September 4, 2020
This year, the tech giants Apple and Google teamed up to put their extensive joint resources to develop a COVID-19 tracing solution.
The result will mechanically use people’s smartphones to keep tabs on their vicinity to other phones and alerts users if someone nearby has a definite diagnosis.
Unfortunately, an exploit has been revealed in the closed-source project that might highlight fears about Apple and Google phones that are spontaneously tracking a person’s vicinity to others continuously.
This week, Serge Vaudenay (EPFL) and Martin Vuagnoux (base23) posted a video in Vimeo that shows how the exploit happens; it was learned in Switzerland’s SwissCovid tracing app; this is based on the code delivered by the Apple/Google framework.
This attack is named the “Little Thumb” from the classic French story (same as Hansel and Gretel), in which a boy leaves pebbles to mark his trail. This is because the video creators learned that the Bluetooth LE-based system goes what the little stones of data can be used to trail someone’s activities and possibly identify them.
They found the Bluetooth LE’s numeric address and the framework’s progressing proximity ID do not necessarily update at the same time; it left little windows in which the Bluetooth address resembles the old ID – a pebble to trace. They could snoop on messages from up to 50 meters using a “cheap and basic antenna,” they wrote.
“This is real, passive Bluetooth capture of SwissCovid. An adversary is able to correlate the previous and new BR_ADDR and RPI thanks to the ‘pebble’ message in the middle,” reads the text in the video. “Thus, the adversary can continuously trace the user of the SwissCovid app. This should not happen for more than 15 minutes.”
Discovering the SwissCovid app’s issue for the first time, they have confirmed the exploit worked across the other apps built using the Apple/Google framework: Austria’s Stopp Corona, Germany’s Corona-Warn, and Italy’s Immuni. With SwissCovid, the attack functioned on five out of the eight well-matched phones they have tested.
Being the SwissCovid app a public domain, the Google Apple Exposure Notification (GAEN) framework behind it and many other such apps is closed source – and there’s no way to patch it. The video states that even though Apple and Google released an incomplete extract of code for the framework, it is not a genuinely open-source project; this explains that the community cannot audit the code and address possible concerns.
To secure COVID-19 symptom tracing apps, some developers have tried to use blockchain. Other smaller-scale apps made to try and help users like CoronaTracker, and California lawmakers have proposed a statewide blockchain-driven tracing system.
Both the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have come out in contradiction of a blockchain-based system have cited latent privacy issues. An EFF senior staff attorney Adam Schwartz said in August;
“In short, this bill is a blockchain solution in search of a problem, and COVID-19 is a problem that will not be so easily solved,”
No Comment