Sign in Register
Posted On: 26 May 2020 06:25 pm
Updated On: 26 May 2020 09:34 pm

Qatar's EHTERAZ app flaw fixed after Amnesty reported risk [UPDATE]

Paper Boy
Paper Boy
Discuss here!
Start a discussion
Ehteraz-app-cover

UPDATE: 7:27 pm

The Ministry of Public Health has posted an update to the news below on its Twitter page stating that the Ehteraz app’s user privacy and platform security are of the utmost importance. A comprehensive update of the app rolled out on Sunday 24 May with expanded security and privacy features for all users. These updates are part of the continuous work to review and improve the app's security, including issues brought to our attention by third party groups.

-----------------------------------------------------------

6:25 pm

As everyone knows by now, the authorities made it mandatory for all citizens and residents to use the Ehteraz application. To register, users needed to enter their name, number and Qatari ID number. The app also requires access to phone features such as Bluetooth and Location tracking for it's warning system; that let's users know if they're in close contact with someone who's been found positive or been in an area where someone was positive.

Amnesty International reported that they uncovered security vulnerabilities, that if exposed, would have released the personal data of over a million people who have downloaded and installed the app. Fortunately in this case, Amnesty reached out to the authorities and it's been reported that the vulnerabilities have been fixed.

A recent investigation by Amnesty’s Security Lab discovered significant weakness in the configuration of Qatar’s EHTERAZ contact-tracing app, which has been developed by the Ministry of Interior using GPS and Bluetooth technology to track COVID-19 cases.

Since the app is mandatory, it's critical that the systems behind the application have the highest levels of security. At the moment, it's not a choice, all citizens and residents have to enable the application when leaving the home. People who do not use the app can face up to three years in prison. The app uses a colour-coded “QR” system - if red, a user’s health is “Confirmed” (supposedly having been diagnosed with COVID-19); if yellow, the user is “In Quarantine”; if grey, the user is “Suspected”; and if green the user is “Healthy”.

So what was one of the way's people's data was shared? The QR code included sensitive personal information such as names (in English and Arabic), the location of confinement and of treatment. Amnesty was able to access sensitive personal information - including names, health status and GPS coordinates of a user’s designated confinement location - as the app’s central server did not have security measures to protect such data.

While Amnesty acknowledges efforts made by the government of Qatar to contain the spread of the coronavirus (COVID-19) pandemic - including access to free healthcare - all measures must be in line with human rights standards.

Claudio Guarnieri, Head of Amnesty International’s Security Lab, said:

“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact-tracing app that malicious attackers could have easily exploited.

“This vulnerability was especially worrying given use of the EHTERAZ app was made mandatory last Friday.

“This incident should act as a warning to governments around the world rushing out contact-tracing apps that are too often poorly designed and lack privacy safeguards.

“If technology is to play an effective role in tackling the virus, people need to have confidence that contact-tracing apps will protect their privacy and other human rights.

“The Qatari authorities must reverse the decision to make use of the app mandatory, and all governments must ensure contact-tracing apps remain entirely voluntary and in line with human rights.”

How the security alert unfolded

Amnesty alerted the Qatari authorities to the app’s vulnerability shortly after making the discovery on 21 May, with the authorities acting to fix the weakness by the end of 22 May.

When alerted to the privacy failings, the Qatari authorities stripped out names and location data. Then, on Sunday, the authorities released an update to the app that adds a new layer of authentication to prevent data harvesting. While these changes appear to fix the issue, Amnesty has been unable to fully verify whether they have.

Sensitive personal information continues to be uploaded to a central database and the authorities can enable real-time location tracking of users at any time.

UK among countries seeking to use similar apps

The UK is also in the process of introducing a contact-tracing app for coronavirus (COVID-19) based on a controversial central database model, something Amnesty has questioned on human rights grounds.

The UK and Qatar are among more than 45 countries currently using - or intending to use - coronavirus (COVID-19) contact-tracing apps. Vulnerabilities in Qatar’s app were uncovered as part of Amnesty’s global analysis of such apps aimed at assessing their human rights compliance.

Contact tracing is an important component of effective pandemic response, and contact-tracing apps have the potential to support this objective. However, in order to be consistent with human rights obligations, these apps must incorporate privacy and data protection by design, meaning any data collected must be the minimum amount necessary and securely stored. Data collection must be restricted to controlling the spread of coronavirus (COVID-19) and should not be used for any other purpose - including law-enforcement, national security or immigration control. It should not be made available to any third party or for commercial use. Any individual decision to download and use contact-tracing apps must be entirely voluntary.

This is a wake up call

It is the responsibility of all individuals, companies and organizations to invest in security measures to protect user and customer data. We've seen Sony have a data breach of Playstation ID's, Banks lose customer information, and giant corporations fall victim to cyber attacks. Qatar itself is host to the Cyber Security forums and a common discussion point is the importance of investing in security software, hardware, and specialists.

It's equally the responsibility of organizations to notify their users of any breaches in addition to any 'potential' breaches. It's the only way to make sure that people can also protect themselves. App developers should also only be requesting access permission for services that are essential.

One useful website is https://haveibeenpwned.com/, by entering your email address, you'll be able to see if your information has been potentially leaked anywhere so that you can act fast and change your passwords.

Stay safe everyone.

Source: Amnesty International Press Release