Google/Apple’s Contact Tracing Apps Susceptible to Digital Attacks

Since the start of the COVID-19 pandemic, scientists and health authorities have relied on contact tracing technologies to help manage the spread of the virus. Yet there is a major flaw in a framework that many of these mobile apps use – one that attackers could exploit to speed up false positive notifications.

Apps powered by the Google/Apple Exposure Notification Framework (GAEN) are widely available in many countries and run most efficiently in the background of your phone. But researchers at Ohio State University said they found these apps were susceptible to geo-replay attacks, which is when a third party captures contact tracing phone data broadcast by a user in an area and exploits them by repeatedly transmitting them to another area. remote location.

Replay attacks can be used to exploit electronic weaknesses to gain access to digital networks, cause adverse effects on mobile devices, or poison data sets with false information. Considering how much society relies on honest health data, misinformation can be particularly harmful in terms of tracking COVID-19, said study co-author Anish Arora, professor and chair of computer science and engineering at Ohio State.

“Hackers or nation-state actors could potentially take advantage of an honest user and replay their contact tracing data anywhere in the world,” Arora said.

For example, if someone in Columbus with COVID-19 were to have their contact tracing beacon data captured by a third party, their information could be transmitted to one or more other cities thousands of miles away and rebroadcast to others. near. If that person were to test positive for COVID-19, a person who actually had no contact with an infected person could be alerted.

This means attackers could essentially create digital superspreaders, launching a process that shares clusters of fake exposure beacons in different areas, Arora said.

“Because the framework works like a wireless protocol, anyone can inject some sort of false exposure, and those false encounters could disrupt public trust in the system,” he said.

Although an increase in false positive notifications would undermine the public good behind contact tracing apps, the co-author Zhiqiang LinProfessor of computer science and engineering at Ohio State, said it could also have cascading economic and social consequences, such as forcing people to miss work or cancel daily personal activities and long-planned vacations. That potential increases when testing is scarce or in economically disadvantaged countries that don’t have access to vaccines, added Lin, who has studied cybersecurity vulnerabilities in digital software for more than a decade.

Still, researchers were able to find a fix for this fatal flaw. “The hardest part was finding a workable solution that wouldn’t stop users from using the app,” Lin said.

The team came up with a prototype based on Google and Apple’s original framework, which they called GAEN+, pronounced “Gain Plus”. After implementing it on an Android device (the prototype is also easily portable to Apple devices), they ran the prototype through a series of experiments to test its defenses against malicious replay attacks. They concluded that compared to Google and Apple’s framework, GAEN+ was able to effectively prevent false positives while maintaining user privacy.

The team presented their solution July 12 at the annual meeting of Privacy Technologies Symposium (PETS) held this year in Sydney, Australia. Zhiqiang Lin

Lin said that while the team may not be the first to find the flaw in Google and Apple, they are currently the first team to prove to the wider digital community how it could be exploited. low-cost, distributed way. “Maybe they just thought it couldn’t have serious consequences,” he said. But overall, Lin describes their change to contact tracing protocol as “very minimal” for such a solid defense against potential attacks.

“Our enhancement preserves privacy,” Arora said. Instead of relying on precise GPS data like other proposed fixes, GAEN+ uses coarse location data from Wi-Fi hotspots and cell towers in a smart way that preserves the anonymity, he said.

The team received acknowledgments from Google for finding and fixing the weakness. To ensure that GAEN+ is publicly available, the team has put the patch source code on GitHub, a platform that hosts the code online.

“When future developers design similar protocols, we make sure they have the opportunity to consider our recommendations,” Arora said. “Both companies have produced a product that can do a lot of good in the world. We just want to make GAEN much harder to mine.

Other co-authors were Christopher Ellis and Haohuang Wen, both graduate students in computer science and engineering at Ohio State. This research was supported by the National Science Foundation.

‘, ‘window.fbAsyncInit = function() {‘, ‘FB.init({‘, ‘appId:’216372371876365′,’, ‘xfbml:true,’, ‘version: ‘v2.6” , ‘});’ ]; ppLoadLater.placeholderFBSDK.push(‘};’); var ppFacebookSDK= [
‘(function(d, s, id) {‘,
‘var js, fjs = d.getElementsByTagName(s)[0];’, ‘if (d.getElementById(id)) return;’, ‘js = d.createElement(s); = id;’, ‘js.src = “”;’, ‘fjs.parentNode.insertBefore(js, fjs);’, ‘}( document, ‘script’, ‘facebook-jssdk’));’ ]; ppLoadLater.placeholderFBSDK = ppLoadLater.placeholderFBSDK.concat(ppFacebookSDK); ppLoadLater.placeholderFBSDK.push(‘‘); ppLoadLater.placeholderFBSDK = ppLoadLater.placeholderFBSDK.join(“n”);