StopCoviD: The application put to the test of hackers

If legally and institutionally the Mobile Tracing application of the French government has been validated, the question of computer security remains.

In this context, it has been tested by several hackers and coders, with the aim of discovering security vulnerabilities if possible.

This article will also interest you: StopCoviD: The first publication of the source code of the tracing application would be empty and uninteresting

Recently, hackers hired by the French state are scrambling to uncover flaws from the tracking application. Putting everyone waiting for the results of this famous Bug Bounty. The starting point of this work is quite convincing: "The same MongoDB database is used for all customers! ».

It should be added that all coders or specialists who would be interested in this program can participate via the source code of the application that has been put online (largely it must be specified) such as the ad and INRIA, the Public Institute for Computer Research that is the origin of the tracking application.

The apparent objective of this programme is to prove that the application will not be used for purposes other than stated by the French government, no abuse will be carried out with the data that can be collected.

But in practical ways, some thirty security specialists, in the category of bounty hunters, have been hired by the Institute for Computer Research, under the leadership of the company "Yes We Hack", as part of an intensive Bounty bug campaign. The National Agency for Security of Information Systems, the French police for network security, oversees this activity in collaboration with INRIA. The discovery of vulnerabilities in this companion can be rewarded up to 2000 euros.

For Yes We Hack boss Guillaume Vassault-Houlière, the task is proving difficult for them. For it is on a "pretty mature platform that has already benefited from the recommendations of Anssi" that they will be directed. However it does not fail to add specialized hackers "always manage to find stuff, which can be benign as they can be very big. ». He added: "And yet we have all kinds of structures among our clients, including companies that spend millions of euros or dollars on defence. ».

In addition, no one has managed so far to crack the application, as Stéphane Richard, the head of Orange, pointed out last Thursday a few hours after the start of the Bounty bug program. But to quell his joy, Baptiste Robert, an ethical hacker, work on behalf of the company Yes We Hack, otherwise recognized under the pseudonym Elliot Alderson, countered on Twitter by announcing that he had "opened 10 tickets last night to the bug bounty #StopCovid for 10 problems – or – serious (…) One of the worries, one of the stupidest, is the direct fault of the developers of Orange. ». Apparently, the orange boss had spoken a little too soon.

Very clearly, it must be admitted that it is almost impossible to guarantee that the application has been developed without any flaws or potential bugs. And computer scientists think that unanimously. And this is common for all computer programs. "An application is developed by humans" therefore, "there are inevitably errors," says F5 Networks technical director Arnaud Lemaire, who is himself a specialist in network and application security. In fact, developers themselves tend to use "ready-made tools, ready-made bits of code that are accessible in bookstores that also have potential flaws and problems." Not to mention the fact that the goal of the programmers at the base is to operate a tool within a set time frame, which puts the security issue on the back burner. What Arnaud Lemaire confirmed when he said: "Today what developers are asked to do is to meet a specification and meet a deadline."

As part of the StopCoviD campaign, Guillaume Vassault-Houlière meant that the most important thing is not just to detect security vulnerabilities. But let the experts be able to identify the degree of dangerousness of the latter and the potential consequences on the operation of the tracking software: "Everything must qualify according to the business of the application. He notes. Just to keep out coders and hackers who are not up to the task from the start. "There are a lot of people who think they're hackers, who do security like when I was 15… and I'm 37 today."

Now access an unlimited number of passwords: