Baumgärtner, Lars ; Dmitrienko, Alexandra ; Freisleben, Bernd ; Gruler, Alexander ; Höchst, Jonas ; Kühlberg, Joshua ; Mezini, Mira ; Mitev, Richard ; Miettinen, Markus ; Muhamedagic, Anel ; Nguyen, Thien Duc ; Penning, Alvar ; Pustelnik, Frederik ; Roos, Filipp ; Sadeghi, Ahmad-Reza ; Schwarz, Michael ; Uhl, Christian (2020):
Mind the GAP: Security & Privacy Risks of Contact Tracing Apps.
In: Proceedings : 2020 IEEE 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pp. 458-467,
IEEE, TrustCom 2020, virtual Conference, 29.12.2020-01.01.2021, ISBN 978-0-7381-4380-4,
[Conference or Workshop Item]
Abstract
Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy, the so-called "Google/Apple Proposal", which we abbreviate by "GAP". We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts with the potential of affecting the accuracy of an app-based contact tracing system. For both types of attack, we have built tools that can easily be used on mobile phones or Raspberry Pis (e.g., Bluetooth sniffers). The goal of our work is to perform a reality check towards possibly providing empirical real-world evidence for these two privacy and security risks. We hope that our findings provide valuable input for developing secure and privacy-preserving digital contact tracing systems.
Item Type: | Conference or Workshop Item |
---|---|
Erschienen: | 2020 |
Creators: | Baumgärtner, Lars ; Dmitrienko, Alexandra ; Freisleben, Bernd ; Gruler, Alexander ; Höchst, Jonas ; Kühlberg, Joshua ; Mezini, Mira ; Mitev, Richard ; Miettinen, Markus ; Muhamedagic, Anel ; Nguyen, Thien Duc ; Penning, Alvar ; Pustelnik, Frederik ; Roos, Filipp ; Sadeghi, Ahmad-Reza ; Schwarz, Michael ; Uhl, Christian |
Title: | Mind the GAP: Security & Privacy Risks of Contact Tracing Apps |
Language: | English |
Abstract: | Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy, the so-called "Google/Apple Proposal", which we abbreviate by "GAP". We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts with the potential of affecting the accuracy of an app-based contact tracing system. For both types of attack, we have built tools that can easily be used on mobile phones or Raspberry Pis (e.g., Bluetooth sniffers). The goal of our work is to perform a reality check towards possibly providing empirical real-world evidence for these two privacy and security risks. We hope that our findings provide valuable input for developing secure and privacy-preserving digital contact tracing systems. |
Book Title: | Proceedings : 2020 IEEE 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications |
Publisher: | IEEE |
ISBN: | 978-0-7381-4380-4 |
Uncontrolled Keywords: | contact tracing |
Divisions: | 20 Department of Computer Science 20 Department of Computer Science > System Security Lab DFG-Collaborative Research Centres (incl. Transregio) DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres Profile Areas Profile Areas > Cybersecurity (CYSEC) DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > CRC 1119: CROSSING – Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments |
Event Title: | TrustCom 2020 |
Event Location: | virtual Conference |
Event Dates: | 29.12.2020-01.01.2021 |
Date Deposited: | 03 Feb 2021 15:16 |
PPN: | |
Corresponding Links: | |
Export: | |
Suche nach Titel in: | TUfind oder in Google |
![]() |
Send an inquiry |
Options (only for editors)
![]() |
Show editorial Details |