Mind the GAP: Security & Privacy Risks of Contact Tracing Apps
- URL: http://arxiv.org/abs/2006.05914v2
- Date: Fri, 6 Nov 2020 13:27:07 GMT
- Authors: Lars Baumgärtner (1), Alexandra Dmitrienko (3), Bernd Freisleben
(2), Alexander Gruler (2), Jonas Höchst (1 and 2), Joshua Kühlberg (1),
Mira Mezini (1), Richard Mitev (1), Markus Miettinen (1), Anel Muhamedagic
(1), Thien Duc Nguyen (1), Alvar Penning (2), Dermot Frederik Pustelnik (1),
Filipp Roos (3), Ahmad-Reza Sadeghi (1), Michael Schwarz (2), Christian Uhl
(2) ((1) TU Darmstadt, (2) Philipps-Universität Marburg, (3) JMU
Würzburg)
- Abstract summary: Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contact tracing apps using Bluetooth Low Energy.
We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Google and Apple have jointly provided an API for exposure notification in
order to implement decentralized contact tracing apps using Bluetooth Low
Energy, the so-called "Google/Apple Proposal", which we abbreviate by "GAP". We
demonstrate that in real-world scenarios the current GAP design is vulnerable
to (i) profiling and possibly de-anonymizing infected persons, and (ii)
relay-based wormhole attacks that basically can generate fake contacts with the
potential of affecting the accuracy of an app-based contact tracing system. For
both types of attack, we have built tools that can easily be used on mobile
phones or Raspberry Pis (e.g., Bluetooth sniffers). The goal of our work is to
perform a reality check towards possibly providing empirical real-world
evidence for these two privacy and security risks. We hope that our findings
provide valuable input for developing secure and privacy-preserving digital
contact tracing systems.
Related papers
- Protect Your Score: Contact Tracing With Differential Privacy Guarantees
  We argue that privacy concerns currently hold deployment back.
  We propose a contact tracing algorithm with differential privacy guarantees against this attack.
  Especially for realistic test scenarios, we achieve a two to ten-fold reduction in the infection rate of the virus.
  (2023-12-18T11:16:33Z)
- CoAvoid: Secure, Privacy-Preserved Tracing of Contacts for Infectious Diseases
  This paper proposes CoAvoid, a decentralized, privacy-preserved contact tracing system.
  CoAvoid leverages the Google/Apple Exposure Notification (GAEN) API to achieve decent device compatibility and operating efficiency.
  Compared with four state-of-art contact tracing applications, CoAvoid can reduce upload data by at least 90% and simultaneously resist wormhole and replay attacks.
  (2022-01-20T12:19:21Z)
- Privacy-Preserving Infection Exposure Notification without Trust in Third Parties
  We propose a privacy-preserving exposure notification under situations where none of the middle entities can be trusted.
  We show that the level of verifiability is much higher with our proposed design if a consumer group were to verify the privacy protections of the deployed systems.
  (2021-03-13T09:47:45Z)
- A Critique of the Google Apple Exposure Notification (GAEN) Framework
  Digital contact tracing has been proposed as a tool to support the health authorities in their quest to determine who has been in close and sustained contact with a person infected by the coronavirus.
  In April 2020 Google and Apple released the Google Apple Exposure Notification framework, as a decentralised and more privacy friendly platform for contact tracing.
  We argue that this creates a dormant functionality for mass surveillance at the operating system layer.
  (2020-12-09T15:05:59Z)
- Reconciling Security and Utility in Next-Generation Epidemic Risk Mitigation Systems
  We present Silmarillion, a system that reconciles user's privacy with rich data collection for higher utility.
  In Silmarillion, user devices record Bluetooth encounters with beacons installed in strategic locations.
  We describe the design of Silmarillion and its communication protocols that ensure user privacy and data security.
  (2020-11-16T16:19:37Z)
- Contact Tracing Made Un-relay-able
  SARS-CoV-2 pandemic put a heavy strain on the healthcare system of many countries.
  Governments chose different approaches to face the spread of the virus.
  Mobile apps allow to achieve a privacy-preserving contact tracing of citizens.
  (2020-10-23T20:03:31Z)
- Backdoor Attack against Speaker Verification
  We show that it is possible to inject the hidden backdoor for infecting speaker verification models by poisoning the training data.
  We also demonstrate that existing backdoor attacks cannot be directly adopted in attacking speaker verification.
  (2020-10-22T11:10:08Z)
- BeeTrace: A Unified Platform for Secure Contact Tracing that Breaks Data Silos
  Contact tracing is an important method to control the spread of an infectious disease such as COVID-19.
  Current solutions do not utilize the huge volume of data stored in business databases and individual digital devices.
  We propose BeeTrace, a unified platform that breaks data silos and deploys state-of-the-art cryptographic protocols to guarantee privacy goals.
  (2020-07-05T10:33:45Z)
- Decentralized Privacy-Preserving Proximity Tracing
  DP3T provides a technological foundation to help slow the spread of SARS-CoV-2.
  System aims to minimise privacy and security risks for individuals and communities.
  (2020-05-25T12:32:02Z)