Researchers Serge Vaudenay and Martin Vuagnoux of the Swiss Federal Institute of Technology in Lausanne (EPFL) have just revealed a major flaw in Apple and Google's contact-tracing technology, the "Exposure Notifications" programming interface. The vulnerability makes it possible to track a person simply by passively collecting the Bluetooth messages broadcast in an area.
In theory, this risk should not exist: the frames broadcast by smartphones through the Apple and Google system carry an alias and a Bluetooth MAC address that are both randomly generated and changed every 15 minutes. In practice, however, the two are not always renewed at the same moment. Sometimes the MAC address changes before the alias, sometimes the other way round. This small desynchronization is enough to associate the new values with the old ones, and therefore to keep tracking the device.
The researchers named this attack "Small Thumb". The intermediate frames, which contain one old value and one new one, play the role of the small white pebbles in that children's tale: by collecting them, one never loses track of a device when its identifiers are renewed.
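As an added example (not the researchers' code), here is a Python check for the desynchronization the article describes: it takes a log of advertisement frames captured from a single device under test and flags every transition in which only one of the two identifiers changed, i.e. the "pebble" frames that let old and new values be associated. The `Frame` layout and the short identifier labels are constructed for the example; real frames carry a full MAC address and a 16-byte alias.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t: int      # capture time in seconds (constructed)
    mac: str    # random Bluetooth MAC address carried by the frame
    rpi: str    # rotating alias carried in the frame payload


def find_desync_rotations(frames):
    """Return the 'pebble' transitions of one device's frame log.

    A pebble is a pair of consecutive frames in which exactly one of
    (MAC address, alias) changed while the other stayed the same, so the
    identifier that stayed links the old pair to the new one."""
    pebbles = []
    prev = None
    for f in sorted(frames, key=lambda x: x.t):
        if prev is not None:
            mac_changed = f.mac != prev.mac
            rpi_changed = f.rpi != prev.rpi
            if mac_changed != rpi_changed:       # one changed, the other did not
                pebbles.append({
                    "t": f.t,
                    "linked_by": "rpi" if mac_changed else "mac",
                    "old": (prev.mac, prev.rpi),
                    "new": (f.mac, f.rpi),
                })
        prev = f
    return pebbles


def rotation_is_synchronous(frames):
    """True when every identifier change renews MAC and alias together."""
    return not find_desync_rotations(frames)


# Constructed logs. SYNC_LOG renews both identifiers in the same frame;
# DESYNC_LOG renews the MAC first and the alias ten seconds later.
SYNC_LOG = [Frame(0, "MAC-A", "RPI-1"), Frame(300, "MAC-A", "RPI-1"),
            Frame(900, "MAC-B", "RPI-2"), Frame(1200, "MAC-B", "RPI-2")]
DESYNC_LOG = [Frame(0, "MAC-A", "RPI-1"), Frame(300, "MAC-A", "RPI-1"),
              Frame(900, "MAC-B", "RPI-1"), Frame(910, "MAC-B", "RPI-2"),
              Frame(1800, "MAC-C", "RPI-3"), Frame(1805, "MAC-C", "RPI-3")]

if __name__ == "__main__":
    print("sync log vulnerable? ", not rotation_is_synchronous(SYNC_LOG))
    print("desync log vulnerable?", not rotation_is_synchronous(DESYNC_LOG))
    for p in find_desync_rotations(DESYNC_LOG):
        print(p)
```

Run against a capture of your own phone in an isolated test setup, an empty result means every rotation renewed both identifiers together; any pebble indicates the offset the article describes.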
In a demonstration video, the researchers explain that they tested eight smartphones compatible with the SwissCovid application, which uses the "Exposure Notifications" programming interface. The result: five of them were vulnerable.
The researchers were also able to exploit this flaw in other applications built on the same technology, such as Corona-Warn in Germany, StoppCorona in Austria and Immuni in Italy. It is likely that every application based on "Exposure Notifications" is vulnerable. The French StopCovid application is obviously not affected, as it does not rely on the Apple and Google system.
The ball is now in the court of the two computer giants, who must provide a patch. The researchers could not do this work themselves because the API is not fully open source, which is a shame.
Source: EPFL