COLUMBUS, Ohio (WCMH) – Researchers at Ohio State University said Thursday they’ve found a “major flaw” in smartphone apps used to alert people if they’ve been exposed to COVID-19, but there is a fix.
Ohio itself does not have its own contact tracing app, but several countries and nearly half of the United States have chosen to make the apps available to their residents and Ohioans who find themselves. go there. Downloadable from the Apple Store and Google Play, they are all based on the teamwork of the two software behemoths. The namesake duo co-created the Google/Apple Exposure Notification Framework, which forms an international network of phones to help determine if someone has been exposed to a positive case of COVID-19.
However, while GAEN runs in the background of a smartphone and broadcasts contract tracking phone data, it also attracts the attention of hackers, according to OSU researchers. In a study the team presented on July 12 at a privacy technology conference in Australia, they proved that hackers could create fake “digital superspreaders” from a COVID-19 test. positive.
“Hackers or nation-state actors could potentially take advantage of an honest user and replay their contact tracing data anywhere in the world,” said study co-author Anish Arora. . “Because the framework operates as a wireless protocol, anyone can inject some sort of false exposure, and these false encounters could disrupt public trust in the system.”
The hacking process – known as a replay attack – involves a hacker entering someone’s contact tracing data on their phone, copying it, and then repeatedly transmitting it to another location. It would only take the data of a single positive COVID-19 test to be replayed multiple times across multiple cities for false mass exposure, which means people would have to miss work, according to the OSU study. cancel daily activities or even vacations.
An OSU spokeswoman gave a local example:
“If someone in Columbus with COVID-19 were to have their contact tracing beacon data captured by a third party, their information could be transmitted to one or more other cities thousands of miles away and rebroadcast to others nearby. . If that person were to test positive for COVID-19, a person who actually had no contact with an infected person could be alerted that they have.
Tatyana Woodall, Ohio State News
However, the researchers didn’t just present the problem.
“Both companies have produced a product that can do a lot of good in the world,” Arora said. “We just want to make GAEN much more difficult to exploit.”
The OSU team also developed an updated version of Google and Apple’s network, which Arora says relies on coarse location data from Wi-Fi hotspots and towers. cellular data instead of precise GPS data, to help anonymize contact tracing data. The new version, dubbed GAEN+, earned researchers the thanks of Google at the conference.
OSU did not say whether Google and Apple had implemented the researchers’ fix for the framework used in several state and country contact tracing apps as of Thursday. However, Arora and co-researchers Zhigiang Lin, Christopher Ellis, and Haohuang Wen have also made their fixed version publicly available on the coding website GitHub.
Click here to read Arora, Lin, Ellis and Wen’s full study on the GAEN vulnerability.
Comments are closed.