Litcius/Paper detail

Mind the GAP: Security & Privacy Risks of Contact Tracing Apps

Lars Baumgärtner, Alexandra Dmitrienko, Bernd Freisleben, Alexander Gruler, Jonas Höchst, Joshua Kühlberg, Mira Mezini, Richard Mitev, Markus Miettinen, Anel Muhamedagic, Thien Duc Nguyen, Alvar Penning, Dermot Frederik Pustelnik, Filipp Roos, Ahmad‐Reza Sadeghi, Michael Schwarz, Christian Uhl

202048 citationsDOI

Abstract

Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy, the so-called “Google/Apple Proposal”, which we abbreviate by “GAP”. We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts with the potential of affecting the accuracy of an app-based contact tracing system. For both types of attack, we have built tools that can easily be used on mobile phones or Raspberry Pis (e.g., Bluetooth sniffers). The goal of our work is to perform a reality check towards possibly providing empirical real-world evidence for these two privacy and security risks. We hope that our findings provide valuable input for developing secure and privacy-preserving digital contact tracing systems.

Topics & Concepts

BluetoothContact tracingComputer scienceComputer securityTracingMobile deviceRelayProfiling (computer programming)ZombieInternet privacyWorld Wide WebTelecommunicationsCoronavirus disease 2019 (COVID-19)WirelessDiseaseInfectious disease (medical specialty)MedicineQuantum mechanicsPathologyPhysicsOperating systemPower (physics)COVID-19 Digital Contact TracingPrivacy, Security, and Data ProtectionPrivacy-Preserving Technologies in Data