Private information held in the NHS mobile app, which is to be used as a Covid vaccine passport when international travel returns, could be accessed by hackers at airports if users log in over insecure WiFi networks. The Telegraph has the story.
Britons travelling abroad have been warned against using airport WiFi to log into the NHS app to access their vaccine passports in case they hand over their health details to hackers…
Logging into the app and loading health data while on insecure WiFi networks could see hackers gain access to passwords as well as sensitive personal information about people’s health conditions.
Peter Yapp, a Schillings partner who was previously a Deputy Director at GCHQ’s National Cyber Security Centre, urged people not to rely on networks that can steal your data.
“Don’t access this, if at all possible, through WiFi connections that you don’t know anything about,” he said. “That just gives someone the opportunity to potentially get the data as it’s passing through.”
Hackers have used their own malicious public WiFi networks in the past to trick people into signing up for them and then stealing their information as it passes through.
“It has happened for a long, long time and it continues to happen,” said Matt Lock, a Director at cybersecurity business Varonis.
“There is nothing stopping anybody from walking into these public spaces and setting up their own public WiFi,” he added. “Then you’re in a situation where all your traffic is potentially being captured.”
Hackers can easily set up their own WiFi networks in public spaces, often with innocent-sounding names that mimic legitimate networks.
Once a victim logs on to a hacker’s network, all of their web traffic can be intercepted so that hackers can monitor which websites and apps are used.
They can also steal their login information including passwords and any data sent to their apps, including the health records shown in the NHS app.
The Government is said to be examining ways to export a vaccine passport into a “digital wallet” that can be accessed offline.
This is not the only example of a Government Covid app facing criticism over its security (or lack thereof). Last month, an update to the NHS Test and Trace mobile app was blocked by Apple and Google because it broke rules about the collection of location data.
The Telegraph report is worth reading in full.
The day that any Government or State IT project fulfils all the basic requirements of security, confidentiality, efficiency and workability has yet to come. As well as giving themselves a Snooper’s Charter, complete with multiple Cock-ups, they invite every other crook and swindler to join them in it. That may be because “it takes one to know one”.
And what Government digital idea has ever been fit for purpose on roll out ?
This is bullshit of the highest order. They don’t even want to employ immigration officers at airports – remember the passport is already chipped so you can swipe yourself through – to check everyone off every plane from everywhere in the world is impossible.
So there’s a way to keep your data safe when using an NHS app?
Ha ha bloody ha.
Technically, this article is bullshit. The app should (unless it is monumentally flawed) employ its own layer of encryption and validation to avoid simple WiFi attacks. If the app is not employing these measures then it is unsuitable for use in any environment.
It’s actually quite easy to do. You set yourself up as a wifi hot spot and your victims come to you like fleas around shit. From that point you can sit in the middle and the world is your oyster. I did a hackers course that showed you how to do this.
No. You can do that type of attack against unencrypted traffic like HTTP or SMTP. A sophisticated attack could potentially get around simple SSL encryption. You cannot do this with properly validated SSL traffic unless you also have a compromised trusted certificate.
Either it was a “hackers course” in 1986 or the worst value for money course in the world.
Intercepting packets is simple enough. The problem is you can’t DO anything with those packets as they’re end-to-end encrypted and have been for years.
You’ll end up with a lot of data, none of which is useful.
Being the pedant I am, isn’t it flies that like shit? Thought fleas were blood suckers. Mind you these people (and Governments) are blood suckers. We’re just suckers.
Exactly. No idea how Apple approval works but I’m assuming it’s similar, Google won’t authorise a Play Store app unless it’s using a secure backend. SSL or similar transfer layer.
The fact the app IS approved shows it’s using secure transport.
Nothing like a secure backend. Sorry schoolboy humour! 😀
Was about to say the same thing, as long as SSL is applied correctly, all anyone sniffing the network traffic will see is (already public) URLs and some common meta-data.
Now, Government IT projects aren’t synonymous with ‘applied correctly’ but this is basic stuff.
What is concerning is that a spook from GCHQ thinks this is a problem.
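The point made above about what a network sniffer actually sees can be checked on the wire: the server hostname in the TLS ClientHello (the server_name extension, SNI) is sent in cleartext, while the URL path, headers, login form and any health data travel inside encrypted application-data records. The Python example below is added here and is not from the Telegraph article or any commenter; it builds a constructed, minimal ClientHello and pulls the hostname back out, which is the "which websites and apps are used" metadata a rogue hotspot can log even when it cannot read the contents.

```python
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000  # server_name, RFC 6066


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed test data: a minimal TLS 1.2-style ClientHello record.

    Only the fields needed to carry a server_name extension are filled in;
    the random is all zeros and a single cipher suite is offered.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + bytes(32)                                  # random (zeros, constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the cleartext host_name from a ClientHello record, or None.

    Anything that is not a handshake record carrying a ClientHello (for example
    the encrypted application-data records that hold the actual requests and
    health data) yields None: a passive observer learns the hostname, not the content.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                         # record hdr(5) + hs hdr(4) + version + random
    pos += 1 + record[pos]                   # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                   # compression_methods
    if pos + 2 > len(record):
        return None                          # no extensions block present
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        if etype == SNI_EXTENSION_TYPE:
            # list length(2), name_type(1), name length(2), then the name itself
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None
```

Where both ends support TLS Encrypted Client Hello this field is hidden too; otherwise the only hostile-network defences for the content itself are strict certificate validation (and, for an app like this, pinning) on the client.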
So many knee jerk reactions from the government seem to roll out an endless stream of unintended consequences.
Paper vaccine certificate in my passport will do me fine.
Nope: that is just the thin end of the wedge!
Great. Another troll, just what we needed. At least this one has a fitting name.
Could be the same troll just changed his/her name for fun.
We’re counting on it