
Smartphones in a Microwave: Formal and Experimental Feasibility Study on Fingerprinting the Corona-Warn-App

Published 6 Jul 2023 in cs.CR and cs.SI | (2307.02931v1)

Abstract: Contact Tracing Apps (CTAs) have been developed to contain the coronavirus disease 19 (COVID-19) spread. By design, such apps invade their users' privacy by recording data about their health, contacts, and partially location. Many CTAs frequently broadcast pseudorandom numbers via Bluetooth to detect encounters. These numbers are changed regularly to prevent individual smartphones from being trivially trackable. However, the effectiveness of this procedure has been little studied. We measured real smartphones and observed that the German Corona-Warn-App (CWA) exhibits a device-specific latency between two subsequent broadcasts. These timing differences provide a potential attack vector for fingerprinting smartphones by passively recording Bluetooth messages. This could conceivably lead to the tracking of users' trajectories and, ultimately, the re-identification of users.

