Smartphones in a Microwave: Formal and Experimental Feasibility Study on Fingerprinting the Corona-Warn-App
ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security
Article No.: 151, Pages 1 - 7
Abstract
Contact Tracing Apps (CTAs) have been developed to contain the coronavirus disease 19 (COVID-19) spread. By design, such apps invade their users’ privacy by recording data about their health, contacts, and—partially—location. Many CTAs frequently broadcast pseudorandom numbers via Bluetooth to detect encounters. These numbers are changed regularly to prevent individual smartphones from being trivially trackable. However, the effectiveness of this procedure has been little studied.
We measured real smartphones and observed that the German Corona-Warn-App (CWA) exhibits a device-specific latency between two subsequent broadcasts. These timing differences provide a potential attack vector for fingerprinting smartphones by passively recording Bluetooth messages. This could conceivably lead to the tracking of users’ trajectories and, ultimately, the re-identification of users.
References
[1]
2020. Exposure notifications: Helping fight covid-19. https://google.com/covid19/exposurenotifications/
[2]
2020. Open-Source Project Corona-Warn-App. https://coronawarn.app/en/
[3]
Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. 2014. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 674–689. https://doi.org/10.1145/2660267.2660347
[4]
Florian Adamsky, Tatiana Retunskaia, Stefan Schiffner, Christian Köbel, and Thomas Engel. 2018. Poster: WLAN Device Fingerprinting Using Channel State Information (CSI). In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks (Stockholm, Sweden) (WiSec ’18). ACM, New York, NY, USA, 277–278. https://doi.org/10.1145/3212480.3226099
[5]
Apple and Google. 2020. Exposure Notification – Bluetooth Specification. https://blog.google/documents/70/Exposure_Notification_-_Bluetooth_Specification_v1.2.2.pdf/
[6]
Bluetooth Special Interest Group. 2021. Bluetooth Core Specification v5.3. https://www.bluetooth.com/specifications/specs/core-specification-5-3/
[7]
Yinzhi Cao, Song Li, and Erik Wijmans. 2017. (Cross-)Browser Fingerprinting via OS and Hardware Level Features. In Proceedings of the Network and Distributed System Security Symposium (NDSS) 2017. https://doi.org/10.14722/ndss.2017.23152
[8]
Guillaume Celosia and Mathieu Cunche. 2019. Fingerprinting bluetooth-low-energy devices based on the generic attribute profile. In Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things. 24–31.
[9]
Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. 2003. Towards measuring anonymity. In Privacy Enhancing Technologies. Springer Berlin Heidelberg, 54–68. https://doi.org/10.1007/3-540-36467-6_5
[10]
Peter Eckersley. 2010. How Unique Is Your Web Browser?. In Proceedings of the 10th Privacy Enhancing Technologies Symposium (PETS 2010) (Berlin, Heidelberg). Springer Berlin Heidelberg, 1–18. https://doi.org/10.1007/978-3-642-14527-8_1
[11]
European Union. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/eli/reg/2016/679/oj
[12]
Sergey Frolov and Eric Wustrow. 2019. The use of TLS in Censorship Circumvention. In Proceedings 2019 Network and Distributed System Security Symposium (NDSS). Internet Society. https://doi.org/10.14722/ndss.2019.23511
[13]
Xi He, Eric HY Lau, Peng Wu, Xilong Deng, Jian Wang, Xinxin Hao, Yiu Chung Lau, Jessica Y Wong, Yujuan Guan, Xinghua Tan, 2020. Temporal dynamics in viral shedding and transmissibility of COVID-19. Nature medicine 26, 5 (2020), 672–675. https://doi.org/10.1038/s41591-020-0869-5
[14]
Jingyu Hua, Mr Hongyi Sun, Mr Zhenyu Shen, Zhiyun Qian, and Dr Sheng Zhong. 2018. Accurate and Efficient Wireless Device Fingerprinting Using Channel State Information. In Proceedings of the IEEE International Conference on Computer Communications (INFOCOM). 9.
[15]
Jun Huang, Wahhab Albazrqaoe, and Guoliang Xing. 2014. BlueID: A practical system for Bluetooth device identification. In IEEE INFOCOM 2014-IEEE Conference on Computer Communications. IEEE, 2849–2857.
[16]
Martin Husák, Milan Čermák, Tomáš Jirsík, and Pavel Čeleda. 2016. HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting. 2016, 1 (2016), 6. https://doi.org/10.1186/s13635-016-0030-7
[17]
Suman Jana and Sneha Kumar Kasera. 2009. On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews. In Proceedings of the 14th ACM international conference on Mobile computing and networking. 104–115. https://doi.org/10.1109/TMC.2009.145
[18]
Tadayoshi Kohno, Andre Broido, and Kimberly C Claffy. 2005. Remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing 2, 2 (2005), 93–108. https://doi.org/10.1109/TDSC.2005.26
[19]
Pierre Laperdrix, Nataliia Bielova, Benoit Baudry, and Gildas Avoine. 2019. Browser Fingerprinting: A survey. (2019). arxiv:1905.01051http://arxiv.org/abs/1905.01051
[20]
Jonathan R Mayer. 2009. “Any person... a pamphleteer:” Internet Anonymity in the Age of Web 2.0. Bachelor Thesis.
[21]
Keaton Mowery and Hovav Shacham. 2012. Pixel Perfect: Fingerprinting Canvas in HTML5. In Proceedings of W2SP 2012. 12.
[22]
Andreas Pfitzmann and Marit Hansen. 2010. A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management.
[23]
Alexandra Prodan, Strahil Birov, Viktor von Wyl, and Wolfgang Ebbers. 2022. Digital Contact Tracing Study — Study on lessons learned, best practices and epidemiological impact of the common European approach on digital contact tracing to combat and exit the COVID-19 pandemic. European Commission.
[24]
Yoke Leen Sit. 2017. MIMO OFDM Radar-Communication System with Mutual Interference Cancellation. KIT Scientific Publishing.
[25]
Maria D Van Kerkhove, Michael J Ryan, and Tedros Adhanom Ghebreyesus. 2021. Preparing for “Disease X”. Science 374, 6566 (2021), 377.
[26]
Diwen Xue, Reethika Ramesh, Arham Jain, Michalis Kallitsis, J. Alex Halderman, Jedidiah R. Crandall, and Roya Ensafi. 2022. OpenVPN is Open to VPN Fingerprinting. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 483–500.
Index Terms
- Smartphones in a Microwave: Formal and Experimental Feasibility Study on Fingerprinting the Corona-Warn-App
Recommendations
Corona-warn-app: tracing the start of the official COVID-19 exposure notification app for germany
SIGCOMM '20: Proceedings of the SIGCOMM '20 Poster and Demo SessionsOn June 16, 2020, Germany launched an open-source smartphone contact tracing app ("Corona-Warn-App") to help tracing SARS-CoV-2 (coronavirus) infection chains. It uses a decentralized, privacy-preserving design based on the Exposure Notification APIs in ...
Towards Pseudonymous e-Commerce
The lack of privacy is one of the main reasons that limits trust in e-commerce. Current e-commerce practice enforces a customer to disclose her identity to the e-shop and the use of credit cards makes it straightforward for an e-shop to know the real ...
An algorithm for k-anonymity-based fingerprinting
IWDW'11: Proceedings of the 10th international conference on Digital-Forensics and WatermarkingThe anonymization of sensitive microdata (e.g. medical health records) is a widely-studied topic in the research community. A still unsolved problem is the limited informative value of anonymized microdata that often rules out further processing (e.g. ...
Comments
Information & Contributors
Information
Published In
August 2023
1440 pages
ISBN:9798400707728
DOI:10.1145/3600160
Copyright © 2023 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 29 August 2023
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Conference
ARES 2023
ARES 2023: The 18th International Conference on Availability, Reliability and Security
August 29 - September 1, 2023
Benevento, Italy
Acceptance Rates
Overall Acceptance Rate 228 of 451 submissions, 51%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 26Total Downloads
- Downloads (Last 12 months)24
- Downloads (Last 6 weeks)1
Reflects downloads up to 22 Sep 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign inFull Access
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML Format