Paper 2020/1150

Terrorist Attacks for Fake Exposure Notifications in Contact Tracing Systems

Gennaro Avitabile, Daniele Friolo, and Ivan Visconti


In this work we show that an adversary can attack the integrity of contact tracing systems based on Google-Apple Exposure Notications (GAEN) by leveraging blockchain technology. We show that through smart contracts there can be an on-line market where infected individuals interested in monetizing their status can upload to the servers of the GAEN-based systems some keys (i.e., TEKs) chosen by a non-infected adversary. In particular, the infected individual can anonymously and digitally trade the upload of TEKs without a mediator and without running risks of being cheated. This vulnerability can therefore be exploited to generate large-scale fake exposure notifications of at-risk contacts with serious consequences (e.g., jeopardizing parts of the health system, affecting results of elections, imposing the closure of schools, hotels or factories). As main contribution, we design a smart contract with two collateral deposits that works, in general, on GAEN-based systems. We then also suggest the design of a more sophisticated smart contract, using DECO, that could be used to attack in a different way GAEN-based systems (i.e., this second smart contract can succeed even in case GAEN systems are repaired making ineffective the first smart contract). Our work shows how to realize with GAEN-based systems (in particular with Immuni and SwissCovid), the terrorist attack to decentralized contact tracing systems envisioned by Vaudenay.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. MINOR revision.Applied Cryptography and Network Security (ACNS) 2021
cryptographic protocolsblockchainsmart contractsattackscontact tracing
Contact author(s)
gavitabile @ unisa it
dfriolo @ unisa it
visconti @ unisa it
2021-06-15: last of 3 revisions
2020-09-25: received
See all versions
Short URL
Creative Commons Attribution


      author = {Gennaro Avitabile and Daniele Friolo and Ivan Visconti},
      title = {Terrorist Attacks for Fake Exposure Notifications in Contact Tracing Systems},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1150},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.