Image credit: Valery Sharifulin via Getty Images

Qatar’s contact tracing app put over one million people’s info at risk

Authorities have fixed the flaw in the mandatory app.
Christine Fisher
May 26, 2020
DOHA, QATAR - DECEMBER 11, 2017: A Muslim man talks on the phone at Villaggio Mall. Valery Sharifulin/TASS (Photo by Valery Sharifulin\TASS via Getty Images)

Contact tracing apps have the potential to slow the spread of COVID-19. But without proper security safeguards, some fear they could put users’ data and sensitive info at risk. Until now, that threat has been theoretical. Today, reports that a flaw in Qatar’s contact tracing app put the personal information of more than one million people at risk.

The flaw, now fixed, made info like names, national IDs, health status and location data vulnerable to cyberattacks. Amnesty’s Security Lab discovered the flaw on May 21st and says authorities fixed it on May 22nd. The vulnerability had to do with QR codes that included sensitive info. The update stripped some of that data from the QR codes and added a new layer of authentication to prevent foul play.

Qatar’s app, called EHTERAZ, uses GPS and Bluetooth to track COVID-19 cases, and last week, authorities made it mandatory. According to Amnesty, people who don’t use the app could face up to three years in prison and a fine of QR 200,000 (about $55,000).

“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards. If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights,” said Claudio Guarnieri, head of Amnesty International’s Security Lab.

For contact tracing apps like EHTERAZ to work, they need -- Amnesty says mandating the apps is not the right approach. Security blunders like this one could discourage people from using the apps and undermine efforts to slow the spread of the virus.

Qatar’s misstep may encourage more countries to adopt the Apple-Google model. The “decentralized” API stores sensitive info in users’ phones, rather than a centralized server. It uses Bluetooth to exchange keys and it doesn’t gather location data. While the Apple-Google API can’t identify users, the apps that use the API may be able to. So security and privacy policies should be examined on an app-by-app basis. Hopefully incidents like this will remain rare.
