A number of vulnerabilities in the Vietnamese government savory application that understand 'what should be noted in development to protect privacy' with the development of a new corona tracking system
Apple and Google have
Vietnam's contact tracing app broadcasting a fixed ID
https://vnhacker.blogspot.com/2020/04/vietnams-contact-tracing-app_26.html
Bluezone is an application developed by the Vietnamese government led by a domestic IT company and the Ministry of Information and Communications of Vietnam to track the contact status of people infected with the new coronavirus infection.At the time of article creation, 24,000 people were used. There is a person. Thai was interested in Bluezone and offered to help with the development, but he said he didn't receive any information about the app. The developer had pledged to release the source code of the application, but since the source code was not released at the time of release of the application, Thai said that as a result of reverse engineering the application, multiple vulnerabilities were discovered. I am.
As the first vulnerability, Thai pointed out that Bluezone assigns a fixed ID to each terminal that installed the application and broadcasts that ID to other terminals. According to Thai's investigation, Bluezone is the only new coronavirus tracking system with a specification to broadcast a fixed ID. The developer of Bluezone argued that 'the MAC address of Bluetooth is also fixed to the terminal and is broadcast to other terminals in the same way,' Mr. Thai said, 'In the case of Bluetooth, the detection function is turned off By doing so, you can stop broadcasting the MAC address, and Bluetooth Low Energy has a randomized MAC address. ”
The second vulnerability is the predictability of fixed IDs. Thai estimates that Bluezone is generating the ID by inputting the current date and time into the
The third vulnerability is that the ID is too short. Since the length of ID is only 36 6 to 2 31 digits, it will be calculated that ID collision will occur if more than 65,000 people use it. Considering the rate of increase in users, Thai predicts that this collision will cause a situation where two users will share the same ID within the next two weeks, which will cause malfunctions that share infection information. The developer says that ID collisions do not occur, but Thai says that there is no such mechanism from the result of reverse engineering the Android application.
As the fourth vulnerability, the Android application requests access to external storage to save the detected other device's ID and Bluetooth MAC address, but the request item also accesses photos and media. The points included are listed. In this regard, the developer replies that the request for external storage is appropriate.
Mr. Thai received an email from the person in charge of the development requesting that he helped improve the application, and he said that he would be happy to help by publishing the source code on GitHub. The source code of Bluezone was released on GitHub on April 26, 2020, probably because of Thai's efforts.
GitHub-BluezoneGlobal / bluezone-app: Bluezone-Ba ̉o vệ mi ̀nh, ba ̉o vệ cộng đồng
https://github.com/BluezoneGlobal/bluezone-app
Related Posts: