Cryptology ePrint Archive: Report 2020/1393

On the Effectiveness of Time Travel to Inject COVID-19 Alerts

Vincenzo Iovino and Serge Vaudenay and Martin Vuagnoux

Abstract: Digital contact tracing apps allow to alert people who have been in contact with people who may be contagious. The Apple/Google Exposure Notification (EN) system is based on Bluetooth proximity estimation. It has been adopted by many countries around the world. However, many possible attacks are known. The goal of some of them is to inject a false alert on someone else’s phone. This way, an adversary can eliminate a competitor in a sport event or a business in general. Political parties can also prevent people from voting.

In this report, we review several methods to inject false alerts. One of them requires to corrupt the clock of the smartphone of the victim. For that, we build a time-traveling machine to be able to remotely set up the clock on a smartphone and experiment our attack. We show how easy this can be done. We successfully tested several smartphones with either the Swiss or the Italian app (SwissCovid or Immuni).

Category / Keywords: applications / digital contact tracing, attacks, time corruption

Date: received 7 Nov 2020, last revised 10 Nov 2020

Contact author: viovino at unisa it, serge vaudenay@epfl ch, martin@vuagnoux com

Available format(s): PDF | BibTeX Citation

Note: Videos: https://vimeo.com/477605525 (teaser) and https://vimeo.com/476901083

Version: 20201110:172515 (All versions of this report)

Short URL: ia.cr/2020/1393