ABSTRACT
Contact Tracing Apps (CTAs) have been developed to contain the coronavirus disease 19 (COVID-19) spread. By design, such apps invade their users’ privacy by recording data about their health, contacts, and—partially—location. Many CTAs frequently broadcast pseudorandom numbers via Bluetooth to detect encounters. These numbers are changed regularly to prevent individual smartphones from being trivially trackable. However, the effectiveness of this procedure has been little studied.
We measured real smartphones and observed that the German Corona-Warn-App (CWA) exhibits a device-specific latency between two subsequent broadcasts. These timing differences provide a potential attack vector for fingerprinting smartphones by passively recording Bluetooth messages. This could conceivably lead to the tracking of users’ trajectories and, ultimately, the re-identification of users.
- 2020. Exposure notifications: Helping fight covid-19. https://google.com/covid19/exposurenotifications/Google Scholar
- 2020. Open-Source Project Corona-Warn-App. https://coronawarn.app/en/Google Scholar
- Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. 2014. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 674–689. https://doi.org/10.1145/2660267.2660347Google ScholarDigital Library
- Florian Adamsky, Tatiana Retunskaia, Stefan Schiffner, Christian Köbel, and Thomas Engel. 2018. Poster: WLAN Device Fingerprinting Using Channel State Information (CSI). In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks (Stockholm, Sweden) (WiSec ’18). ACM, New York, NY, USA, 277–278. https://doi.org/10.1145/3212480.3226099Google ScholarDigital Library
- Apple and Google. 2020. Exposure Notification – Bluetooth Specification. https://blog.google/documents/70/Exposure_Notification_-_Bluetooth_Specification_v1.2.2.pdf/Google Scholar
- Bluetooth Special Interest Group. 2021. Bluetooth Core Specification v5.3. https://www.bluetooth.com/specifications/specs/core-specification-5-3/Google Scholar
- Yinzhi Cao, Song Li, and Erik Wijmans. 2017. (Cross-)Browser Fingerprinting via OS and Hardware Level Features. In Proceedings of the Network and Distributed System Security Symposium (NDSS) 2017. https://doi.org/10.14722/ndss.2017.23152Google ScholarCross Ref
- Guillaume Celosia and Mathieu Cunche. 2019. Fingerprinting bluetooth-low-energy devices based on the generic attribute profile. In Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things. 24–31.Google ScholarDigital Library
- Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. 2003. Towards measuring anonymity. In Privacy Enhancing Technologies. Springer Berlin Heidelberg, 54–68. https://doi.org/10.1007/3-540-36467-6_5Google ScholarCross Ref
- Peter Eckersley. 2010. How Unique Is Your Web Browser?. In Proceedings of the 10th Privacy Enhancing Technologies Symposium (PETS 2010) (Berlin, Heidelberg). Springer Berlin Heidelberg, 1–18. https://doi.org/10.1007/978-3-642-14527-8_1Google ScholarCross Ref
- European Union. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/eli/reg/2016/679/ojGoogle Scholar
- Sergey Frolov and Eric Wustrow. 2019. The use of TLS in Censorship Circumvention. In Proceedings 2019 Network and Distributed System Security Symposium (NDSS). Internet Society. https://doi.org/10.14722/ndss.2019.23511Google ScholarCross Ref
- Xi He, Eric HY Lau, Peng Wu, Xilong Deng, Jian Wang, Xinxin Hao, Yiu Chung Lau, Jessica Y Wong, Yujuan Guan, Xinghua Tan, 2020. Temporal dynamics in viral shedding and transmissibility of COVID-19. Nature medicine 26, 5 (2020), 672–675. https://doi.org/10.1038/s41591-020-0869-5Google ScholarCross Ref
- Jingyu Hua, Mr Hongyi Sun, Mr Zhenyu Shen, Zhiyun Qian, and Dr Sheng Zhong. 2018. Accurate and Efficient Wireless Device Fingerprinting Using Channel State Information. In Proceedings of the IEEE International Conference on Computer Communications (INFOCOM). 9.Google ScholarDigital Library
- Jun Huang, Wahhab Albazrqaoe, and Guoliang Xing. 2014. BlueID: A practical system for Bluetooth device identification. In IEEE INFOCOM 2014-IEEE Conference on Computer Communications. IEEE, 2849–2857.Google ScholarCross Ref
- Martin Husák, Milan Čermák, Tomáš Jirsík, and Pavel Čeleda. 2016. HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting. 2016, 1 (2016), 6. https://doi.org/10.1186/s13635-016-0030-7Google ScholarDigital Library
- Suman Jana and Sneha Kumar Kasera. 2009. On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews. In Proceedings of the 14th ACM international conference on Mobile computing and networking. 104–115. https://doi.org/10.1109/TMC.2009.145Google ScholarDigital Library
- Tadayoshi Kohno, Andre Broido, and Kimberly C Claffy. 2005. Remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing 2, 2 (2005), 93–108. https://doi.org/10.1109/TDSC.2005.26Google ScholarDigital Library
- Pierre Laperdrix, Nataliia Bielova, Benoit Baudry, and Gildas Avoine. 2019. Browser Fingerprinting: A survey. (2019). arxiv:1905.01051http://arxiv.org/abs/1905.01051Google Scholar
- Jonathan R Mayer. 2009. “Any person... a pamphleteer:” Internet Anonymity in the Age of Web 2.0. Bachelor Thesis.Google Scholar
- Keaton Mowery and Hovav Shacham. 2012. Pixel Perfect: Fingerprinting Canvas in HTML5. In Proceedings of W2SP 2012. 12.Google Scholar
- Andreas Pfitzmann and Marit Hansen. 2010. A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management.Google Scholar
- Alexandra Prodan, Strahil Birov, Viktor von Wyl, and Wolfgang Ebbers. 2022. Digital Contact Tracing Study — Study on lessons learned, best practices and epidemiological impact of the common European approach on digital contact tracing to combat and exit the COVID-19 pandemic. European Commission.Google Scholar
- Yoke Leen Sit. 2017. MIMO OFDM Radar-Communication System with Mutual Interference Cancellation. KIT Scientific Publishing.Google Scholar
- Maria D Van Kerkhove, Michael J Ryan, and Tedros Adhanom Ghebreyesus. 2021. Preparing for “Disease X”. Science 374, 6566 (2021), 377.Google Scholar
- Diwen Xue, Reethika Ramesh, Arham Jain, Michalis Kallitsis, J. Alex Halderman, Jedidiah R. Crandall, and Roya Ensafi. 2022. OpenVPN is Open to VPN Fingerprinting. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 483–500.Google Scholar
Index Terms
- Smartphones in a Microwave: Formal and Experimental Feasibility Study on Fingerprinting the Corona-Warn-App
Recommendations
Towards Pseudonymous e-Commerce
The lack of privacy is one of the main reasons that limits trust in e-commerce. Current e-commerce practice enforces a customer to disclose her identity to the e-shop and the use of credit cards makes it straightforward for an e-shop to know the real ...
An algorithm for k-anonymity-based fingerprinting
IWDW'11: Proceedings of the 10th international conference on Digital-Forensics and WatermarkingThe anonymization of sensitive microdata (e.g. medical health records) is a widely-studied topic in the research community. A still unsolved problem is the limited informative value of anonymized microdata that often rules out further processing (e.g. ...
Towards detecting device fingerprinting on iOS with API function hooking
EICC '23: Proceedings of the 2023 European Interdisciplinary Cybersecurity ConferenceDevice fingerprinting is a technique that got popular at the end of the 90s by websites, to identify and track users. One of the biggest drivers behind such practices are advertising companies to identify users interests to personalize ads. From a user’...
Comments