Data Capture/Auto ID

Data Capture, Bar Code Decoders, Scanners and Automatic Identification.

Tech boss warns UK Government of contact tracing App security flaws using QR codes

The CEO of a British Tech company has warned the Government of potential serious flaws in the security of personal information and data used in the new contact tracing app technology that was announced by Matt Hancock.

Manchester Tech inventor and innovator Louis-James Davis stated that the use of QR code scanning technology – which underpins the Government contact tracing app – is flawed because its reliance and use of QR codes means it can be subject to a process called “Attagging” or cloning.

“Attagging” is where a ‘genuine QR code’ is replaced by a ‘cloned QR code’ which then redirects the person scanning that code to a similar website where personal data can be intercepted and breached. The problem is that serious that in India alone there are over 1 BILLION fraudulent financial transactions each day using QR codes. As the scanning user journey is the same, it is only tech savvy individuals that may notice the domain name has changed.

The CEO of Manchester based VST Enterprises Ltd (VSTE) and a consortium of other British companies; Latus Health, Redstrike and Halo Solutions, last week submitted a ‘360 End To End Solution Plan’ called  ‘FANS ARE BACK to the Prime Minister, the Cabinet Office and the Chair of the DCMS Select Committee following his daily press briefing and announcement of ‘Operation Moonshot.’  In this proposal it also highlighted the serious security issues and concerns over QR code technology whilst also providing details of its own end to end secure solution to the UK Government using British technology.

The tech boss revealed that VSTE has developed an ultra secure digital health passport and contact tracing app technology that does not use QR codes but instead uses a closed loop, ultra secure code called VCode® which it has invented and which is currently being used by the United Nations SDG Projects. The system uses closed loop technology with end to end encryption and contains over 2.2 Quintillion variations of code – thats nearly 300 million code variations per person on the planet – meaning it is impossible to hack or impersonate from the front end.  The secure digital health passport which is called V-Health Passport™ is used to authenticate a persons identity using their existing Government ID and is then used to record their Covid-19 test status. Uniquely it can be scanned outside of the 2 metre social distancing capability and over 100m away with a specialist device. It can also be scanned in a 170 degree arc whilst a person is moving thus preventing bottlenecks and choke points in fans queuing to get into a venue. VHealth Passport™ can also be used to record vaccinations as well and other vital medical information.

VST Enterprises CEO Louis James Davis said;

“We have highlighted the serious security flaws of using QR codes in healthcare and ID technology in our proposal and plan submitted to the Government. When you are dealing with the public’s personal information and private data, security is of paramount importance and crucial to public confidence.

When the Government first launched the NHS contact tracing app there were many concerns raised about privacy, protection of data, tracking of location data and the security flaws of using bluetooth proximity technology. The use of QR code technology in a Government contact tracing app where the public are being asked to scan a QR code before going into a sports stadium, bar or venue leaves their data and personal information at serious risk of cloning and ‘Attagging’.

There are over 1 BILLION fraudulent financial transactions  each day in India alone and that should be a serious wake up call to any Government or major organisation about the wider use of QR code technology to the public in a contact tracing app or digital healthcare passport for that matter.

Because QR code readers and encoders are open source technology – free to use and manipulate – there are literally 1000’s of readers and encoders in the app stores. They don’t work on a closed loop security system which means the QR code design might not be unique and scanning and decoding can be exploited and/or manipulated.   QR codes also have to be scanned close up within inches thus meaning that the scanning of a QR code for contact tracing already breaches a safe 2 metre social distancing protocol.”

In understanding how the QR codes are vulnerable to cloning Louis-James explained;

“Essentially QR codes can be cloned and redirected to other information points or websites. Often criminals and hackers will exploit this by putting a fake QR code over a genuine QR code. So a QR code for example on scanning would link to the genuine website but a fake QR code can be made up printed off and placed over the genuine code to redirect to at this point the member of the public is tricked into entering their personal information, private data and financial information. The rogue website looks and feels exactly like the genuine one and is made to mirror it precisely.”

VCode® which is the digital bar code of choice in our contact tracing app and V-Health Passport™ for example cannot be cloned, so even if it was printed off, or a photograph taken and placed over a venue VCode® or V-Health Passport™ it simply wont scan as it works on a call and response system of information between the code and web platform to verify location of the code, user ID and time and date and much more.”

The consortium presented its plan for a 360 degree ‘end to end’ solution using a 10 minute rapid Covid testing kit, VHealth Passport™ and contact tracing app solution that uses anonymised data to detect ‘positive’ infection contacts within venues, stadiums and theatres also forms part of the groundbreaking technology offering. The consortium believes that this will allow for the safe return of fans to sports stadiums, music venues and theatres to FULL CAPACITY without the need for social distancing.

The FANS ARE BACK plan has also received the backing and support of former Sports Minister Richard Caborn, former England Rugby captain Mike Tindall MBE and his wife the Equestrian World Champion and 2012 Silver Medalist Zara Tindall MBE.  The plan will also help alleviate the much anticipated pressure to the NHS from its current and predicted testing capabilities, which have already been identified as being ‘at capacity.’ The health passport which is test agnostic – allows it to work with all rapid tests and PCR based lab testing. It also uses the most secure and advanced cyber technology coding VCode® which means that all personal information and data is ultra secure and cannot be hacked. Most importantly the contact tracing app does not divulge a persons identity or information and uses anonymised data.

The contact tracing element to the V-Health Passport™ allows all music venues, concert arenas, sports stadiums and theatres to display a unique ‘geo, date and time fenced’ VCode® which is locked to that venue and must be scanned as fans ‘check in’.  Fans will only be allowed to physically ‘check into’ the venue if they have downloaded the V-Health Passport™ and taken a Covid-19 test prior to entry with a negative test result.

When the person enters the venue they will be scanned for their test status as Green for negative, Red for positive and Amber for indicating the countdown to another test date. All interactions with V-Health Passport™ or venue codes are stored anonymously thus allowing the person/s to remain completely anonymous, thus not infringing their personal privacy. Any positive test result will notify any and all confirmed contacts automatically that attended that venue and that were scanned into that venue VCode® on the day. The system can also notify contacts either side of the scanned date of entry up to 1 week prior and 1 week post attendance.

Also as the contact part of the ‘track and trace’ is completely anonymised this means a persons privacy and personal information is not shared and their location is not tracked in real time, other than their ‘check in’ to a sports stadium, music venue or theatre.  This is no different from a music fan using Facebook to ‘check into’ a pop concert with his or her friends and tagging them. V-Health Passport™ is also GDPR and HIPPA compliant. The rapid test and V-Health Passport™ is priced at £15. The VHealth Passport™ currently has 200 testing centres within its app which is expected to rise to over 1000 testing centres in the next two weeks with the addition of a major high street pharmacy chain coming onboard.