded promptly, releasing a fix on May 22.
“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited,” said head of Amnesty‘s Security Labs, Claudio Guarnieri.“This vulnerability was especially worrying given use of the Ehteraz app was made mandatory last Friday.”
Amnesty’s investigation found that Ehteraz requested a QR code from a central server by providing a user’s national ID. Since no authentication was required, anyone could have requested a QR code for any Ehteraz user. This, in turn, would’ve made it possible to generate all possible ID combinations and retrieve all data the app stores.
“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards,” Guarnieri added. “If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights.”
Although Ehteraz was initially optional to install, Qatar later made it mandatory for all citizens to install the app when going outside — orface up to three years in prison and up to $55,000 in fines. Many protested the decision, citing concerns about the amount of data the app was collecting.
It turns out they had every right to be worried.