Switzerland’s contact tracing app poses these risks
- Several countries want to use so-called contact tracing apps to contain the corona crisis
- These apps record contacts between people by means of their smartphones
- The DP3T solution from ETH and EPFL uses a decentralized approach in order to respect users’ security concerns
- This publication summarizes the remaining risks
The approaches used by DP3T are clearly intended to ensure maximum security and privacy for end users. The transparency practiced by the project is exemplary: both the documentation and an example implementation are available on GitHub. Various security-related procedures are used to make usage as safe and as anonymous as possible. They are applied sensibly and testify to a high level of awareness of the risks that must be addressed. Unlike many other frameworks and products, the focus is on the needs of the end user. The Swiss solution therefore has some advantages over products from other countries and manufacturers.
The main active risks of DP3T that were noted during the review of the documentation and source code are summarized below. The document Privacy and Security Attacks on Digital Proximity Tracking Systems, which was published by the project, addresses some additional attack options. References in parentheses in this text refer to that document.
Installing any additional software naturally increases the attack surface of an end device. A faulty implementation can allow attackers to misuse the application within its own context or even to break out of that context.
It is therefore important that the implementation undergoes a thorough security check (concept review, source code analysis, penetration test).
After a diagnosis, a person can, together with their doctor, declare themselves “infected” on their device. This information is sent to a central server. In addition, the app communicates with the server regularly to download the current infections.
Anyone who can read this communication, primarily network providers and server operators, may be tempted to make statistical evaluations of it (NR 1, NR 2). By evaluating metadata it is possible, for example, to identify contacts via IP address ranges and geolocation, and fingerprinting allows individual users to be tracked. The more data there is, the easier it becomes to discover identities and relationships. Here one simply has to trust that such an evaluation is not carried out.
DP3T is described as a decentralized approach because the storage and evaluation of contact relationships takes place exclusively on the end devices. Only IDs and infections are stored on the central server. This is the key advantage of the framework.
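To make the decentralized division of labour concrete, the following simulation is an added example and not code from the DP3T project. It is modelled on the low-cost design described in the DP3T documentation (a daily secret key rotated by hashing, ephemeral IDs derived from it, the key of the first contagious day uploaded after diagnosis, matching done on the phone), but the constants, the use of HMAC-SHA256 as PRF and a SHA-256 counter as PRG, and the class names are assumptions made for this example, not the project’s actual parameters. The point it shows is that the server only ever holds uploaded daily keys, while the list of heard IDs never leaves the device.

```python
import hashlib
import hmac
import secrets

# Constructed parameters (assumptions for this example, not DP3T's exact values):
# one ephemeral ID per 15-minute epoch, 16 bytes each.
EPHIDS_PER_DAY = 96
EPHID_LEN = 16


def next_day_key(sk_t: bytes) -> bytes:
    """Rotate the daily secret key: SK_{t+1} = H(SK_t). Knowing SK_t reveals later days, never earlier ones."""
    return hashlib.sha256(sk_t).digest()


def ephids_for_day(sk_t: bytes, n: int = EPHIDS_PER_DAY) -> list:
    """Derive the day's ephemeral IDs: PRF(SK_t, "broadcast key") expanded by a counter-mode PRG."""
    prf = hmac.new(sk_t, b"broadcast key", hashlib.sha256).digest()
    return [hashlib.sha256(prf + i.to_bytes(4, "big")).digest()[:EPHID_LEN] for i in range(n)]


class Server:
    """Central server: stores only the daily keys of reported infections, never any contact."""
    def __init__(self):
        self.published = []

    def publish(self, sk: bytes, first_day: int):
        self.published.append((sk, first_day))

    def download(self) -> list:
        return list(self.published)


class Phone:
    """End device: holds its own key chain and the IDs it heard; both stay local."""
    def __init__(self, name: str, start_day: int = 0):
        self.name = name
        self.keys = {start_day: secrets.token_bytes(32)}  # SK per day, generated on the device
        self.observed = []  # (day, ephid) heard over Bluetooth

    def key_for(self, day: int) -> bytes:
        while max(self.keys) < day:  # roll the chain forward as days pass
            d = max(self.keys)
            self.keys[d + 1] = next_day_key(self.keys[d])
        return self.keys[day]

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephids_for_day(self.key_for(day))[epoch]

    def hear(self, day: int, ephid: bytes):
        self.observed.append((day, ephid))

    def report_infected(self, server: Server, first_day: int):
        """Upload only the key of the first contagious day; later days can be re-derived from it."""
        server.publish(self.key_for(first_day), first_day)

    def check_exposure(self, server: Server, horizon_days: int = 14) -> set:
        """Download published keys, regenerate their EphIDs locally and match against what was heard."""
        exposed_days = set()
        for sk, first_day in server.download():
            sk_d = sk
            for d in range(first_day, first_day + horizon_days):
                ids = set(ephids_for_day(sk_d))
                exposed_days.update(day for day, e in self.observed if day == d and e in ids)
                sk_d = next_day_key(sk_d)
        return exposed_days


def simulate() -> dict:
    """Constructed scenario: alice and bob meet on day 2; carol only ever hears bob; alice later reports."""
    server = Server()
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    bob.hear(2, alice.broadcast(2, 10))
    alice.hear(2, bob.broadcast(2, 10))
    carol.hear(2, bob.broadcast(2, 11))
    alice.report_infected(server, first_day=1)
    return {
        "bob_exposed_days": sorted(bob.check_exposure(server)),
        "carol_exposed_days": sorted(carol.check_exposure(server)),
        "server_records": len(server.published),  # one key, no contact graph
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` reports an exposure on day 2 for bob and none for carol, while the server holds a single record, alice’s uploaded key. This is exactly the property the text calls the key advantage: the matching that reveals who met whom is computed on the device, and the server learns only that some key belongs to an infected person.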
The app requires Bluetooth LE to be activated. This too increases the attack surface of the device. Vulnerabilities like CVE-2020-0022 (Android), CVE-2020-9770 (iOS) and CVE-2019-9506 (various platforms) show that the topic is very current.
Bluetooth and its respective implementations can be expected to come into focus for different classes of attackers. An increase in vulnerability research and publications is to be expected, as are attacks and exploits in this area.
By general manipulation of the underlying Bluetooth communication, contacts can also be suppressed (jamming, GR 4) or forged (range extension, GR 1, GR 2).
Activating Bluetooth can make the device identifiable for other purposes (GR 5, GR 6). For example, targeted advertising can be implemented via proximity (proximity marketing). Users who want to counter this would have to forgo using the app, since it requires Bluetooth.
An attacker can create their own implementation of the smartphone app that logs every contact with another device separately (IR 1, GR 3). In addition, other identifying characteristics such as the time, the GPS position, the names of nearby access points, etc. can be recorded.
If a known device is later marked “infected”, the attacker’s own records make it easier to infer which device it was and where the contact took place.
Implementing such an attack requires considerable technical understanding and criminal energy. The evaluation possibilities also remain limited, since ultimately only users with whom a personal contact was established can be de-anonymized. Broad de-anonymization, especially of people outside one’s personal contacts, is not possible.
The introduction of decentralization addresses the security concerns of end users. At the same time, however, it restricts centralized evaluation.
The Federal Council or the BAG (Federal Office of Public Health) therefore cannot recognise trends in their geographic context. It is not possible to say precisely whether hot spots are developing in certain parts of Switzerland, which means a useful strategic tool is being given away.
The design and implementation of the framework do everything possible to minimize weaknesses and risks. The general description as a decentralized solution holds for the evaluation of personal contact relationships. However, a central database server is still used to provide end devices with the latest data on verified infections.
The general claim that the framework solves all security and privacy problems is naive. Certain residual risks remain. Whether, and to what extent, you want to use this app as a participant must therefore be left to your personal judgement.