Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
120 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
46 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Smartphones in a Microwave: Formal and Experimental Feasibility Study on Fingerprinting the Corona-Warn-App (2307.02931v1)

Published 6 Jul 2023 in cs.CR and cs.SI

Abstract: Contact Tracing Apps (CTAs) have been developed to contain the coronavirus disease 19 (COVID-19) spread. By design, such apps invade their users' privacy by recording data about their health, contacts, and partially location. Many CTAs frequently broadcast pseudorandom numbers via Bluetooth to detect encounters. These numbers are changed regularly to prevent individual smartphones from being trivially trackable. However, the effectiveness of this procedure has been little studied. We measured real smartphones and observed that the German Corona-Warn-App (CWA) exhibits a device-specific latency between two subsequent broadcasts. These timing differences provide a potential attack vector for fingerprinting smartphones by passively recording Bluetooth messages. This could conceivably lead to the tracking of users' trajectories and, ultimately, the re-identification of users.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (26)
  1. 2020. Exposure notifications: Helping fight covid-19. https://google.com/covid19/exposurenotifications/
  2. 2020. Open-Source Project Corona-Warn-App. https://coronawarn.app/en/
  3. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 674–689. https://doi.org/10.1145/2660267.2660347
  4. Poster: WLAN Device Fingerprinting Using Channel State Information (CSI). In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks (Stockholm, Sweden) (WiSec ’18). ACM, New York, NY, USA, 277–278. https://doi.org/10.1145/3212480.3226099
  5. Apple and Google. 2020. Exposure Notification – Bluetooth Specification. https://blog.google/documents/70/Exposure_Notification_-_Bluetooth_Specification_v1.2.2.pdf/
  6. Bluetooth Special Interest Group. 2021. Bluetooth Core Specification v5.3. https://www.bluetooth.com/specifications/specs/core-specification-5-3/
  7. (Cross-)Browser Fingerprinting via OS and Hardware Level Features. In Proceedings of the Network and Distributed System Security Symposium (NDSS) 2017. https://doi.org/10.14722/ndss.2017.23152
  8. Guillaume Celosia and Mathieu Cunche. 2019. Fingerprinting bluetooth-low-energy devices based on the generic attribute profile. In Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things. 24–31.
  9. Towards measuring anonymity. In Privacy Enhancing Technologies. Springer Berlin Heidelberg, 54–68. https://doi.org/10.1007/3-540-36467-6_5
  10. Peter Eckersley. 2010. How Unique Is Your Web Browser?. In Proceedings of the 10th Privacy Enhancing Technologies Symposium (PETS 2010) (Berlin, Heidelberg). Springer Berlin Heidelberg, 1–18. https://doi.org/10.1007/978-3-642-14527-8_1
  11. European Union. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/eli/reg/2016/679/oj
  12. Sergey Frolov and Eric Wustrow. 2019. The use of TLS in Censorship Circumvention. In Proceedings 2019 Network and Distributed System Security Symposium (NDSS). Internet Society. https://doi.org/10.14722/ndss.2019.23511
  13. Temporal dynamics in viral shedding and transmissibility of COVID-19. Nature medicine 26, 5 (2020), 672–675. https://doi.org/10.1038/s41591-020-0869-5
  14. Accurate and Efficient Wireless Device Fingerprinting Using Channel State Information. In Proceedings of the IEEE International Conference on Computer Communications (INFOCOM). 9.
  15. BlueID: A practical system for Bluetooth device identification. In IEEE INFOCOM 2014-IEEE Conference on Computer Communications. IEEE, 2849–2857.
  16. HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting. 2016, 1 (2016), 6. https://doi.org/10.1186/s13635-016-0030-7
  17. Suman Jana and Sneha Kumar Kasera. 2009. On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews. In Proceedings of the 14th ACM international conference on Mobile computing and networking. 104–115. https://doi.org/10.1109/TMC.2009.145
  18. Remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing 2, 2 (2005), 93–108. https://doi.org/10.1109/TDSC.2005.26
  19. Browser Fingerprinting: A survey. (2019). arXiv:1905.01051 http://arxiv.org/abs/1905.01051
  20. Jonathan R Mayer. 2009. “Any person… a pamphleteer:” Internet Anonymity in the Age of Web 2.0. Bachelor Thesis.
  21. Keaton Mowery and Hovav Shacham. 2012. Pixel Perfect: Fingerprinting Canvas in HTML5. In Proceedings of W2SP 2012. 12.
  22. Andreas Pfitzmann and Marit Hansen. 2010. A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management.
  23. Digital Contact Tracing Study — Study on lessons learned, best practices and epidemiological impact of the common European approach on digital contact tracing to combat and exit the COVID-19 pandemic. European Commission.
  24. Yoke Leen Sit. 2017. MIMO OFDM Radar-Communication System with Mutual Interference Cancellation. KIT Scientific Publishing.
  25. Preparing for “Disease X”. Science 374, 6566 (2021), 377.
  26. OpenVPN is Open to VPN Fingerprinting. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 483–500.

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now