Radar COVID Vulnerability could allow attackers to fake identities of people in the application

Radar COVID is the official COVID-19 exposure warning software for Spain. In the impacted versions, it is feasible to identify and de-anonymize COVID-19 positive users who upload Radar COVID TEKs to the Radar COVID registry.

Friday, November 13, 2020, 20:19 GMT 

The vulnerability is caused by the fact that only COVID-19 positive users make Radar COVID connections to the server (uploading TEKs to the backend). Therefore any on-path observer with the ability to monitor traffic between the app and the server can recognise which users have had a positive test.

Such an adversary can be the mobile network operator (MNO) if the connection is made over a mobile network, the Internet Service Provider (ISP) if the connection is made via the Internet (e.g. a home network), the VPN provider used by the user, the local network operator in the case of business networks, or any eavesdropper connected to the same network (WiFi or Ethernet) as the user.

The attacker can de-anonymize the user as well. For this additional step, the adversary has to correlate Radar COVID traffic with other identifying information about the victim.

This may be done by linking the connection to a contract bearing the name of the victim, or by associating Radar COVID traffic with other user-generated flows that carry identifiers without encryption (e.g., HTTP cookies or other mobile flows that transmit specific identifiers such as IMEI or AAID). The Internet Service Provider or the MNO can do the former. Any on-path adversary, such as the network operator or even a cloud provider hosting more than one service accessed by the victim, can do the latter.

The further removed the adversary is from either the victim (the client) or the end-point (the server), the less likely it is to have access to re-identification details.

The risk has been mitigated by injecting dummy traffic from the app to the server.

All users produce dummy traffic regardless of whether they are positive for COVID-19 or not. The problem was fixed in iOS versions 1.0.8 (uniform distribution) and 1.1.0 (exponential distribution), Android versions 1.0.7 (uniform distribution) and 1.1.0 (exponential distribution), and version 1.1.2 of Backend-RELEASE.1.2. See the GitHub security advisory listed in the references for more detail.
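The effect of the mitigation on an on-path observer can be illustrated with a small simulation. This is an added example, not Radar COVID code: the function names, the dummy rate of 0.2 uploads per day, the 14-day window and the 1% positive rate are assumptions, and real and dummy uploads are assumed to be indistinguishable on the wire.

```python
import random

def next_dummy_delay(rate_per_day, rng):
    """Days until the next dummy upload, drawn from an exponential distribution."""
    return rng.expovariate(rate_per_day)

def uploads_in_window(days, rate_per_day, rng):
    """Number of dummy uploads one device emits during the observation window."""
    count = 0
    t = next_dummy_delay(rate_per_day, rng)
    while t < days:
        count += 1
        t += next_dummy_delay(rate_per_day, rng)
    return count

def observer_precision(users, positive_frac, days, dummy_rate, seed=1):
    """Share of users seen contacting the upload endpoint who are truly positive.

    dummy_rate == 0 models the affected versions, where only positive users
    connect. dummy_rate > 0 models the fix, where every device also sends
    dummy uploads. The observer sees only that a connection happened.
    """
    rng = random.Random(seed)
    seen = seen_positive = 0
    for _ in range(users):
        positive = rng.random() < positive_frac      # constructed population
        dummies = uploads_in_window(days, dummy_rate, rng) if dummy_rate > 0 else 0
        if positive or dummies > 0:
            seen += 1
            seen_positive += positive
    return seen_positive / seen if seen else 0.0

if __name__ == "__main__":
    before = observer_precision(20000, 0.01, 14, 0.0)
    after = observer_precision(20000, 0.01, 14, 0.2)
    print(f"affected versions: {before:.3f} of flagged users are positive")
    print(f"with dummy traffic: {after:.3f} of flagged users are positive")
```

Without dummy traffic every observed upload marks a positive user; with it, seeing an upload tells the observer almost nothing beyond the base rate.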

REFERENCES:

CONFIRM: github.com/RadarCOVID/radar-covid-backend-dp3t-server/security/advisories/GHSA-w7jx-37x3-w2jx
github.com/DP-3T/documents/blob/master/DP3T%20-%20Best%20Practices%20for%20Operation%20Security%20in%20Proximity%20Tracing.pdf
github.com/RadarCOVID/radar-covid-android/commit/09d00e5ede801ca400d45c7feda5a99c34e4176c
github.com/RadarCOVID/radar-covid-android/commit/53252773ffa81e116deabcbbea3bac96872b9888
github.com/RadarCOVID/radar-covid-android/commit/7fdc7debeb8a37faa77b53d9f9a1b4bbcff445ce
github.com/RadarCOVID/radar-covid-android/commit/8e5d14ec60e0c1847a4733556cf34d232c27102c
github.com/RadarCOVID/radar-covid-android/commit/91dcfff6252055637bc9ee0c46b8f003d64a16b9
github.com/RadarCOVID/radar-covid-android/commit/9627f4d69705bca68e550eefd3df1b9abe90b215
github.com/RadarCOVID/radar-covid-android/commit/ea0c4cc837f72f58e2b5df1ecf0899743ec3cdf8
github.com/RadarCOVID/radar-covid-backend-dp3t-server/commit/6d30c92cc8fcbde3ded7e9518853ef278080344d
github.com/RadarCOVID/radar-covid-backend-dp3t-server/commit/c37f81636250892670750e3989139fd76d4beffe
github.com/RadarCOVID/radar-covid-ios/commit/2d1505d4858642995ea09f02f23c953acaa65195
Cvemitre.org