Paper 2020/428

Security Analysis of the COVID-19 Contact Tracing Specifications by Apple Inc. and Google Inc.

Yaron Gvili

Abstract

In a joint effort to fight the COVID-19 pandemic, Apple Inc. and Google Inc. recently partnered to develop a contact tracing technology, inspired by the DP-3T and TCN protocols, to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design. The partnership announcement included technical specifications of the planned technology, which has great potential for widespread adoption due to the global reach of the two companies. At the same time, the anonymous distributed setting for contact tracing as well as other aspects of the specifications create opportunities for attackers to mount common attacks on the technology. In this work, we provide a security analysis of these specifications, the initial version of which was communicated early on to Apple Inc. in April this year, soon after announcement of the specifications. We show that the current specifications may introduce significant risks to society due to the common attacks and propose novel mitigation strategies for these risks that do not require major changes to the technology and are easy to adopt. To the best of our knowledge, ours is the first contact tracing proposal to mitigate the risks of all these common attacks in the anonymous distributed setting without introducing architectural changes. Our analysis focuses mostly on system security considerations, which have not been well covered previously, yet also includes novel information security considerations. We leave out of scope a discussion on how important or effective the technology is in fighting the pandemic.