%0 Journal Article %1 mindthegap %A Baumgärtner, Lars %A Dmitrienko, Alexandra %A Freisleben, Bernd %A Gruler, Alexander %A Höchst, Jonas %A Kühlberg, Joshua %A Mezini, Mira %A Mitev, Richard %A Miettinen, Markus %A Muhamedagic, Anel %A Nguyen, Thien Duc %A Penning, Alvar %A Pustelnik, Dermot Frederik %A Roos, Filipp %A Sadeghi, Ahmad-Reza %A Schwarz, Michael %A Uhl, Christian %D 2020 %J ArXiv | arXiv:2006.05914v2 %K TraceCORONA myown sss-group technical-reports %T Mind the GAP: Security & Privacy Risks of Contact Tracing Apps %U https://arxiv.org/abs/2006.05914 %X Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy, the so-called "Google/Apple Proposal", which we abbreviate by "GAP". We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts with the potential of affecting the accuracy of an app-based contact tracing system. For both types of attack, we have built tools that can easily be used on mobile phones or Raspberry Pis (e.g., Bluetooth sniffers). The goal of our work is to perform a reality check towards possibly providing empirical real-world evidence for these two privacy and security risks. We hope that our findings provide valuable input for developing secure and privacy-preserving digital contact tracing systems.

@article{mindthegap, abstract = {Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy, the so-called "Google/Apple Proposal", which we abbreviate by "GAP". We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts with the potential of affecting the accuracy of an app-based contact tracing system. For both types of attack, we have built tools that can easily be used on mobile phones or Raspberry Pis (e.g., Bluetooth sniffers). The goal of our work is to perform a reality check towards possibly providing empirical real-world evidence for these two privacy and security risks. We hope that our findings provide valuable input for developing secure and privacy-preserving digital contact tracing systems.}, added-at = {2020-06-16T11:54:37.000+0200}, archiveprefix = {arXiv}, author = {Baumgärtner, Lars and Dmitrienko, Alexandra and Freisleben, Bernd and Gruler, Alexander and Höchst, Jonas and Kühlberg, Joshua and Mezini, Mira and Mitev, Richard and Miettinen, Markus and Muhamedagic, Anel and Nguyen, Thien Duc and Penning, Alvar and Pustelnik, Dermot Frederik and Roos, Filipp and Sadeghi, Ahmad-Reza and Schwarz, Michael and Uhl, Christian}, biburl = {https://www.bibsonomy.org/bibtex/252e25ce624ae9cbc22610a710257c50f/sssgroup}, day = 11, eprint = {2006.05914}, interhash = {cce52af6121990fb940dc893ad77a23d}, intrahash = {52e25ce624ae9cbc22610a710257c50f}, journal = {ArXiv | arXiv:2006.05914v2}, keywords = {TraceCORONA myown sss-group technical-reports}, month = jun, primaryclass = {cs.CR}, timestamp = {2021-12-11T17:51:03.000+0100}, title = {Mind the GAP: Security & Privacy Risks of Contact Tracing Apps}, url = {https://arxiv.org/abs/2006.05914}, year = 2020 }