Incident: Security Flaws in South Korean Quarantine App Lead to Data Vulnerability

Published Date: 2020-07-28

Postmortem Analysis
Timeline:
1. The software failure incident with the mobile app in South Korea occurred in May 2020, according to the article [102676].

System:
1. Security features of the mobile app to enforce quarantines in South Korea failed, leading to serious security flaws [102676].

Responsible Organization:
1. The Ministry of the Interior and Safety's disaster response division in South Korea was responsible for causing the software failure incident by deploying an app with serious security flaws due to the rush to slow down the spread of the virus [102676].

Impacted Organization:
1. Users in quarantine in South Korea were impacted by the software failure incident [102676].

Software Causes:
1. The mobile app had serious security flaws that made private information vulnerable to hackers, including easily guessable user ID numbers and a weak encryption key written directly into the code [102676].

Non-software Causes:
1. Time pressure to deploy the app quickly to help slow down the spread of the virus, leading to a lack of thorough security checks [102676].
2. Lack of expertise in making the software secure, as the team lacked the necessary skills to ensure the app's security [102676].
3. Overwhelming workload on the development team, which prevented them from focusing on hunting for security flaws [102676].
4. Addition of surveillance functions to the app, such as emitting noise or vibrating when the phone was not moved for more than two hours, and connecting tracking wristbands, which increased the complexity of the app and the workload on the team [102676].

Impacts:
1. Personal information of individuals in quarantine was vulnerable to hackers, including names, real-time locations, and other details [102676].
2. Hackers could tamper with data to make it look as if users were violating quarantine orders or still in quarantine despite being elsewhere [102676].
3. The software failure incident raised concerns about poor security practices in government-deployed virus-tracing apps globally [102676].
4. The incident highlighted the rush to deploy software without adequate security features, leading to vulnerabilities in tracking apps [102676].
5. The incident could affect perceptions of South Korea's handling of the pandemic and its ability to protect personal data [102676].

Preventions:
1. Conducting a thorough security check on the app before deployment, even if it might delay the release [102676].
2. Implementing strong encryption methods, such as HTTPS, for securing communications between the app and the server [102676].
3. Using complex and random encryption keys to prevent easy decoding of data by hackers [102676].
4. Ensuring that software developers have the necessary expertise to build secure applications [102676].
5. Prioritizing security alongside functionality and speed in the development process of the app [102676].

Fixes:
1. Conducting a thorough security check on the app before deployment to identify and address any vulnerabilities [102676].
2. Implementing strong encryption methods, such as using HTTPS for secure communication between the app and the server [102676].
3. Regularly updating and patching the software to address any newly discovered security flaws [102676].
4. Ensuring that software developers have the necessary expertise to prioritize security in the development process [102676].
5. Allocating sufficient resources and time for security measures, even in situations where there is pressure to deploy the software quickly [102676].

References:
1. Frédéric Rechtenstein, a software engineer who discovered the security flaws in the mobile app [102676]
2. South Korean officials, including Jung Chan-hyun from the Ministry of the Interior and Safety’s disaster response division [102676]
3. Winitech, a software maintenance and repair company in Daegu that developed the app in collaboration with the government [102676]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident of security flaws in a mobile app used for enforcing quarantines in South Korea is a case where a similar incident happened within the same organization. The app developed by the South Korean government had serious security flaws that made private information vulnerable to hackers [102676]. The rush to deploy the app quickly for pandemic response led to inadequate security features being present in the software. (b) The incident in South Korea is not an isolated case. Governments worldwide have faced complaints about poor security practices in virus-tracing apps. For example, a virus-tracing app in India was found to leak users' precise locations, prompting the Indian government to fix the problem. Flaws were also discovered in an exposure-alert app in Qatar by Amnesty International, leading to quick updates by the authorities there. Other nations like Norway and Britain have had to change course on their virus apps after public outcry about privacy concerns [102676]. This indicates a broader trend of security issues in software used for pandemic response across different countries.
Phase (Design/Operation) design, operation (a) The software failure incident in South Korea's mobile app for enforcing quarantines was primarily due to design flaws introduced during the development phase. The app had serious security flaws that made private information vulnerable to hackers, such as easily guessable user ID numbers and weak encryption methods [102676]. (b) Additionally, the operation of the app also played a role in the failure. The app had features added over time, like emitting a noise if the phone was not moved for more than two hours and connecting tracking wristbands, to monitor quarantine compliance. These operational features increased the workload on the developers, preventing them from focusing on security aspects [102676].
Boundary (Internal/External) within_system (a) within_system: The software failure incident in South Korea's mobile app for enforcing quarantines was primarily due to security flaws that originated from within the system itself. The defects in the app, such as easily guessable user ID numbers and weak encryption methods, were discovered by a software engineer who examined the app's code [102676]. The flaws allowed potential attackers to access private information of individuals in quarantine and manipulate data within the app. The rush to deploy the app quickly for pandemic response led to inadequate security checks and practices within the development process, highlighting internal system vulnerabilities that were exploited by the engineer to identify the failures.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in South Korea's mobile app for enforcing quarantines was primarily due to non-human actions, specifically serious security flaws in the app that made private information vulnerable to hackers. The defects in the app allowed attackers to retrieve personal details of individuals in quarantine and tamper with data, posing significant risks to user privacy and security [102676]. (b) However, human actions also played a role in the failure as South Korean officials acknowledged that they were in a hurry to deploy the app quickly to help slow down the spread of the virus, which led to inadequate security checks on the app before its release. Additionally, the developers of the app used easily guessable ID numbers and weak encryption methods, indicating human errors in the software development process [102676].
Dimension (Hardware/Software) software (a) The software failure incident reported in the articles was primarily due to contributing factors that originated in software. The incident involved serious security flaws in a mobile app used to enforce quarantines in South Korea. These flaws made private information vulnerable to hackers, allowing them to retrieve personal details of individuals in quarantine and tamper with data to manipulate quarantine status [102676]. (b) The software failure incident was not attributed to hardware issues but rather to software vulnerabilities that were exploited by hackers. The flaws in the app's security, such as easily guessable user ID numbers and weak encryption methods, were the root causes of the incident [102676].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident in South Korea involving the mobile app used to enforce quarantines had serious security flaws that made private information vulnerable to hackers. The defects in the app could have allowed attackers to retrieve personal information such as names, real-time locations, and other details of people in quarantine. Additionally, hackers could have tampered with data to make it appear as if users were violating quarantine orders or still in quarantine despite being elsewhere. These security vulnerabilities were identified by a software engineer, Frédéric Rechtenstein, who found that the app's developers had implemented weak security measures, such as easily guessable user ID numbers and insecure encryption methods [102676]. (b) The software failure incident in South Korea was primarily non-malicious in nature. The flaws in the app's security were not introduced with the intent to harm the system but rather due to the pressure to deploy the app quickly to help slow down the spread of the virus. South Korean officials acknowledged that they were in a hurry to release the app and could not afford a time-consuming security check that would delay its deployment. The lack of expertise in making the software secure, combined with the increasing workload on the development team, contributed to the security flaws in the app. The episode highlighted how the rush to deploy software solutions in response to the pandemic led to inadequate security practices [102676].
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) The software failure incident resulted from poor decisions made by the South Korean officials and developers. They acknowledged that they were in a hurry to deploy the app quickly to help slow down the spread of the virus, which led to inadequate security checks on the app [102676]. The software developers assigned easily guessable ID numbers to users, used weak encryption methods, and did not prioritize security measures during the app development process. Additionally, the developers did not anticipate the widespread use of the app, leading to vulnerabilities being exposed when the app became widely adopted [102676]. (b) The software failure incident was also influenced by accidental decisions or unintended consequences. The rush to deploy the app quickly to save lives and the lack of expertise in ensuring software security contributed to the accidental introduction of security flaws in the app [102676]. The developers' focus on adding surveillance functions to the app and the increasing workload on the team prevented them from adequately addressing security concerns, leading to unintended consequences in terms of data vulnerability and privacy risks.
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident in South Korea's mobile app for enforcing quarantines was primarily due to development incompetence. The app had serious security flaws that made private information vulnerable to hackers, such as easily guessable user ID numbers, insecure encryption methods, and a lack of proper security checks before deployment [102676]. The rush to deploy the app quickly to combat the spread of the virus led to inadequate security features being implemented, showcasing a lack of professional competence in ensuring the app's security. (b) Additionally, the rush to deploy the app quickly without thorough security checks can also be considered an accidental factor contributing to the software failure incident. The officials acknowledged that they were in a hurry to deploy the app as quickly as possible to help slow down the spread of the virus, which led to overlooking critical security flaws that made the app vulnerable to attacks [102676]. This accidental oversight in prioritizing speed over security played a significant role in the failure of the software.
Duration temporary The software failure incident discussed in the article was temporary. The security flaws in the mobile app used to enforce quarantines in South Korea were identified by a software engineer, Frédéric Rechtenstein, and reported to the authorities. The flaws were acknowledged by South Korean officials, and they took action to fix the vulnerabilities in the latest version of the app released in Google and Apple stores [102676].
Behaviour crash, omission, value, other (a) crash: The software failure incident in South Korea related to the mobile app used to enforce quarantines had serious security flaws that could have allowed attackers to retrieve private information of individuals in quarantine. The defects in the app could have led to a crash scenario where the system loses state and does not perform its intended functions, potentially compromising the security and privacy of users [102676]. (b) omission: The security flaws in the app could have also resulted in an omission scenario where the system omits to perform its intended functions. For example, hackers could have tampered with data to make it look as if users of the app were either violating quarantine orders or still in quarantine despite being somewhere else, indicating a failure to accurately enforce quarantine regulations [102676]. (c) timing: While the primary issue with the software failure incident was related to security flaws and potential privacy breaches, there is no specific mention of timing failures where the system performs its intended functions but either too late or too early in the articles provided. (d) value: The security flaws in the app, such as easily guessable ID numbers and weak encryption methods, could lead to a value failure scenario where the system performs its intended functions incorrectly. For instance, if a hacker could retrieve personal information or manipulate data, the system would be providing incorrect information or violating user privacy [102676]. (e) byzantine: The software failure incident in South Korea did not exhibit characteristics of a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. The primary focus was on security vulnerabilities and potential data breaches rather than erratic or inconsistent behavior. 
(f) other: The other behavior exhibited by the software failure incident in South Korea was the rush to deploy the app quickly without conducting thorough security checks. The pressure to act swiftly to combat the spread of the virus led to the omission of a comprehensive security assessment, highlighting a failure in the decision-making process and prioritization of security measures [102676].

IoT System Layer

Layer Option Rationale
Perception processing_unit, network_communication, embedded_software (a) sensor: The software failure incident in South Korea related to the mobile app used to enforce quarantines did not specifically mention any sensor-related errors or failures [102676]. (b) actuator: The incident did not involve any actuator-related errors or failures [102676]. (c) processing_unit: The failure in the South Korean mobile app was primarily due to security flaws in the processing unit, such as easily guessable user ID numbers and weak encryption methods used for communication with the server [102676]. (d) network_communication: The software failure incident in South Korea was also related to network communication errors, as the app used an insecure method to encrypt communications with the server, making it vulnerable to hacking [102676]. (e) embedded_software: The incident involved issues with the embedded software of the app, such as the encryption key being written directly into the code and being easily guessable, leading to security vulnerabilities [102676].
Communication connectivity_level The software failure incident described in the article [102676] was related to the communication layer of the cyber physical system. Specifically, the failure was related to the communication encryption used in the app. The software developers used an insecure method to scramble or encrypt the app's communications with the server where data was stored. Instead of using the standard HTTPS encryption, the app used an encryption key that was written directly into its code, which was "1234567890123456." This weak encryption method allowed hackers to easily find the key and decode the data if they tried, making monitoring all of the app's communications with the server possible, especially on the same unprotected Wi-Fi network as someone else using the app. This indicates a failure at the communication layer of the cyber physical system [102676].
Application TRUE The software failure incident described in the article [102676] was indeed related to the application layer of the cyber physical system. The failure was due to serious security flaws in a mobile app used to enforce quarantines in South Korea. These flaws allowed hackers to retrieve private information of individuals in quarantine, tamper with data, and potentially violate privacy and security. The flaws included easily guessable user ID numbers, insecure encryption methods, and inadequate security features that made personal data vulnerable to exploitation [102676].
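
The "thorough security check" this record recommends could have caught the two communication-layer flaws described above with a simple source audit. The following is an added example, not code from the app or the article: the sample source, identifier names and host are constructed, and only the key literal "1234567890123456" comes from the record.

```python
import re

AES_KEY_LENGTHS = {16, 24, 32}  # byte lengths of AES-128/192/256 keys
STRING_ASSIGN = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
KEY_NAME = re.compile(r"key|secret|passw", re.IGNORECASE)

# Constructed sample resembling app source; only the first literal is from the record.
SAMPLE_SOURCE = '''\
private static final String AES_KEY = "1234567890123456";
private static final String SERVER_URL = "http://quarantine.example.invalid/api";
private static final String APP_NAME = "demo";
private static final String SESSION_KEY = "q7Zp2LmX9vRt4KdW";
'''


def longest_sequential_run(s):
    """Longest run in which each character repeats or follows the previous
    one (digits wrap from 9 to 0), a cheap signal for guessable keys."""
    if not s:
        return 0
    best = run = 1
    for prev, cur in zip(s, s[1:]):
        if prev.isdigit() and cur.isdigit():
            step = (int(cur) - int(prev)) % 10
        else:
            step = ord(cur) - ord(prev)
        run = run + 1 if step in (0, 1) else 1
        best = max(best, run)
    return best


def audit(source):
    """Return (line number, rule, identifier) for each finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, literal in STRING_ASSIGN.findall(line):
            # Traffic to a plain-HTTP endpoint has no transport protection.
            if literal.lower().startswith("http://"):
                findings.append((lineno, "cleartext-endpoint", name))
            # Any key-sized literal in source is shared by every install,
            # so it is a finding even when it looks random.
            if KEY_NAME.search(name) and len(literal) in AES_KEY_LENGTHS:
                findings.append((lineno, "hardcoded-key", name))
                if (literal.isdigit()
                        or longest_sequential_run(literal) >= len(literal) // 2):
                    findings.append((lineno, "predictable-key", name))
    return findings


if __name__ == "__main__":
    for lineno, rule, name in audit(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule} ({name})")
```

A random-looking key embedded in the app is still reported as hardcoded-key, because anyone with the app package can read it; the fix the record names is HTTPS for transport, with no shared secret shipped in the code.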

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident in South Korea involving the mobile app used to enforce quarantines had serious security flaws that made private information vulnerable to hackers. The defects in the app could have allowed attackers to retrieve personal information such as names, real-time locations, and other details of people in quarantine. Additionally, hackers could have tampered with data to make it appear as if users were violating quarantine orders or still in quarantine despite being elsewhere. The security flaws in the app exposed users' sensitive information, including name, date of birth, sex, nationality, address, phone number, real-time location, and medical symptoms [102676].
Domain health, government (a) The failed system was related to the health industry as it involved a mobile app used to enforce quarantines during the coronavirus pandemic in South Korea [102676]. The app tracked users' locations to ensure they remained in quarantine areas and could trigger alerts if users violated quarantine orders [102676]. (l) The government sector was also involved as the app was developed in collaboration with the South Korean Ministry of the Interior and Safety's disaster response division [102676]. The government mandated the use of the app for all visitors and residents arriving from abroad to monitor compliance with quarantine measures [102676]. (m) The software failure incident was not directly related to any other industry mentioned in the options provided.
