Mind the GAP: Security & Privacy Risks of Contact Tracing Apps
This work addresses security and privacy risks in digital contact tracing systems, which is critical for public health and user safety, though it is incremental in identifying specific vulnerabilities.
The paper demonstrates that the Google/Apple Proposal (GAP) for contact tracing apps is vulnerable to profiling/de-anonymization of infected persons and relay-based wormhole attacks, using built tools on mobile devices to provide empirical evidence.
Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy, the so-called "Google/Apple Proposal", which we abbreviate by "GAP". We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts with the potential of affecting the accuracy of an app-based contact tracing system. For both types of attack, we have built tools that can easily be used on mobile phones or Raspberry Pis (e.g., Bluetooth sniffers). The goal of our work is to perform a reality check towards possibly providing empirical real-world evidence for these two privacy and security risks. We hope that our findings provide valuable input for developing secure and privacy-preserving digital contact tracing systems.