Portugal: cybersecurity student detects bug in exposure notification apps

Henrique Faria, a student at the Higher School of Technology and Management at the Polytechnic (IPVC) of Viana do Castelo in Northern Portugal, detected a bug affecting all digital contact tracing applications adopting the Google and Apple "exposure notification" framework (GAEN) while researching for his Master's thesis on cybersecurity.

According to a note by the IPVC the vulnerability, identified as "advertising overflow", "allows an attacker to interrupt the GAEN Bluetooth transmission with a malicious application installed on the same device". This means that "any user confirmed to be infected and who sends their data so that other users can check if they have been exposed, will not trigger any exposure warning".

The bug, detected by Faria with the help of professors Mayia Pedro Pinto and Sara Paiva, has been recognised by Google and both the student and his professors also received an honorable mention from the company.

Even though "very proud to work in an investigation with national and international impact", prof. Pinto told News Maia that he believes that there was some “devaluation of the failure”. Prof. Pinto doesn't even know whether the vulnerability will ultimately be repaired, as a result of the “low adherence to the Covid-19 tracking applications”, writes News Maia.

Including Portugal's own exposure notification app, StayAway Covid. The app has been downloaded nearly 3 million times in its first four months after launch, in September 2020: this means approximately 30% of the population. Some 12,050 codes for COVID-19 infections have been generated by Portuguese health authorities since then, of which users introduced 2,804 in the app. Portugal recorded over half a million infections during the same period.