Google/Apple Contact Tracing Apps Vulnerable to Digital Attacks – The Ohio State University News | Hot Mobile Press

Since the beginning of the COVID-19 pandemic, scientists and public health officials have relied on contact tracing technologies to contain the spread of the virus. However, there is a major flaw in a framework that many of these mobile apps use – one that attackers could exploit to boost false positive notifications.

Apps powered by the Google/Apple Exposure Notification Framework (GAEN) are widely used in many countries and work more efficiently in the background of your phone. However, Ohio State University researchers said they found that these apps are vulnerable to geo-based replay attacks; remote location.

Replay attacks can be used to exploit electronic vulnerabilities to gain access to digital networks, cause harmful effects on mobile devices, or poison records with false information. Given how much society relies on honest health data, bad information can be particularly damaging when it comes to tracking COVID-19, the study co-author said Anish Arora, Professor and Chair of Computer Science and Engineering at Ohio State University.

“Hackers or nation-state actors could potentially exploit an honest user and replay their contact tracing data anywhere in the world,” Arora said.

For example, if someone in Columbus with COVID-19 had their contact tracing beacon data collected by a third party, their information could be transferred to one or more other cities thousands of miles away and onward to others nearby. If that person were diagnosed positive for COVID-19, someone who has not actually been in contact with an infected person could be alerted.

That means attackers could essentially create digital superspreaders and start a process that splits clusters of misilluminated beacons in different areas, Arora said.

“Because the framework acts as a wireless protocol, anyone can inject some sort of fake exposure, and those fake encounters could disrupt public trust in the system,” he said.

Although an increase in false positive notifications would undermine the public good behind contact-tracing apps, co-author Zhiqiang LinProfessor the Computer Science and Engineering at Ohio State, said there could also be economic and social consequences, such as people missing work or canceling daily personal activities and long-planned vacations. That potential increases when testing is scarce or in economically disadvantaged countries that don’t have access to vaccines, added Lin, who has been studying cybersecurity vulnerabilities in digital software for over a decade.

However, researchers were able to develop a patch for this serious bug. “The hardest part was finding a solution that was convenient and didn’t prevent users from using the app,” Lin said.

The team developed a prototype based on Google and Apple’s original framework, which they called GAEN+, pronounced “Gain Plus”. After implementing it on an Android device (the prototype is also easily portable to Apple devices), they put the prototype through a series of experiments to test its defenses against malicious replay attacks. They concluded that, compared to Google and Apple’s framework, GAEN+ was able to effectively prevent false positives while maintaining user privacy.

The team introduced themselves her solution on July 12 at the annual meeting of the Symposium on Privacy Enhancing Technologies (PETS) conference, held this year in Sydney, Australia. Zhiqiang Lin

Lin said that while the team isn’t the first to find Google and Apple’s flaw, it is currently the first team to show the larger digital community how it can be used in a “low-cost, distributed way.” “Maybe they just thought it couldn’t have serious consequences,” he said. But overall, Lin describes her contact-tracing protocol change as “very minimal” for such a strong defense against potential attacks.

“Our enhancement protects privacy,” Arora said. Rather than relying on precise GPS data like other proposed fixes, GAEN+ uses raw location data from Wi-Fi access points and cell towers in a clever way that preserves anonymity, he said.

The team thanked Google for finding and fixing the vulnerability. To ensure GAEN+ is available to the public, the team put the source code for the fix on GitHub, a platform that hosts code online.

“When future developers design similar protocols, we make sure they have the opportunity to consider our recommendations,” Arora said. “Both companies have created a product that can do a lot of good in the world. We just want GAEN to be a lot harder to exploit.”

Other co-authors were Christopher Ellis and Haohuang Wen, both graduate students in computer science and engineering from Ohio State. This research was supported by the National Science Foundation.

Leave a Comment