The CEO of a British Tech company has warned the Government of potential serious flaws in the security of personal information and data used in the new contact tracing app technology that was announced by Matt Hancock.

Manchester Tech inventor and innovator Louis-James Davis stated that the use of QR code scanning technology – which underpins the Government contact tracing app – is flawed because its reliance and use of QR codes means it can be subject to a process called “Attagging” or cloning. 

“Attagging” is where a ‘genuine QR code’ is replaced by a ‘cloned QR code’ which then redirects the person scanning that code to a similar website where personal data can be intercepted and breached. The problem is that serious that in India alone there are over 1 BILLION fraudulent financial transactions each day using QR codes. As the scanning user journey is the same, it is only tech savvy individuals that may notice the domain name has changed.

The CEO of Manchester based VST Enterprises Ltd (VSTE) and a consortium of other British companies; Latus Health, Redstrike and Halo Solutions, last week submitted a ‘360 End To End Solution Plan’ called  ‘FANS ARE BACK’ to the Prime Minister, the Cabinet Office and the Chair of the DCMS Select Committee following his daily press briefing and announcement of ‘Operation Moonshot.’  In this proposal it also highlighted the serious security issues and concerns over QR code technology whilst also providing details of its own end to end secure solution to the UK Government using British technology.

The tech boss revealed that VSTE has developed an ultra secure digital health passport and contact tracing app technology that does not use QR codes but instead uses a closed loop, ultra secure code called VCode® which it has invented and which is currently being used by the United Nations SDG Projects. The system uses closed loop technology with end to end encryption and contains over 2.2 Quintillion variations of code – thats nearly 300 million code variations per person on the planet – meaning it is impossible to hack or impersonate from the front end.  The secure digital health passport which is called V-Health Passport™ is used to authenticate a persons identity using their existing Government ID and is then used to record their Covid-19 test status. Uniquely it can be scanned outside of the 2 metre social distancing capability and over 100m away with a specialist device. It can also be scanned in a 170 degree arc whilst a person is moving thus preventing bottlenecks and choke points in fans queuing to get into a venue. VHealth Passport™ can also be used to record vaccinations as well and other vital medical information.

VST Enterprises CEO Louis James Davis said;

“We have highlighted the serious security flaws of using QR codes in healthcare and ID technology in our proposal and plan submitted to the Government. When you are dealing with the public’s personal information and private data, security is of paramount importance and crucial to public confidence.

When the Government first launched the NHS contact tracing app there were many concerns raised about privacy, protection of data, tracking of location data and the security flaws of using bluetooth proximity technology. The use of QR code technology in a Government contact tracing app where the public are being asked to scan a QR code before going into a sports stadium, bar or venue leaves their data and personal information at serious risk of cloning and ‘Attagging’. 

There are over 1 Billion fraudulent financial transactions each day in India alone and that should be a serious wake up call to any Government or major organisation about the wider use of QR code technology to the public in a contact tracing app or digital healthcare passport for that matter.

Because QR code readers and encoders are open source technology – free to use and manipulate – there are literally 1000’s of readers and encoders in the app stores. They don’t work on a closed loop security system which means the QR code design might not be unique and scanning and decoding can be exploited and/or manipulated.   QR codes also have to be scanned close up within inches thus meaning that the scanning of a QR code for contact tracing already breaches a safe 2 metre social distancing protocol.”

In understanding how the QR codes are vulnerable to cloning Louis-James explained;

“Essentially QR codes can be cloned and redirected to other information points or websites. Often criminals and hackers will exploit this by putting a fake QR code over a genuine QR code. So a QR code for example on scanning would link to the genuine website www.similardomain.com but a fake QR code can be made up printed off and placed over the genuine code to redirect to www.similar-domain.com at this point the member of the public is tricked into entering their personal information, private data and financial information. The rogue website looks and feels exactly like the genuine one and is made to mirror it precisely.”

VCode® which is the digital bar code of choice in our contact tracing app and V-Health Passport™ for example cannot be cloned, so even if it was printed off, or a photograph taken and placed over a venue VCode® or V-Health Passport™ it simply wont scan as it works on a call and response system of information between the code and web platform to verify location of the code, user ID and time and date and much more.”