Vietnamese contact tracing app broadcasts fixed ID


A reverse-engineering analysis of Bluezone, Vietnam's official Bluetooth-based contact tracing app, developed by a coalition of local technology companies and the Ministry of Information and Communications, shows that the app broadcasts a fixed six-character ID that it assigns to each installation. The app, which is intended to alert people who may have come into contact with the virus while preserving their anonymity, comes in both iOS and Android versions and quickly attracted 150,000 users. Both versions broadcast the ID, putting users at risk of disclosing their location, movement, and social graph to any watcher. The IDs are also predictably generated, so they can be spoofed or registered en masse as a denial-of-service attack.


Writer: Tù Nhân Lương Tháng
Publication: VNHacker

