Replay (Far) Away: Exploiting and Fixing Google/Apple Exposure Notification Contact Tracing
Authors: Christopher Ellis (The Ohio State University), Haohuang Wen (The Ohio State University), Zhiqiang Lin (The Ohio State University), Anish Arora (The Ohio State University)
Volume: 2022
Issue: 4
Pages: 727–745
DOI: https://doi.org/10.56553/popets-2022-0130
Abstract: Digital contact tracing offers significant promise to help reduce the spread of SARS-CoV-2 and other viruses. Google and Apple joined together in 2020 to create the Google/Apple Exposure Notification (GAEN) framework to determine encounters with anonymous users later diagnosed COVID-19 positive. However, as GAEN lacks geospatial awareness, it is susceptible to geographically distributed replay attacks. Anonymous, low-cost, crowd-sourced replay attack networks deployed by malicious actors (or far away nation-state attackers) who utilize malicious (or innocent) users’ smartphones to capture and replay GAEN advertisements can drastically increase false-positive rates even in areas that otherwise exhibit low positivity rates. In response to this powerful replay attack, we introduce GAEN+, a solution that enhances GAEN with geospatial awareness while maintaining user privacy, and demonstrate its ability to effectively prevent geographically distributed replay attacks.
Keywords: digital contact tracing, Google Apple Exposure Notification framework, Bluetooth Low Energy, geospatial index, H3, replay attack, Android, iOS, COVID-19
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.