Are Covid test QR codes a security risk?
The CEO of British technology company VST Enterprises Ltd (VSTE) has warned the UK Government of potential serious flaws in the security of personal data used in the contact tracing app announced by Secretary of State for Health Matt Hancock.
Louis-James Davis has stated that QR code scanning technology - which underpins the government's contact tracing app - is flawed because its reliance on the codes means it can be subject to a process called “Attagging” or cloning.
“Attagging” is where a real QR code is replaced by a cloned one, which then redirects the person scanning that code to a similar website where personal data can be intercepted and breached. This is done without most users being able to notice that the website's domain name has changed.
Now Louis-James Davis and a consortium of other companies have written to the government to highlight the serious risks QR code technology poses to users. The letter also contained details of VSTE's own testing solution: a test that, instead of QR codes, uses end-to-end encryption with closed loop technology, which they say creates 300 million code variations per person on the planet, making the data unhackable.
So is scanning QR codes really that risky? Last year the creator of the QR code himself, Masahiro Hara, expressed concerns over security, saying that the technology needed a revamp to protect people's personal information.
A recent study by US software company MobileIron concluded that it's only a matter of time before attacks via QR codes become commonplace, given how easily a malicious URL containing custom malware can be embedded in the code. As well as directing users to phishing sites encouraging them to divulge personal details, the malware could extract data from mobile devices when scanned.
MobileIron's research found that 71% of respondents cannot distinguish between a legitimate and malicious QR code. Meanwhile 51% of respondents have privacy, security, financial or other concerns about using QR codes, but use them anyway.
“We have highlighted the serious security flaws of using QR codes in healthcare and ID technology in our proposal and plan submitted to the government,” Davis, CEO of VSTE, said. “When you are dealing with the public’s personal information and private data, security is of paramount importance and crucial to public confidence.
“Essentially QR codes can be cloned and redirected to other information points or websites. Often criminals and hackers will exploit this by putting a fake QR code over a genuine QR code. So a QR code for example on scanning would link to the genuine website www.similardomain.com but a fake QR code can be made up, printed off and placed over the genuine code to redirect to www.similar-domain.com. At this point the member of the public is tricked into entering their personal information, private data and financial information. The rogue website looks and feels exactly like the genuine one and is made to mirror it precisely.”
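A check a scanning app could run on the decoded URL before opening it, using the two example domains from the quote above. This is an added example, not code from the article, VSTE or any contact tracing app; the allowlist `EXPECTED_HOSTS`, the HTTPS requirement and the edit-distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the app knows which host a genuine code is meant to open.
EXPECTED_HOSTS = {"www.similardomain.com"}  # example domain from the article


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, expected=EXPECTED_HOSTS, max_distance: int = 2) -> str:
    """Classify a decoded QR URL as trusted, lookalike, unknown or reject."""
    try:
        parts = urlsplit(url.strip())
        # .hostname is lower-cased and excludes any userinfo or port.
        host = (parts.hostname or "").encode("idna").decode("ascii").rstrip(".")
    except (ValueError, UnicodeError):
        return "reject"
    if parts.scheme != "https" or not host:
        return "reject"  # assumption: genuine codes always use HTTPS
    if host in expected:
        return "trusted"
    # A near miss of an expected host is more suspicious than an unrelated one.
    if any(edit_distance(host, e) <= max_distance for e in expected):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample payloads, as they would come out of a QR decoder.
    for sample in (
        "https://www.similardomain.com/checkin",
        "https://www.similar-domain.com/checkin",
        "https://www.similardomain.com@login.example/",
        "http://www.similardomain.com/",
    ):
        print(f"{classify(sample):9s} {sample}")
```

Comparing the parsed host rather than searching the URL string is what keeps the third sample from passing: the expected name appears in it only as userinfo, not as the host.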
Zoom enters the healthcare market - a timeline
Since the pandemic began Zoom has become an integral part of daily life for people working from home, as well as a vital tool for families and friends to communicate. However it's also been eyeing up the healthcare space since 2017, and following the boom in telehealth the company has been rolling out additional services. Here we chart Zoom's move into healthcare.
2011 - 2013
Zoom is founded in San Jose, California, by Eric Yuan, formerly of Cisco. He got the idea to create a video calling platform from his visits to his girlfriend while he was a student, which would take 10 hours by train.
A beta version is released in 2012, which can host up to 15 participants. In 2013 this rises to 25. By mid-2013, Zoom has 1 million users.
2014 - 2017
Zoom attracts investors, including Sequoia Capital, Emergence and Horizon Ventures. By January 2017, Zoom has a series D funding worth $100 million.
2017 - 2019
Zoom for Telehealth launches, including an integration with EHR system Epic. It has cloud-based video, audio, and content sharing features, a "waiting room" for patients, and can easily be integrated into healthcare providers' workflows.
In 2019 Zoom goes public, with its IPO rising 72% in one day.
As a result of the pandemic, Zoom gains 2.2 million new users, more than in the whole of 2019. On the 23rd of March alone - the day the UK lockdown was announced - the platform was downloaded 2.13 million times around the world.
Share prices rise to around $150, and founder and chief executive Eric Yuan becomes one of the world's richest people, with an estimated net worth of $7.9 billion.
Early security issues are addressed by encrypting data with the Advanced Encryption Standard (AES). By now the platform allows 99 people to be on a call simultaneously.
New features launch, including Zoom Home and Zoom for Chats. Throughout the year the platform is used to replace most kinds of real life events: work meetings, online classrooms, church services and social events.
Renamed Zoom for Healthcare, users can share secured video, audio, and content through desktops, mobile phones, and conference devices. As well as Epic, it can be integrated with Strmr, IntakeQ, and Practice Better.
It can also be used with diagnostic cameras and other point-of-care devices, including digital stethoscopes.
In an interview with Korea Biomedical Review, Zoom Global Healthcare Lead Ron Emerson said: "Our service is not simply a virtual care and telemedicine platform but a multi-purpose platform that can satisfy the needs of healthcare institutions."
"It can be used for administrative tasks, including telemedicine, medical team meetings, recruitment, medical education, employee training, and disease prevention. Analysing electronic records managed by Zoom could provide meaningful insights into patient care."
Phoenix Children's Hospital, Belfast's Hospital Services Limited, Butler Health Services and the global Project ECHO are among Zoom for Healthcare's current customers.