论文标题
注意差距:安全与隐私风险与跟踪应用程序的联系
Mind the GAP: Security & Privacy Risks of Contact Tracing Apps
论文作者
论文摘要
Google和Apple共同提供了用于接触通知的API,以便使用蓝牙低能(所谓的“ Google/Apple提案”)实施分散的合同跟踪应用程序,我们通过“ GAP”缩写了该应用程序。我们证明,在现实情况下,当前的差距设计容易受到(i)分析和可能被匿名化的感染者的攻击,并且(ii)基于中继的虫孔攻击基本上可以产生伪造的联系,具有影响基于应用程序的触点跟踪系统的准确性的潜力。对于两种类型的攻击,我们都构建了可以在手机或覆盆子PI(例如蓝牙嗅探器)上轻松使用的工具。我们工作的目的是进行现实检查,以提供可能为这两个隐私风险提供经验的现实证据。我们希望我们的发现为开发安全和隐私的数字联系跟踪系统提供宝贵的意见。
Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy, the so-called "Google/Apple Proposal", which we abbreviate by "GAP". We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts with the potential of affecting the accuracy of an app-based contact tracing system. For both types of attack, we have built tools that can easily be used on mobile phones or Raspberry Pis (e.g., Bluetooth sniffers). The goal of our work is to perform a reality check towards possibly providing empirical real-world evidence for these two privacy and security risks. We hope that our findings provide valuable input for developing secure and privacy-preserving digital contact tracing systems.
