Mind the GAP: Security & Privacy Risks of Contact Tracing Apps

TL;DR

This paper reveals significant security and privacy vulnerabilities in the Google/Apple Exposure Notification API, demonstrating real-world attacks that can de-anonymize users and generate fake contact events, impacting contact tracing accuracy.

Contribution

It provides empirical evidence of privacy and security flaws in the GAP design and introduces practical tools to exploit these vulnerabilities.

Findings

Vulnerable to profiling and de-anonymization of infected persons.

Susceptible to relay-based wormhole attacks creating fake contacts.

Tools for attack demonstration are easily deployable on common devices.

Abstract

Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy, the so-called "Google/Apple Proposal", which we abbreviate by "GAP". We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts with the potential of affecting the accuracy of an app-based contact tracing system. For both types of attack, we have built tools that can easily be used on mobile phones or Raspberry Pis (e.g., Bluetooth sniffers). The goal of our work is to perform a reality check towards possibly providing empirical real-world evidence for these two privacy and security risks. We hope that our findings provide valuable input for developing secure and privacy-preserving digital contact tracing systems.