Computer Security Laboratory Challenges in Digital Contact Tracing Zhiqiang Lin [email protected] 11/06/2020 THE OHIO STATE UNIVERSITY Introduction Challenges Discussion References COVID-19 Pandemic Source: https://coronavirus.jhu.edu/map.html 1 / 10 I Proximity Tracing (e.g., w/ Bluetooth Low Energy) Introduction Challenges Discussion References Contact Tracing Manual Contact Tracing I Limited Scalability I Potential Delays Digital Contact Tracing I Location Tracing I Continuous Coordinates-based Data (e.g., GPS) I Discrete Places-based Data (e.g., QR code check in) Source: https://www.aegis.com/contact-tracing-company/ 2 / 10 Introduction Challenges Discussion References Contact Tracing Manual Contact Tracing I Limited Scalability I Potential Delays Digital Contact Tracing I Location Tracing I Continuous Coordinates-based Data (e.g., GPS) I Discrete Places-based Data (e.g., QR code check in) Source: https://www.aegis.com/contact-tracing-company/ I Proximity Tracing (e.g., w/ Bluetooth Low Energy) 2 / 10 2 Phone broadcasts temp ID 3 Apps exchange temp IDs 4 App stores contact event locally Introduction Challenges Discussion References How Does BLE-based Contact Tracing Work? Workflow 1 App generates temp ID 3 / 10 3 Apps exchange temp IDs 4 App stores contact event locally Introduction Challenges Discussion References How Does BLE-based Contact Tracing Work? The Workflow 1 App generates temp ID 2 Phone broadcasts temp ID 3 / 10 4 App stores contact event locally Introduction Challenges Discussion References How Does BLE-based Contact Tracing Work? The Workflow 1 App generates temp ID 2 Phone broadcasts temp ID 3 Apps exchange temp IDs, ... 3 / 10 Introduction Challenges Discussion References How Does BLE-based Contact Tracing Work? The Workflow 1 App generates temp ID 2 Phone broadcasts temp ID 3 Apps exchange temp IDs, ... 4 App stores contact event locally 3 / 10 I. Centralized System I Infected user uploads contact events I Server notifies users with high infection risk Protocol BlueTrace [blua] PEPP-PT [HOM] Introduction Challenges Discussion References Notification Mechanisms of BLE-based Contact Tracing 4 / 10 I Server notifies users with high infection risk Protocol BlueTrace [blua] PEPP-PT [HOM] Introduction Challenges Discussion References Notification Mechanisms of BLE-based Contact Tracing I. Centralized System I Infected user uploads contact events 4 / 10 Protocol BlueTrace [blua] PEPP-PT [HOM] Introduction Challenges Discussion References Notification Mechanisms of BLE-based Contact Tracing I. Centralized System I Infected user uploads contact events I Server notifies users with high infection risk 4 / 10 Introduction Challenges Discussion References Notification Mechanisms of BLE-based Contact Tracing I. Centralized System I Infected user uploads contact events I Server notifies users with high infection risk Protocol BlueTrace [blua] PEPP-PT [HOM] 4 / 10 I All users downloads contact events of infected user periodically I Each user calculates own infection risk Protocol DP3T [TPH+20], TCN [NPL+] Apple&Google [App] Introduction Challenges Discussion References Notification Mechanisms of BLE-based Contact Tracing II. Decentralized System I Infected user uploads contact events 4 / 10 I Each user calculates own infection risk Protocol DP3T [TPH+20], TCN [NPL+] Apple&Google [App] Introduction Challenges Discussion References Notification Mechanisms of BLE-based Contact Tracing II. Decentralized System I Infected user uploads contact events I All users downloads contact events of infected user periodically 4 / 10 Protocol DP3T [TPH+20], TCN [NPL+] Apple&Google [App] Introduction Challenges Discussion References Notification Mechanisms of BLE-based Contact Tracing II. Decentralized System I Infected user uploads contact events I All users downloads contact events of infected user periodically I Each user calculates own infection risk 4 / 10 Introduction Challenges Discussion References Notification Mechanisms of BLE-based Contact Tracing II. Decentralized System I Infected user uploads contact events I All users downloads contact events of infected user periodically I Each user calculates own infection risk Protocol DP3T [TPH+20], TCN [NPL+] Apple&Google [App] 4 / 10 Introduction Challenges Discussion References Challenges in BLE-based Contact Tracing Apps Privacy: Sensitive Data Leakage Accuracy: Unreliable RSSI I BLE Technique I Internal Affecting Factors I Tracking BLE Devices I Hardware Specifications I Fingerprinting Apps I Software Configurations I Contact Tracing System I External Affecting Factors I User Identity I Invisible Radio Waves I Sensitive Data Collection I Visible Physical Obstacles 5 / 10 Introduction Challenges Discussion References Challenges in BLE-basedfile:///Users/mac/Dropbox/BLE_HeatMap2_downtown_new Contact Tracing Apps 5/15/2019 Privacy: Sensitive Data Leakage I BLE Technique I Tracking BLE Devices I Fingerprinting Apps I Contact Tracing System I User Identity.html I Sensitive Data Collection Locating BLE devices with Fingerprinted Apps [ZWLZ19] Google Maps - pygmaps 5 / 10 Map data ©2019 Google ©2019 Map data Repor t a maperr t or 1 / 1 Introduction Challenges Discussion References Challenges in BLE-based Contact Tracing Apps Privacy: Sensitive Data Leakage Leakage I BLE Technique I Tracking BLE Devices I Fingerprinting Apps I Contact Tracing System I User Identity I Sensitive Data Collection BLE contact tracing sniffer PoC [ose] 5 / 10 Introduction Challenges Discussion References Challenges in BLE-based Contact Tracing Apps Accuracy: Unreliable RSSI I Internal Affecting Factors I Hardware Specifications I Software Configurations I External Affecting Factors I Invisible Radio Waves I Visible Physical Obstacles Source: Why to use Bluetooth for contact tracing? [Sei] 5 / 10 Introduction Challenges Discussion References Challenges in BLE-based Contact Tracing Apps Accuracy: Unreliable RSSI I Internal Affecting Factors I Hardware Specifications I Software Configurations I External Affecting Factors I Invisible Radio Waves I Visible Physical Obstacles Source: Opentrace Calibration [ope] 5 / 10 Introduction Challenges Discussion References Challenges in BLE-based Contact Tracing Apps Accuracy: Unreliable RSSI I Internal Affecting Factors I Hardware Specifications I Software Configurations I External Affecting Factors I Invisible Radio Waves I Visible Physical Obstacles Source: Opentrace Calibration [ope] 5 / 10 Introduction Challenges Discussion References Challenges in BLE-based Contact Tracing Apps 1 . 2 AdvertiseSettings$Builder v0 = new AdvertiseSettings$Builder() .setAdvertiseMode(1) .setConnectable(false) .setTxPowerLevel(3).build(); Accuracy: Unreliable RSSI 3 AdvertiseData$Builder v1 = new AdvertiseData$Builder() .addServiceUuid(GUUID) .addServiceData(DATAUUID, DATA) I Internal Affecting Factors .build(); 4 . I Hardware Specifications 5 static double calculateDistance(int rssi) { 6 if(rssi != 0) { I Software Configurations 7 double v0 = (((double)rssi)) * 1 / -69; 8 if(v0 < 1) { 9 return Math.pow(v0, 10); I External Affecting Factors 10 } 11 return Math.min( I Invisible Radio Waves Math.pow(v0, 7.7095) * 0.89976 + 0.111, 20); I Visible Physical Obstacles 12 } 13 return 0; 14 } 15 . 5 / 10 Introduction Challenges Discussion References Challenges in BLE-based Contact Tracing Apps Accuracy: Unreliable RSSI I Internal Affecting Factors I Hardware Specifications I Software Configurations I External Affecting Factors I Invisible Radio Waves I Visible Physical Obstacles Source: Swarun Kumar's Presentation in imPACT 2020 [imP] 5 / 10 Introduction Challenges Discussion References Our Measurement Study: COVID-19 Mobile App Collection Figure: Distribution of 41 contact tracing apps as of June 15, 2020. 6 / 10 Introduction Challenges Discussion References Our Findings: 20 BLE-based Contact Tracing Apps Findings App Country C1 C2 C3 C4 P1 P2 F1 F2 COVIDSafe Australia 0 4 0 3 4 7 4 Static 10 apps broadcast static UUIDs that enable app Stop Corona Austria 0 4 - 3 7 4 7 Dynamic I BeAware Bahrain 0 4 -/- 2 - 7 4 Dynamic fingerprinting [ZWLZ19][CC19]. CoronApp Colombia 0 4 0/1 3 4 7 4 Static eRouska Czech 0 7 0/0 2 7 7 7 Static I Two apps store fixed user identifiers in their Aarogya Setu India 0 4 1/0 0 7 7 7 Static readable characteristics, which allows tracking of StopKorona North Macedonia 0 7 -/1 3 7 4 7 Static MyTrace Malaysia 0 4 1 1 7 7 7 Dynamic a specific user CovidRadar Mexico 0 4 -/0 0 7 7 7 Dynamic Contact tracing apps often collect other device Smittestopp Norway 0 4 0 2 7 7 7 Static I ProteGO Poland 0 4 -/1 2 7 7 7 Dynamic information (e.g., system version, and phone Ehteraz Qatar 0 7 0/0 2 7 7 7 Dynamic model), possibly for increasing the estimation Trace Together Singapore 0 4 0/1 3 7 7 7 Static + MorChana Thailand 0 4 - 2 7 4 7 Static precision [Blub][ZWL 20] Hayat Eve Sigar Turkey 0 4 0 1 7 7 7 Static NHS COVID-19 App UK 0 4 1/1 2 7 7 7 Static 7 / 10 Introduction Challenges Discussion References Our Findings: 20 BLE-based Contact Tracing Apps Findings App Country C1 C2 C3 C4 P1 P2 F1 F2 COVIDSafe Australia 0 4 0 3 4 7 4 Static 10 apps broadcast static UUIDs that enable app Stop Corona Austria 0 4 - 3 7 4 7 Dynamic I BeAware Bahrain 0 4 -/- 2 - 7 4 Dynamic fingerprinting [ZWLZ19][CC19]. CoronApp Colombia 0 4 0/1 3 4 7 4 Static eRouska Czech 0 7 0/0 2 7 7 7 Static I Two apps store fixed user identifiers in their Aarogya Setu India 0 4 1/0 0 7 7 7 Static readable characteristics, which allows tracking of StopKorona North Macedonia 0 7 -/1 3 7 4 7 Static MyTrace Malaysia 0 4 1 1 7 7 7 Dynamic a specific user CovidRadar Mexico 0 4 -/0 0 7 7 7 Dynamic Contact tracing apps often collect other device Smittestopp Norway 0 4 0 2 7 7 7 Static I ProteGO Poland 0 4 -/1 2 7 7 7 Dynamic information (e.g., system version, and phone Ehteraz Qatar 0 7 0/0 2 7 7 7 Dynamic model), possibly for increasing the estimation Trace Together Singapore 0 4 0/1 3 7 7 7 Static + MorChana Thailand 0 4 - 2 7 4 7 Static precision [Blub][ZWL 20] Hayat Eve Sigar Turkey 0 4 0 1 7 7 7 Static NHS COVID-19 App UK 0 4 1/1 2 7 7 7 Static 7 / 10 Introduction Challenges Discussion References Our Findings: 20 BLE-based Contact Tracing Apps App Name Type UUID Semantics S Random Monitoring Service COVIDSafe C B82AB3FC..