Smartphones in a Microwave: Formal and Experimental Feasibility Study on Fingerprinting the Corona-Warn-App

TL;DR

This study investigates the privacy vulnerabilities of COVID-19 contact tracing apps, revealing that device-specific Bluetooth broadcast timing can be exploited to fingerprint and potentially re-identify users, posing privacy risks.

Contribution

The paper provides the first formal and experimental analysis demonstrating that Bluetooth broadcast timing differences can be used to fingerprint smartphones in contact tracing apps.

Findings

Device-specific Bluetooth broadcast latency observed in CWA

Timing differences enable passive fingerprinting of smartphones

Potential privacy risks include user re-identification

Abstract

Contact Tracing Apps (CTAs) have been developed to contain the coronavirus disease 19 (COVID-19) spread. By design, such apps invade their users' privacy by recording data about their health, contacts, and partially location. Many CTAs frequently broadcast pseudorandom numbers via Bluetooth to detect encounters. These numbers are changed regularly to prevent individual smartphones from being trivially trackable. However, the effectiveness of this procedure has been little studied. We measured real smartphones and observed that the German Corona-Warn-App (CWA) exhibits a device-specific latency between two subsequent broadcasts. These timing differences provide a potential attack vector for fingerprinting smartphones by passively recording Bluetooth messages. This could conceivably lead to the tracking of users' trajectories and, ultimately, the re-identification of users.