In brief

  • A privacy exploit was discovered in apps using the Google/Apple COVID-19 tracing framework.
  • The attack can be used to “continuously trace” users via their smartphones.
  • The Google/Apple framework is proprietary and closed-source.

In April, tech giants Apple and Google teamed up to put their considerable combined resources toward developing a COVID-19 tracing solution. For those who opt in, the solution automatically uses people’s own smartphones to keep tabs on their proximity to other phones and alerts users if someone they were near has a confirmed diagnosis.

However, an exploit has been discovered in the closed-source project that might stoke fears about Apple and Google phones automatically tracking a person’s proximity to others on a constant basis.

Serge Vaudenay (EPFL) and Martin Vuagnoux (base23) posted a video to Vimeo this week (via Hackaday) that demonstrates the exploit. They discovered it in Switzerland’s SwissCovid tracing app, which is based on the code provided by the Apple/Google framework.

The “Little Thumb” attack is named after the classic French story (similar to Hansel and Gretel), in which a boy leaves pebbles to mark his trail. That’s because the creators of the video discovered that the Bluetooth LE-based system leaves what they call little pebbles of data, which can be used to trace someone’s movements and potentially identify them.

Essentially, they found Bluetooth LE’s numeric address and the framework’s own rolling proximity ID do not necessarily update at the same time, leaving little windows in which the Bluetooth address corresponds with the old ID—a pebble to trace. They were able to eavesdrop on messages from up to 50 meters using a “cheap and basic antenna,” they wrote.

“This is real, passive Bluetooth capture of SwissCovid. An adversary is able to correlate the previous and new BR_ADDR and RPI thanks to the ‘pebble’ message in the middle,” reads the text in the video. “Thus, the adversary can continuously trace the user of the SwissCovid app. This should not happen for more than 15 minutes.”
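The desynchronized rotation described above can be checked for in a capture of one's own test device. The following is an added example, not code from the article or the researchers; the `Frame` record, the `audit_rotation` helper and the sample addresses and IDs are constructed for illustration.

```python
from collections import namedtuple

# One captured advertisement from a device under test: capture time in
# seconds, the BLE address it was sent from, and the RPI it carried.
Frame = namedtuple("Frame", "t addr rpi")

def audit_rotation(frames):
    """Return (frame, reason) for every frame that mixes an old identifier
    with a new one. With synchronized rotation the list is empty, because
    address and RPI change together in the same frame."""
    rpi_of_addr, addr_of_rpi = {}, {}
    findings = []
    for f in sorted(frames, key=lambda fr: fr.t):
        seen_rpi = rpi_of_addr.get(f.addr)
        seen_addr = addr_of_rpi.get(f.rpi)
        if seen_rpi is not None and seen_rpi != f.rpi:
            findings.append((f, "address carried over to a new RPI"))
        elif seen_addr is not None and seen_addr != f.addr:
            findings.append((f, "RPI carried over to a new address"))
        else:
            # Only consistent pairs are recorded, so the clean pair that
            # follows a transitional frame is not flagged as well.
            rpi_of_addr[f.addr] = f.rpi
            addr_of_rpi[f.rpi] = f.addr
    return findings

# Constructed sample captures (not real device data).
SYNCED = [
    Frame(0.0, "4a:00:00:00:00:01", "rpi-aaaa"),
    Frame(0.3, "4a:00:00:00:00:01", "rpi-aaaa"),
    Frame(0.6, "6b:00:00:00:00:02", "rpi-bbbb"),  # both rotate together
]
DESYNCED = [
    Frame(0.0, "4a:00:00:00:00:01", "rpi-aaaa"),
    Frame(0.3, "6b:00:00:00:00:02", "rpi-aaaa"),  # address rotated, RPI did not
    Frame(0.6, "6b:00:00:00:00:02", "rpi-bbbb"),
]

if __name__ == "__main__":
    for name, capture in (("synced", SYNCED), ("desynced", DESYNCED)):
        findings = audit_rotation(capture)
        print(name, "->", len(findings), "transitional frame(s)")
        for frame, reason in findings:
            print(f"  t={frame.t}s {frame.addr} {frame.rpi}: {reason}")
```

A non-empty result means the device emitted at least one frame that ties its identifiers together across a rotation, which is the condition the researchers call a pebble.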

While they first discovered the issue in the SwissCovid app, they confirmed the exploit worked across other apps built using the Apple/Google framework: Italy’s Immuni, Germany’s Corona-Warn, and Austria’s Stopp Corona. With SwissCovid, the attack worked on five out of the eight compatible phones they tested.

The SwissCovid app is open-source, but the Google Apple Exposure Notification (GAEN) framework behind it and many other such apps is closed-source—and there’s no way for outsiders to patch it. The video notes that although Apple and Google released an unfinished snippet of code for the framework, it is not a truly open-source project, which means the community cannot audit the code and address potential concerns like these.

Some developers have tried to use blockchain to secure COVID-19 symptom tracing and tracking apps. There have been smaller-scale apps made to try and help users, such as CoronaTracker, and California lawmakers have proposed a statewide blockchain-driven tracing system.

However, both the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have come out against a blockchain-based system, citing potential privacy issues. “In short, this bill is a blockchain solution in search of a problem, and COVID-19 is a problem that will not be so easily solved,” said EFF senior staff attorney Adam Schwartz in August.