Quantifying the Risk of Wormhole Attacks on Bluetooth Contact Tracing

Stefan Czybik, Dan Arp, Konrad Rieck
Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy. Published 2022-04-14. DOI: 10.1145/3508398.3511496 (https://doi.org/10.1145/3508398.3511496)

Abstract

Digital contact tracing is a valuable tool for containing the spread of infectious diseases. During the COVID-19 pandemic, different systems have been developed that enable decentralized contact tracing on mobile devices. Several of the systems provide strong security and privacy guarantees. However, they also inherit weaknesses of the underlying wireless protocols. In particular, systems using Bluetooth LE beacons are vulnerable to so-called wormhole attacks, in which an attacker tunnels the beacons between different locations and creates false contacts between individuals. While this vulnerability has been widely discussed, the risk of successful attacks in practice is still largely unknown. In this paper, we quantitatively analyze the risk of wormhole attacks for the exposure notification system of Google and Apple, which builds on Bluetooth LE. To this end, we dissect and model the communication process of the system and identify factors contributing to the risk. Through a causal and empirical analysis, we find that the incidence and infectivity of the traced disease drive the risk of wormhole attacks, whereas technical aspects only play a minor role. Given the infectious delta variant of COVID-19, the risk of successful attacks thus increases and may pose a threat to digital contact tracing. As a remedy, we propose countermeasures that can be integrated into existing contact tracing systems and significantly reduce the success of wormhole attacks.