A Coronavirus Contact Tracing App Replay Attack with Estimated Amplification Factors

COVID-19 tracing apps making use of Bluetooth Low Energy (BLE) emit random-looking identifiers that can later be used to reveal previous proximity with a person who has tested positive. For privacy reasons these identifiers generally cannot be authenticated by recipients. This creates the potential for an already-known replay attack that we describe in further detail here. In such attacks the bad actor’s goal is to create additional false positive proximity warnings, either to disconcert the people receiving erroneous warnings, or to discredit the overall system. While we point out ways in which the attack could be partly mitigated, we conclude that a) preventing the attack could add significant complexity to the overall system and might not be feasible, b) that the impact of the attack increases as more people run the tracing app, and c) that the attack can be targeted against key staff in some scenarios so that targeting even with a small amplification factor may cause noticeable damage. We present a model for that amplification that implies we could see four or more false positives per hour for the real positive tests that result from use of a targeted testing station whilst it is being attacked.