Threat Modeling Apple and Google’s Covid-19 Contact Tracing Technology

PART 1 OF THREAT MODELING CONTACT TRACING TECHNOLOGIES.

On Friday April 10, 2020 Apple and Google announced they would be collaborating to develop a technology solution to the COVID-19 pandemic by implementing contact tracing on mobile devices such as cellphones. Yes, your cellphone would like to help you by keeping track of all the people you come in contact with! If you are like me and value your privacy, this sounds pretty scary right? Also, if Apple and Google can track who I am in contact with, can hackers also track me? You probably have a lot of questions. Well, let’s take a closer look at the design of the Apple-Google Contact Tracing technology and see if we can help answer those questions.

Q: Is this a new technology for Apple and Google to collect even more data about me?

A: No.

The first thing that potential users of this this technology should understand is that this is a “Privacy-Preserving Contact Tracing” solution. What does that mean exactly? It means that this solution was built with preserving your privacy, anonymity, and security central to its design.

Q: How can Apple and Google’s track who I have come in contact without compromising my privacy and those who I come in contact with?

A: Crypto.

Cryptography, the fundamental underlying technology that makes things like digital currencies such as Bitcoin anonymous and attractive to even those with the highest privacy concerns are in play here.

Q: Crypto is kind of a buzz word… Can you explain this to me?

A: Yes.

Let’s get down to the heart of how Apple and Google’s Privacy-Preserving Contact Tracing solution actually works. Each mobile device generates its own SHA-256 one-way hash on the device itself which is used as a key. The key is salted, randomize and all that good stuff. This is known as the “Tracing Key.” The Tracing Key is like a fingerprint for the mobile device and will be unique to all the other Tracing Keys generated on other mobile devices. It’s important to know that this key is generated on the mobile device itself and is never sent to Google or Apple for tracking someone individually. Remember, this is a Privacy-Preserving Contact Tracing solution.

Once the mobile device has generated the Tracing Key securely on the device itself, it then uses this key to generate a “Daily Tracing Key.” This key is generated every 24 hours. The device then uses the Daily Tracing Key to generate a “Rolling Proximity Identifier.” The Rolling Proximity Identifier is what is broadcasted to other phones via Bluetooth and changes every 15 minutes.

Q: If the crypto in place is so anonymous, then how can Apple and Google alert me if I had a Covid-19 exposure?

A: Daily Tracing Keys.

The way Apple Google Privacy-Preserving Contact Tracing solution is implemented, the Daily Tracing Keys will not leave the device unless you alert it to being associated with confirmed Covid-19 case. Remember, the Daily Tracing Keys dose not identify an individual or their mobile device. The Daily Tracing Keys are never broadcasted over Bluetooth to other phones for contact tracing. Only the Rolling Proximity Identifier is broadcasted to other mobile devices using Bluetooth. When the mobile device is confirmed to be associated with a confirmed Covid-19 case, the Daily Tracing Keys for only the past 14 days are sent to Apple and Google’s Contact Tracing web service API. Those Daily Tracing Keys are then distributed to all of the mobile devices performing contact tracing. The phone then generates all the possible Rolling Proximity Identifiers associated with the 14 Daily Tracing Keys sent to Apple and Google to see if it matches any of the Rolling Proximity Identifier codes your mobile device has come in contact with. The process looks like this:

Q: Will hackers be able to track my mobile device by listening to my Bluetooth broadcasts?

A: No.

The mobile device only broadcasts Rolling Proximity Identifiers which change every 15 minutes.

Q: How will the Apple Google Contact Tracing solution prevent abuse cases such as people saying they are sick when they are not?

A: This will likely depend on who develops the app which consume this new service.

This is by far the biggest question people have regarding the new Apple Google Contact Tracing technology. These are security control questions for the application boundary. Contract Tracing apps, written by developers and organizations that will use the new Apple Google Privacy-Preserving Contact Tracing service will need to implement compensating controls to prevent abuse cases such as falsely alerting other mobile devices that they were in contact with someone infected with Covid-19.

To prevent abuse cases such as this, it will likely require a validation process from a healthcare professional at the application level. Remember, everything we discussed so far is how this technology will work at the service level.

There are other unknown questions surrounding the application boundary for the apps written to use this new technology. Once applications are developed to consume this service, we will have enough data to understand how this probable abuse case will be remediated.

Please stay tuned for other blog posts on this subject where we plan to answer the question above along with some runner up questions about backend data controls such as: