A research team from the Technical University of Darmstadt, the University of Marburg and the University of Würzburg has demonstrated and confirmed vulnerabilities related to data protection and security of the Google and Apple specification for contact tracing apps under real-world conditions. The German contact tracing app developed by Deutsche Telekom and SAP on behalf of the German government is based on this approach. The Swiss and Italian contact tracing apps also use this tracing technology.
Through experiments in real-world scenarios, the research team showed that risks already known on a theoretical level can be exploited in real life using commonly used technical means. On the one hand, an external attacker can create detailed movement profiles of persons infected with COVID-19 and, under certain circumstances, identify them. On the other hand, an attacker can also manipulate the collected contact tracing information through so-called relay attacks, which can impair the accuracy and reliability of the entire contact tracing system.
Contact tracing apps on mobile devices promise the possibility of significantly reducing the manual effort needed to identify contact chains of infected persons and increasing the coverage of contact tracing. One of the most well-known suggestions for contact tracing comes from a collaboration of the companies Google and Apple. It is expected that the two US companies will integrate this new approach as a standard functionality into their respective mobile operating systems, Android and iOS. Some countries, including Germany, have already chosen this approach in their national contact tracing app projects.
The starting point for the experiments of the IT security experts from the three universities was a set of previously published reports on possible data protection and security risks of the so-called “Google Apple Protocol” (GAP). The research team tested whether the attacks described on a conceptual level could be carried out in practice. Their experiments showed that GAP is susceptible to user movement profiling and may therefore allow an attacker to de-anonymize infected persons. In addition, so-called relay or wormhole attacks are also possible in GAP, which means that attackers can generate incorrect contact tracing data and negatively impact the accuracy and correctness of the overall system.
The research team implemented the attacks using commercially available inexpensive tools such as Bluetooth sniffers (as an app on smartphones or on Raspberry Pis), which can also be used in mobile environments. Since the implementation of the GAP approach is not yet available to the broader scientific community, the research team constructed the attacks based on previously published specifications. The results show that with the help of strategically placed sensors in a certain area, the movements of infected persons, simulated by test subjects in their experiments, could be reconstructed in detail. It was possible to identify sensitive places the test subjects visited as well as possible social relationships between them.
GAP's vulnerability to so-called relay or wormhole attacks is a further weakness. This attack enables an attacker to collect the Bluetooth IDs generated by contact tracing apps and to pass them on to more distant locations without being noticed. Among other things, Bluetooth IDs were successfully transmitted between two cities 40 kilometres apart. This could allow an attacker to compromise the contact tracing system as a whole by falsely duplicating information about the presence of infected persons in many locations, which could result in a significant increase in false alarms about potential contacts with infected persons.
Overall, the research team sees an urgent need for improvement in the approach proposed by Google and Apple for contact tracing apps.
A detailed description of the experiments and their results can be found in the full study report.