Paper 2020/428
Security Analysis of the COVID-19 Contact Tracing Specifications by Apple Inc. and Google Inc.
Yaron Gvili
Abstract
In a joint effort to fight the COVID-19 pandemic, Apple Inc. and Google Inc. recently partnered to develop a contact tracing technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design. The partnership announcement included technical specifications of the planned technology, which has great potential for widespread adoption due to the global reach of the two companies. In this report, we provide a security analysis of these specifications. We show that the current specifications may introduce significant risks to society and propose mitigation strategies for these risks that do not require major changes to the technology and are easy to adopt. Surprisingly, our mitigation strategies do not use challenge-response protocols nor a public key infrastructure, often used to thwart common attacks. Our analysis focuses mostly on system security considerations yet also includes information security considerations. We leave out of scope a discussion on how important or effective the technology is in fighting the pandemic.
Metadata
- Category: Applications
- Publication info: Preprint. MINOR revision.
- Keywords: COVID-19, Contact Tracing, System Security, Information Security
- Contact author(s): cryptomniumllc @ gmail com
- History:
  - 2020-09-26: last of 3 revisions
  - 2020-04-15: received
- Short URL: https://ia.cr/2020/428
- License: CC BY