Qatar: Contact tracing app security flaw exposed sensitive personal details of more than one million

Serious security vulnerabilities in Qatar’s mandatory contact tracing app, uncovered by Amnesty International, must act as a wake-up call for governments rolling-out COVID-19 apps to ensure privacy safeguards are central to the technology. 

An investigation by Amnesty’s Security Lab discovered the critical weakness in the configuration of Qatar’s EHTERAZ contact tracing app. Now fixed, the vulnerability would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users.

While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited.

Claudio Guarnieri, Head of Amnesty International’s Security Lab.

Amnesty alerted the Qatari authorities to the vulnerability shortly after making the discovery on Thursday 21 May. The authorities acted swiftly to fix the weakness by the end of Friday 22 May.

“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited. This vulnerability was especially worrying given use of the EHTERAZ app was made mandatory last Friday,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab.

“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards. If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights.”

Currently more than 45 countries have, or plan to, rollout COVID-19 contact tracing apps. Amnesty International is concerned that governments around the world, including Australia, France, Italy, the Netherlands and the UK, are rushing to embrace digital tools which undermine privacy, have not yet been proved to be effective, and could put individuals’ security at risk.

EHTERAZ was developed by Qatar’s Ministry of Interior and uses GPS and Bluetooth technology to track COVID-19 cases. The app, like many being introduced, remains highly problematic due to its lack of privacy safeguards. Sensitive personal information continues to be uploaded to a central database and the authorities can enable real-time location tracking of users at any time.

All governments must ensure contact tracing apps remain entirely voluntary and in line with human rights.

Claudio Guarnieri, Head of Amnesty International's Security Lab

Last Friday, it became compulsory to download and use the app, which has been downloaded more than one million times from the Google Play Store alone. People who do not use the app could face up to three years in prison and a fine of QR200,000 (approx. US$55,000). 

“The Qatari authorities must reverse the decision to make use of the app mandatory, and all governments must ensure contact tracing apps remain entirely voluntary and in line with human rights,” said Claudio Guarnieri.

Amnesty International’s Security Lab was able to access sensitive information, including people’s name, health status and the GPS coordinates of a user’s designated confinement location, as the central server did not have security measures in place to protect this data.

While Amnesty International recognizes the efforts and actions taken by the government of Qatar to contain the spread of the COVID-19 pandemic and the measures introduced to date, such as access to free healthcare, all measures must be in line with human rights standards.

The vulnerabilities were uncovered as part of a wider global analysis of contact tracing apps, aimed at assessing their human rights compliance.

Contact tracing is an important component of effective pandemic response, and contact tracing apps have the potential to support this objective. However, in order to be consistent with human rights obligations, these apps must build in privacy and data protection by design, meaning any data collected must be the minimum amount necessary, and securely stored. All data collection must be restricted to controlling the spread of COVID-19 and should not be used for any other purpose – including law-enforcement, national security or immigration control. It must also not be made available to any third party or for commercial use. Any individual decision to download and use contact tracing apps must be entirely voluntary.

Background

The investigation by Amnesty Security Lab found Qatar’s EHTERAZ app requested a QR code from the central server by providing the national ID the user registered with. No additional authentication was required, so anyone could have requested a QR code for any EHTERAZ user.

The lack of authentication and the fact that Qatari national IDs follow a consistent format meant it was possible to automatically generate all possible combinations of national IDs and retrieve the sensitive data that EHTERAZ stores.

The app’s QR code has a colour system. If red, this indicates the user’s health status is “Confirmed” (supposedly they have been diagnosed with COVID-19). If yellow, the user is marked as “In Quarantine”. If grey, the user is ” Suspected”. If the QR code is green the user is marked as “Healthy”.

Before the authorities took action to address the vulnerability, sensitive personal information contained in the QR code included names in English and Arabic, location of confinement, as well as the name of medical facilities in which an individual diagnosed with COVID-19 is being treated. Last Friday, the authorities immediately took action to mitigate the exposure of data by stripping out names and location data. They subsequently released an update for the EHTERAZ app on Sunday which appears to add a new layer of authentication to prevent harvesting of data. While these changes appear to fix the issue, Amnesty International has been unable to verify whether these changes meet sufficient security standards.