Srsly Risky Biz: Apple, Google to bring COVID-19 contact tracing to billions

The Risky Biz newsletter for April 14, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at

Apple and Google have answered a call from policy makers to build a consent-based contact tracing tool for Android or iOS devices.

The two organisations will release OS updates in mid-May that allow health authorities to use ‘contact detection’ APIs developed by Apple and Google to launch multi-platform contact tracing apps.

Under the published design, if two users of these apps have been in close proximity for a designated period of time, their devices exchange a set of identifiers (ephemeral ‘tracing keys’) via Bluetooth Low Energy (BLE). Storage of these anonymised identifiers is decentralised - stored only on user devices.

Users who discover they are COVID+ use the app to provide health authorities consent to flag their infection (store a ‘diagnosis key’) on a remote server for 14 days. The server is in turn polled intermittently by all other users of the apps to check for a match between the keys stored on their device (who they have been in contact with) and COVID+ keys on the server (known positive infections). If there is a match, the local health authority can determine a process for validating it and identifying at-risk users.

Apple and Google representatives told Risky.Biz that the servers can be hosted by health authorities, or by Apple and Google if the authorities choose.

A second phase of the project will bake the contact tracing functions directly into the iOS and Android operating systems. Users will be prompted by the OS, seeking consent to begin storing proximity data. The user will only need to download an app if they test positive to COVID-19 or if they are notified by a health authority that they have been in close proximity with an infected person.

The system design nonetheless provides the tech companies visibility into whether the technology is being abused by a government - and a means to switch it off for users in a given region. The two companies promised to make it transparent to users whether the capability is running or not.

The app does not need to collect location data to be effective - at least, not without significant cooperation by other users in a person’s immediate proximity - and requires no ongoing user interaction. In doing so, it harnesses the best privacy attributes of academic efforts such as MIT’s PrivateKit and Pepp-PT, while delivering to a potential user base of over 3 billion people.

The mobile OS giants published the Bluetooth, API and crypto specifications proposed for the system to invite academic scrutiny.

So far, the most pressing concerns with the app have little to do with its cryptographic properties. Cambridge University’s Ross Anderson prefers contact tracing to be an expensive, manual proposition for health authorities - as a disincentive for surveillance to persist after the epidemic is long over. Bruce Schneier agrees. But ultimately a cryptographer’s opinions on epidemiology are far less instructive than those of the public health officials and epidemiologists consulted for the project. An Oxford University study into the potential impact of digital contact tracing on COVID-19 - conducted by actual epidemiologists - is cautiously optimistic.

There big question is whether an opt-in system can get enough coverage of the population to work. Even at 1 million downloads (18% adoption), Singapore’s TraceTogether contact tracing app failed to prevent a resurgence in infections. Apple and Google concede that the apps need over 50% adoption within a given area to be effective.

Adoption could be assured if combined with the right incentives: health authorities or local counties could potentially use the technology to prioritise access to testing or determine whether to relax lockdown restrictions in a given area.

China Telecom sent to the naughty corner

The Trump administration has urged the telecommunications regulator (FCC) to terminate China Telecom (Americas) authorisation to carry traffic to and from the United States, claiming that China’s largest telco is “vulnerable to exploitation, influence and control by the PRC Government”.

China Telecom has 227 million mobile subscribers and 135m broadband subscribers across the globe. China Telecom Americas is the telco’s largest subsidiary outside of China. It offers MPLS services to connect clients inside the United States to mainland China.

The FCC prohibited China Mobile from providing services in the US in mid-2019.

In related news, the Department of Justice also ruled this week that Google and Facebook are permitted to build a high-speed internet link (the Pacific Light Cable Network) to Taiwan, but could not connect directly to Hong Kong, as the project originally intended.

Google finds itself in a tough position - it has co-invested with China Telecom and China Mobile in several submarine projects across Asia, and is listed alongside China Telecom and China Mobile as three of the six joint shareholders in the FASTER cable system that connects Taiwan to Oregon, USA.

It remains unclear if the proposed ban should be viewed through a national security lens or as another escalation in the US-China trade war. In any case, enjoy this China Telecom Americas infographic on BGP hijacking before we lose it forever.

US State Governors urged to avoid internet voting

Sixty of America’s top cyber security researchers have penned an open letter to the governors of every US State urging them not to use mobile voting apps or any other internet-connected devices for the November 2020 election.

The letter was signed by luminaries including Matt Blaze (Georgetown), Steve Bellovin (Columbia), Vint Cerf, Ronald Rivest (MIT), Daniel Weitzner (MIT), Ed Felton (Princeton), Susan Landau (Tufts University) and Bruce Schneier (Harvard Kennedy School).

Mobile voting lobby group Tusk claims that at least two states will join West Virginia in piloting mobile voting apps in November.

Risky Business published a two-part series on the subject late last month:

Patch your vCenter

VMware has released a patch for an information disclosure bug in its vCenter management software that scores a perfect CVSSv3 severity score of 10.

The vulnerability in the VMware Directory Service (vmdir) would allow an attacker that has compromised your internal network to bypass vCenter authentication and take control of all virtual machines in your private cloud that vCenter is configured to manage.

The bug only impacts systems upgraded from version 6.0 or 6.5 to the latest version (6.7). A patch was released on April 9.

Gaming firm drops $30m, mid-acquisition

Online gaming company SBTech has agreed to set US$30 million aside in escrow from the US$600m DEAC agreed to pay to acquire the company, in order to cover anticipated costs from a ransomware attack that crippled SBTech earlier this year.

DEAC is setting aside a further US$70 million should costs escalate further. If all of these funds were exhausted, the attack would have wiped 15% off the agreed value of SBTech.

For historical comparison - Verizon’s purchase of Yahoo was downgraded by 7% (US$350m) in 2017 after two data breaches were unearthed mid-way through the acquisition.

Another Maersk?

The online portal of the world’s second-largest shipping line, Mediterranean Shipping Company, has been down for three days after a network outage in its Swiss data centre, and the company says it “cannot rule out entirely the possibility of malware”.

Maersk, the world’s largest shipping line, was a victim of the NotPetya destructive malware attack in 2017, which cost the company over US$300m.

Malware gangs target security researchers

Bleeping Computer reports that destructive malware (MBRLocker) is being distributed via software cracking sites that purports to be authored by a prominent threat researcher after locking up infected Windows devices.

The malware presents a message that doxes Vitali Kremez - an analyst for AV vendor Sentinel One - who openly publishes his research online.

Kremez wouldn’t be the first security researcher to be targeted by malware gangs - in last week’s podcast we discussed that 15,000+ ElasticSearch instances were wiped by an actor seeking to pin their activities on a threat research group. Cybercrime researcher and journalist Brian Krebs has also been targeted in the past with swatting and DDoS attacks.

Still, it could be worse. Being doxed by a criminal gang is better than being thrown off a bridge.

Three reasons to actually be cheerful this week:

  1. A brimful of PCAPs: Brim Security has released the source code of its desktop app - which helps blue teams analyze large PCAP files. It’s getting a lot of love on Github.

  2. Spot persistence on Macs: A rewrite of Patrick Wardle’s BlockBlock tool has also been released under open source licensing. The tool monitors the internals of Macs running the Catalina OS to alert admins when new processes are added to known locations for attacker persistence.

  3. A new SMS OTP standard: Google has backed an Apple initiative to standardise the format of one-time passwords sent over SMS which promises to make them harder to spoof.


Correction to ‘SFO airport attack’ item: We have since learned from ESET that the SFO attackers were harvesting Windows/NTLM credentials of SFO staff. ESET attributed the activity to Russia-linked Energetic Bear.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at