Replay (Far) Away: Exploiting and Fixing Google/Apple Exposure Notification Contact Tracing

Authors: Christopher Ellis (The Ohio State University), Haohuang Wen (The Ohio State University), Zhiqiang Lin (The Ohio State University), Anish Arora (The Ohio State University)

Volume: 2022
Issue: 4
Pages: 727–745


Download PDF

Abstract: Digital contact tracing offers significant promise to help reduce the spread of SARS-CoV-2 and other viruses. Google and Apple joined together in 2020 to create the Google/Apple Exposure Notification (GAEN) framework to determine encounters with anonymous users later diagnosed COVID-19 positive. However, as GAEN lacks geospatial awareness, it is susceptible to geographically distributed replay attacks. Anonymous, low-cost, crowd-sourced replay attack networks deployed by malicious actors (or far away nation-state attackers) who utilize malicious (or innocent) users’ smartphones to capture and replay GAEN advertisements can drastically increase false-positive rates even in areas that otherwise exhibit low positivity rates. In response to this powerful replay attack, we introduce GAEN+ , a solution that enhances GAEN with geospatial awareness while maintaining user privacy, and demonstrate its ability to effectively prevent geographically distributed replay attacks.

Keywords: digital contact tracing, Google Apple Exposure Notification framework, Bluetooth Low Energy, geospatial index, H3, replay attack, Android, iOS, COVID-19

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.