COLUMBUS, Ohio (WCMH) – Researchers at Ohio State University said Thursday that they’ve found a “major flaw” in smartphone apps used to alert people if they’ve been exposed to COVID-19, but there is a fix.
Ohio itself does not have its own contact-tracing app, but multiple countries and nearly half of the United States did opt into making apps available for their locals and Ohioans who travel there. Downloadable on the Apple Store and Google Play, they all rely on a team effort by the two software behemoths. The namesake duo collaboratively created the Google/Apple Exposure Notification framework, which forms an international network of phones to help determine if someone has been exposed to a positive COVID-19 case.
However, while GAEN runs in a smartphone’s background and broadcasts contract-tracing phone data, it also invites the attention of hackers, according to the OSU researchers. In a study the team presented July 12 at a privacy technology conference in Australia, they proved that hackers could create fake “digital superspreaders” out of one positive COVID-19 test.
“Hackers or nation-state actors could potentially take advantage of an honest user and replay their contact-tracing data anywhere in the world,” said study co-author Anish Arora. “Because the framework operates as a wireless protocol, anybody can inject some kind of fake exposure, and those false encounters could disrupt the public’s trust for the system.”
The hijacking process — known as a replay attack — involves a hacker grabbing one person’s contact-tracing data on their phone, copying it and then repeatedly transmitting it to another location. According to the OSU study, it would only take data from a single positive COVID-19 test to be replayed multiple times in multiple cities for fake mass exposure, meaning people would have to miss work, cancel daily activities or even vacations.
An OSU spokeswoman gave a local example:
“If someone in Columbus with COVID-19 were to have their contact-tracing beacon data captured by a third party, their information could be transmitted to one or multiple other cities thousands of miles away, and re-broadcasted to others nearby. If this person were to be diagnosed positive for COVID-19, someone who in reality hasn’t had any contact with an infected person could be alerted that they have.”
Tatyana Woodall, Ohio State News
The researchers didn’t just present the problem, however.
“Both companies made a product that can do a lot of good in the world,” Arora said. “We just want to make GAEN much harder to exploit.”
The OSU team also developed an updated version of Google and Apple’s network, which Arora said relies on coarse location data from Wi-Fi access points and cell towers instead of precise GPS data, to help with making contact-tracing data anonymous. The new version, dubbed GAEN+, earned the researchers thanks from Google at the conference.
OSU did not say if Google and Apple had implemented the researchers’ fix for the framework used in multiple state and country contact-tracing apps as of Thursday. However, Arora and co-researchers Zhigiang Lin, Christopher Ellis and Haohuang Wen also made their fixed version publicly available on the coding website GitHub.
Click here to read Arora, Lin, Ellis and Wen’s full study about the GAEN vulnerability.
