Mind the GAP: Security & Privacy Risks of Contact Tracing Apps

by Lars Baumgärtner, et al.

Contact tracing apps running on mobile devices promise to reduce the manual effort required for identifying infection chains and to increase tracing accuracy in the presence of COVID-19. Several contact tracing apps have been proposed or deployed in practice. Google and Apple have also announced a joint effort to provide an API for exposure notification, so that decentralized contact tracing apps can be implemented on top of Bluetooth Low Energy; we abbreviate this "Google/Apple Proposal" as "GAP". Some countries have already decided, or are planning, to base their contact tracing apps on GAP. Several researchers have pointed out potential privacy and security risks in most of the contact tracing approaches proposed so far, including those that claim privacy protection and are based on GAP. This report makes a first attempt at providing empirical evidence in real-world scenarios for two such risks discussed in the literature: one concerning privacy, the other concerning security. In particular, we focus on a practical analysis of GAP, given that it is the foundation of several tracing apps. We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons, and (ii) relay-based wormhole attacks that can in principle generate fake contacts, with the potential to significantly affect the accuracy of an app-based contact tracing system. For both types of attack, we have built tools that can easily be run on mobile phones or Raspberry Pis (e.g., as Bluetooth sniffers). We hope that our findings provide valuable input to the process of testing and certifying contact tracing apps, e.g., as planned for the German Corona-Warn-App, and ultimately guide improvements to the secure and privacy-preserving design and implementation of digital contact tracing systems.
