"Google/Apple's Contact-Tracing Apps Susceptible to Digital Attacks"

Scientists and health officials have relied on COVID-19 contact-tracing technologies to help manage the virus's spread. However, the framework used by many of these mobile apps has a major flaw that attackers could exploit to increase false-positive notifications. Apps that use the Google/Apple Exposure Notification (GAEN) framework are widely available in many countries and run more efficiently in the background of the phone. Ohio State University researchers have discovered that these apps are vulnerable to geographically based replay attacks. These attacks occur when a third party captures a user's broadcast contact-tracing phone data in one area and abuses it by repeatedly transmitting it in another, far-away location. Replay attacks can be used to exploit electronic flaws in order to gain access to digital networks, harm mobile devices, or poison data sets with false information.

Hackers or nation-state actors could exploit an honest user by replaying that user's contact-tracing data anywhere in the world. For example, if someone with COVID-19 in Columbus had their contact-tracing beacon data captured by a third party, their information could be transmitted to one or more other cities thousands of miles away and rebroadcast to others nearby. If this person is found to be positive for COVID-19, someone who has not had any contact with an infected person may be notified. Attackers could therefore create digital superspreaders by initiating a process that shares clusters of false exposure beacons in various areas. Since the framework operates as a wireless protocol, anyone can inject fake exposures, and those false encounters could damage public trust in the system.

The researchers were able to come up with a patch for this flaw. They created a prototype called GAEN+, based on Google and Apple's original framework. After implementing it on an Android device, they ran the prototype through a series of experiments to test its defenses against malicious replay attacks. When compared to Google and Apple's framework, GAEN+ effectively prevents false positives while maintaining user privacy. This article continues to discuss the privacy flaw in Google/Apple's contact-tracing apps and the fix developed by the team to address it.

OSU reports "Google/Apple's Contact-Tracing Apps Susceptible to Digital Attacks"

Submitted by Anonymous on