Amnesty’s Security Lab Finds Qatari Mandatory Contact Tracing App Exposed Sensitive Data Such as Name and Location
Amnesty, in an un-bylined report:
The investigation by Amnesty Security Lab found Qatar’s EHTERAZ app requested a QR code from the central server by providing the national ID the user registered with. No additional authentication was required, so anyone could have requested a QR code for any EHTERAZ user.
The lack of authentication and the fact that Qatari national IDs follow a consistent format meant it was possible to automatically generate all possible combinations of national IDs and retrieve the sensitive data that EHTERAZ stores.
Before the authorities took action to address the vulnerability, sensitive personal information contained in the QR code included names in English and Arabic, location of confinement, as well as the name of medical facilities in which an individual diagnosed with COVID-19 is being treated. Last Friday, the authorities immediately took action to mitigate the exposure of data by stripping out names and location data. They subsequently released an update for the EHTERAZ app on Sunday which appears to add a new layer of authentication to prevent harvesting of data. While these changes appear to fix the issue, Amnesty International has been unable to verify whether these changes meet sufficient security standards.
This app is mandatory for everyone in Qatar, and its poor centralized design meant that highly sensitive information was trivial to look up. I remain stumped why Apple and Google chose to create the framework for decentralized systems that do not allow location data collection, contrary to the suggestions of the Washington Post.
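The lookup flaw Amnesty describes, next to a hardened form that combines the two mitigations the report mentions (authentication and stripping names and location from the QR payload), as an added example that is not code from Amnesty or from EHTERAZ. The function names, the per-registration token scheme, the per-client throttle and its threshold, and the sample records are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records; IDs and names are placeholders, not real data.
RECORDS = {
    "ID-0001": {"name": "Sample User A", "status": "green"},
    "ID-0002": {"name": "Sample User B", "status": "yellow"},
}
TOKEN_HASHES = {}                 # national_id -> SHA-256 of registration token
IDS_SEEN = defaultdict(set)       # client address -> distinct IDs it asked for
MAX_IDS_PER_CLIENT = 3            # assumed threshold; one device needs one ID


def register(national_id):
    """Issue a random token at registration; the server keeps only its hash."""
    if national_id not in RECORDS:
        raise KeyError(national_id)
    token = secrets.token_urlsafe(32)
    TOKEN_HASHES[national_id] = hashlib.sha256(token.encode()).digest()
    return token


def qr_unauthenticated(national_id):
    """The reported flaw: the ID alone selects the record, name included."""
    return RECORDS.get(national_id)


def qr_authenticated(client, national_id, token):
    """Hardened lookup: token bound to the ID, throttled, minimal payload."""
    IDS_SEEN[client].add(national_id)
    if len(IDS_SEEN[client]) > MAX_IDS_PER_CLIENT:
        return None               # one client walking many IDs: refuse and alert
    expected = TOKEN_HASHES.get(national_id)
    presented = hashlib.sha256(token.encode()).digest()
    # Constant-time compare; unknown IDs and wrong tokens fail the same way.
    ok = hmac.compare_digest(expected or bytes(32), presented)
    if expected is None or not ok:
        return None
    # Data minimisation: status only, no name or location in the QR payload.
    return {"status": RECORDS[national_id]["status"]}
```

A predictable identifier is only a lookup key; the hardened path works because the secret token, not the ID, is what authorises the request.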