Date Monday, August 3, 2020 1:11 PM
From Bob Loblaw
To Hanno Labuschagne
Hello Hanno
Good work on the followup with FNB and the publication of your article. To date I still haven't received a reply from FNB, surprisingly not even a simple auto reply from a ticketing system.
Following your article in which you explained that this functionality is limited to FNB staff only, over the weekend to satisfy my own interest I managed to get a screenshot of an FNB staff member's mobile phone showing the "Contact Tracking" screen. See attachment.
For the record: I'm not an employee of FNB and I didn't modify their app APK. I'm running the standard FNB app downloaded from the Google Play Store and installed on a normal locally available Android phone. The "Enable Tracing" notification seen in the screenshot sent earlier appears every time I restart my phone. It's this consistent behaviour that caused me to look into the APK source code. Since I'm not a low-level Android developer, I'm afraid I can't investigate much further, but I assume that this behaviour is triggered as part of the FNB app's "phone home" procedure that registers the phone's unique identifier with their back-end system.
Even though FNB stated that this feature is not activated on the mobile phones of non-employees, I find it rather alarming that this message continues to be sent on my mobile phone, given that I am not an FNB employee.
Additionally, even though FNB claims that this solution fully respects privacy, the fact that this tracing protocol (BlueTrace) requires a centralized server to store and process user tokens (and optionally user contact lists) makes it a legitimate privacy concern; privacy experts have even publicly declared this:
"However, PEPP-PT and BlueTrace rely on a centralized server to generate the temporary ID codes, which an analysis from the DP-3T developers claims could let the server identify the individual behind any temporary code and trace their movement." -
https://protonmail.com/blog/privacy-contact-tracing-apps/
Finally, security researchers have recently identified a major bug in the OpenTrace protocol (the open source version of BlueTrace), which has been assigned an official CVE code + severity level of "9.8 CRITICAL" by NIST. -
https://nvd.nist.gov/vuln/detail/CVE-2020-12856
In summary, it can therefore be concluded that, despite FNB's assertions to the contrary, the embedding of this BlueTrace code in the app FNB's customers are installing on their personal phones definitely represents a non-zero risk. I cannot speak on behalf of others, but personally I would definitely feel more comfortable if this functionality were removed and FNB publicly confirmed this.
Bob