Are Covid test QR codes a security risk?
The CEO of British technology company VST Enterprises Ltd (VSTE) has warned the UK Government of potential serious flaws in the security of personal data used in the contact tracing app announced by Secretary of State for Health Matt Hancock.
Louis-James Davis has stated that the QR code scanning technology which underpins the government's contact tracing app is flawed, because its reliance on the codes leaves it open to a process called “Attagging”, or cloning.
“Attagging” is where a real QR code is replaced by a cloned one, which then redirects the person scanning that code to a similar website where personal data can be intercepted and breached. This is done without most users being able to notice that the website's domain name has changed.
Now Louis-James Davis and a consortium of other companies have written to the government to highlight the serious risks QR code technology poses to users. The letter also contained details of VSTE's own testing solution: a test that, instead of QR codes, uses end-to-end encryption with closed loop technology, which they say creates 300 million code variations per person on the planet, making the data unhackable.
So is scanning QR codes really that risky? Last year the creator of the QR code himself, Masahiro Hara, expressed concerns over security, saying that the technology needed a revamp to protect people's personal information.
A recent study by US software company MobileIron concluded that it's only a matter of time before attacks via QR codes become commonplace, given how easily a malicious URL containing custom malware can be embedded in the code. As well as directing users to phishing sites encouraging them to divulge personal details, the malware could extract data from mobile devices when scanned.
MobileIron's research found that 71% of respondents cannot distinguish between a legitimate and malicious QR code. Meanwhile 51% of respondents have privacy, security, financial or other concerns about using QR codes, but use them anyway.
“We have highlighted the serious security flaws of using QR codes in healthcare and ID technology in our proposal and plan submitted to the government,” Davis, CEO of VSTE, said. “When you are dealing with the public’s personal information and private data, security is of paramount importance and crucial to public confidence.
“Essentially QR codes can be cloned and redirected to other information points or websites. Often criminals and hackers will exploit this by putting a fake QR code over a genuine QR code. So a QR code, for example, on scanning would link to the genuine website www.similardomain.com, but a fake QR code can be made up, printed off and placed over the genuine code to redirect to www.similar-domain.com. At this point the member of the public is tricked into entering their personal information, private data and financial information. The rogue website looks and feels exactly like the genuine one and is made to mirror it precisely.”
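A defender-side check for the substitution described above, as an added example that is not from the article or from VSTE: it compares the host in a decoded QR payload against an allowlist and flags near-matches before the link is opened. The allowlist, the function names, the HTTPS-only rule and the distance threshold are assumptions; the two hostnames are the article's own placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the operator publishes the exact hosts its QR codes point to.
# www.similardomain.com is the article's placeholder for the genuine site.
TRUSTED_HOSTS = {"www.similardomain.com"}

def _skeleton(host):
    """Collapse differences a reader overlooks: case, hyphens, a leading www."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.replace("-", "")

def _edit_distance(a, b):
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_qr_url(payload, trusted=TRUSTED_HOSTS, max_distance=2):
    """Return 'trusted', 'lookalike', 'untrusted' or 'invalid' for a decoded QR payload."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname  # ignores any user@ prefix placed before the real host
    except ValueError:
        return "invalid"
    # Assumed policy: only https links with a host are acceptable in a QR code.
    if parts.scheme != "https" or not host:
        return "invalid"
    host = host.lower().rstrip(".")
    if host in trusted:
        return "trusted"
    for good in trusted:
        # A near-match to a trusted host is more suspicious than an unrelated one.
        if _edit_distance(_skeleton(host), _skeleton(good)) <= max_distance:
            return "lookalike"
    return "untrusted"
```

A scanner app or kiosk would call `classify_qr_url` on the decoded text and refuse, or show the full hostname prominently, for anything other than `trusted`.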