South Korea's self-isolation app had a serious security flaw

The encryption key was written inside the app's code.

Sponsored Links

SEOUL, SOUTH KOREA - 2020/04/30: People at Gimpo International Airport during the Coronavirus (COVID-19) crisis.
Local infections in South Korea fall to zero for first time since its coronavirus outbreak worsened in February. (Photo by Simon Shin/SOPA Images/LightRocket via Getty Images)
SOPA Images via Getty Images

South Korea is one of several countries that used a comprehensive test, trace and isolate plan to dramatically reduce instances of COVID-19. Unfortunately, a New York Times report claims that one of the key pillars of its strategy, a mobile app designed to monitor at-home quarantines for people arriving in the country, was seriously insecure. A security researcher found a flaw in the app that would have allowed hackers to access private information. In addition, hackers would have been able to rig the app to make someone look like they were making unauthorized trips outside their home.

Security researcher Frédéric Rechtenstein, who lives in Seoul, was using the app to monitor his own 14-day isolation period after traveling. Out of curiosity, he began investigating the app, finding that the user IDs were not randomly generated and therefore guessable, enabling him to access this private information. In addition, the app’s code stored the encryption key (which was “1234567890123456” within its code, making it even easier for a motivated hacker to decrypt any data they wished to access.

The Times says that Korean officials have apologized for the breach, with Jung Chan-hyun saying that the issue was down to the speed of the app’s implementation. The app’s developers, Winitech, said that staffers lacked proper security training to make the app as secure as necessary. Winitech MD Hong Seong-bok added that the government’s onerous feature requests, like adding more surveillance features, slowed down the team’s work on finding bugs and fixing them. 

It’s believed that the holes in the app, were fixed in an update to both Android and iOS version last week. Officials added that there had been no claim, or evidence, that anyone had actually breached the system before the developers were alerted. 

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Popular on Engadget