Researchers at Ohio State University have created a patch that could make apps that track contact tracing stronger against cyber threats.
The fix would help Google and Apple apps prevent a lurking threat that could compromise these types of contact-tracing apps, popularized by the COVID-19 pandemic.
A vulnerability in the framework used by the apps could allow cyber criminals to use attacks to make it look like a disease is spreading in an area, when it isn’t.
The attacks could take data a user-supplied and transmit it to other locations. That could be used to make it look like a user was exposed to someone with COVID, or it could make it appear an area is suffering from a super spreader event.
"Because the framework operates as a wireless protocol, anybody can inject some kind of fake exposure, and those false encounters could disrupt the public’s trust for the system," said study co-author Anish Arora, professor and chairperson of computer science and engineering at OSU.
That could lead to personal, social and economical costs.
An increase in false-positive notifications would undermine the public good behind contact-tracing apps, co-author Zhiqiang Lin, professor of computer science and engineering at Ohio State, said it could also have cascading economic and social consequences, like causing people to miss work or cancel daily personal activities and long-planned vacations.
This potential rises when tests are scarce or in economically disadvantaged countries that don’t have access to vaccines, Lin said.
The team created a patch for apps on the framework that would prevent these types of attacks.
"Our enhancement is privacy-preserving," Arora said.
The team was thanked by Google for finding and fixing the weakness, according to a press release.
The source code has been placed on GitHub, a platform that hosts code online, to help spread the solution.
"When future developers design similar protocols, we’re making sure they have the opportunity to consider our recommendations," Arora said.
