The Hong Kong government’s COVID-19 contact-tracing app contains serious security risks that could jeopardize the privacy of users’ personal information, an independent audit revealed.
The U.S. government-funded Open Technology Fund hired Poland-based cybersecurity firm 7ASecurity in July to conduct an audit of the “Leave Home Safe” mobile app, which found eight security vulnerabilities and four weaknesses in the software.
Similar to mainland China’s color-coded health app, Leave Home Safe tracks the user’s movements, and thereby determines people’s exposure to COVID-19 risks.
The Hong Kong version uses red, amber, and blue codes, while the mainland adopts a red, yellow, green system, with blue and green respectively indicating the lowest risk. Only those with a blue or green code are allowed to use public transportation or enter public venues.
Open Technology Fund on July 24 released a 55-page report (pdf) about the Hong Kong app, which pointed out that 12 security and privacy flaws were spotted, of which three were classified as critical or high-level vulnerabilities.
One of the identified vulnerabilities was that the app failed to validate certificates correctly, which allows malicious attackers to intercept traffic between the app and its backend servers.
“For example, an attacker could intercept the login to the Hong Kong Health Code System and gain access to the Hong Kong Identity Card ID and password of the user,” the report noted.
7ASecurity also found that the Android app stores COVID-19 vaccination and test status images in the mobile device’s SD card, when the user attempts to import such QR Codes from safer locations, such as Google Drive.
“This finding is concerning because the Android SD Card is an inappropriate location for sensitive data. For example, an unskilled thief could extract the SD Card and plug it into a computer to read this data, without having to know the PIN or unlock pattern,” the report said.
Moreover, due to a logic flaw, a malicious attacker who has gained access to an unlocked phone could obtain the user’s COVID-19 vaccination and test status simply by tapping through screens, bypassing the PIN or fingerprint authentication requirements.
In mainland China, there have been a number of incidents in which citizens at odds with the authorities have been punished by being assigned a red health code, so that they are unable to leave home.
In central China’s Henan Province, a group of bank customers complained that their savings at local rural banks had been frozen since April. As they travelled to the capital city of Henan to seek redress for their losses, the provincial authorities turned their health codes to red, so they were unable to continue traveling, and thus blocked from meeting with officials or staging demonstrations.
In another incident, human rights lawyer Xie Yang booked a flight to Shanghai for Nov. 6, 2021, to visit the mother of Zhang Zhan, a citizen journalist who is currently in jail for reporting true incidents from Wuhan during the city-wide lockdown in early 2020.
Local police tried to intercept him, but he somehow managed to get to the airport. However, while waiting to board the plane, his health code suddenly turned red and he was intercepted by the epidemic prevention officers.
At the time, there were no confirmed cases in his home city of Changsha, so there was no justifiable reason for his health code to be red.
“I reiterate that I have never left Changsha during this period of time! All this is persecution,” Xie wrote when disclosing what happened to him on Twitter.
Beijing’s Big Data Ambitions
Chinese state media have unabashedly admitted that behind the health code app is China’s big data strategy.
“The rapid launch of the health code system should be attributed to the big data strategy … Big data development has already become a national strategy,” China News Weekly reported in January this year.
The article revealed that on Dec. 29, 2021, China’s National Development and Reform Commission and other departments issued a notice to start the deployment of big data center national hub nodes in eight key areas: Beijing-Tianjin-Hebei, Yangtze River Delta, Guangdong-Hong Kong, Chengdu-Chongqing, Guizhou, Gansu, Inner Mongolia, and Ningxia.
“Our strategic competitors [the Chinese Communist Party] see big data as a strategic asset,” said U.S. National Security Advisor Jake Sullivan last summer. Former U.S. Deputy National Security Advisor Matt Pottinger also wrote that big data is at the heart of the Chinese Communist Party’s ambitions.
Li Keshun, deputy director of East China Jiangsu Big Data Trading Center, told China News Weekly that health codes actually have four layers of personal data. The first is household registration information from the public security department; the second is health data reported by individuals, such as body temperature and current symptoms; the third is personal travel data, including location provided by the cell phone service carriers, as well as rail and air traffic travel data; and the fourth is medical history information provided by the health and disease control department.
Former Trump administration officials Matt Pottinger and David Feith warned that Beijing is already winning the big data war.
In a NY Times opinion piece, Pottinger and Feith wrote: “For upward of a generation, Beijing has been coldly effective in designing a strategy of global data mercantilism: data hoarding for me, data relinquishing for thee. If Washington and its allies don’t organize a strong response, Mr. Xi will succeed in commanding the heights of future global power.”