Privacy Bug Found In Apple, Google COVID-Tracing Framework

European apps using the code can be attacked to “continuously trace” users, which probably isn’t what people wanted to opt into.

In Brief

* A privacy exploit was discovered in apps using the Google/Apple COVID-19 tracing framework.

* The attack can be used to “continuously trace” users via their smartphones.

* The Google/Apple framework is proprietary and closed-source.

In April, tech giants Apple and Google teamed up to put their considerable combined resources toward developing a COVID-19 tracing solution.

For those who opt in, the solution automatically uses people’s own smartphones to keep tabs on their proximity to other phones and alerts users if someone they were near has a confirmed diagnosis.

However, an exploit has been discovered in the closed-source project that might stoke fears about Apple and Google phones automatically tracking a person’s proximity to others on a constant basis.

Serge Vaudenay (EPFL) and Martin Vuagnoux (base23) posted a video to Vimeo this week (via Hackaday) that demonstrates the exploit. They discovered it in Switzerland’s SwissCovid tracing app, which is based on the code provided by the Apple/Google framework.

The “Little Thumb” attack is named after the classic French story (similar to Hansel and Gretel) in which a boy leaves pebbles to mark his trail.

That’s because the creators of the video discovered that the Bluetooth LE-based system leaves what they call little pebbles of data, which can be used to trace someone’s movements and potentially identify them.

Essentially, they found Bluetooth LE’s numeric address and the framework’s own rolling proximity ID do not necessarily update at the same time, leaving little windows in which the Bluetooth address corresponds with the old ID—a pebble to trace.

They were able to eavesdrop on messages from up to 50 meters using a “cheap and basic antenna,” they wrote.

“This is real, passive Bluetooth capture of SwissCovid. An adversary is able to correlate the previous and new BR_ADDR and RPI thanks to the ‘pebble’ message in the middle,” reads the text in the video.

“Thus, the adversary can continuously trace the user of the SwissCovid app. This should not happen for more than 15 minutes.”
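The check below is an added example, not code from the researchers or from the Apple/Google framework. It shows how someone auditing their own test handset could measure how long its broadcasts stay linkable: frames that share a Bluetooth address or an RPI are grouped, and any group lasting longer than the 15-minute bound quoted above is reported. The capture format, the function names and every sample value are assumptions constructed for illustration.

```python
# Constructed capture from one test handset: (seconds, BLE address, RPI).
# All values are made up for illustration.
CAPTURE = [
    (0,    "addr-1", "rpi-1"),
    (600,  "addr-1", "rpi-1"),
    (900,  "addr-2", "rpi-1"),   # "pebble": address rotated, RPI did not
    (902,  "addr-2", "rpi-2"),
    (1790, "addr-2", "rpi-2"),
    (1800, "addr-3", "rpi-3"),   # synchronized rotation: nothing carries over
    (2400, "addr-3", "rpi-3"),
]

LIMIT_S = 15 * 60  # the 15-minute bound quoted in the article


def linked_spans(frames):
    """Group frames sharing an address or an RPI; return (first, last, addresses) per group."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    # Every frame ties its address and its RPI into the same group.
    for _, addr, rpi in frames:
        parent[find(("addr", addr))] = find(("rpi", rpi))

    spans = {}
    for ts, addr, _ in frames:
        root = find(("addr", addr))
        first, last, addrs = spans.get(root, (ts, ts, set()))
        spans[root] = (min(first, ts), max(last, ts), addrs | {addr})
    return sorted(spans.values(), key=lambda s: s[0])


def over_limit(frames, limit_s=LIMIT_S):
    """Groups in which the device stays linkable for longer than limit_s seconds."""
    return [s for s in linked_spans(frames) if s[1] - s[0] > limit_s]


if __name__ == "__main__":
    for first, last, addrs in over_limit(CAPTURE):
        print(f"linkable for {last - first}s across {sorted(addrs)}")
```

Dropping the single frame at 900 seconds from the sample splits the long group in two, and nothing exceeds the limit.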

While they first discovered the issue in the SwissCovid app, they confirmed the exploit worked across other apps built using the Apple/Google framework: Italy’s Immuni, Germany’s Corona-Warn, and Austria’s Stopp Corona. With SwissCovid, the attack worked on five out of the eight compatible phones they tested.
