corona-warn-app / cwa-documentation

Project overview, general documentation, and white papers. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

[Security] Potential abuser story: Quarantine enemies after being tested positive oneself #306

Closed corneliusroemer closed 4 years ago

corneliusroemer commented 4 years ago

I don't think this abuser story has been documented yet, so following @mynchau's suggestion in #71 I open a new issue here with a realistic abuser story.

It's a feasible attack with significant benefit to the attacker. The only prerequisite is that the attacker has tested positive. Then they can execute their attack and get anyone they like quarantined (most likely people they dislike or who compete with them).

Scenario is as follows:

  1. You test positive
  2. You give your phone to a friend who will walk nearby whoever they want to quarantine: Neighbour they don't like; if they run a shop, they have their friend walk into a competitor's shop etc.
  3. Only then you report your positive test result in the app by entering the TAN
  4. The people who your friend walked past will get notified that they've been exposed, need to quarantine.

No one's health is actually directly harmed by this but still it affects many people negatively AND the attacker has a potential benefit.

I wonder what @sventuerpe thinks of this.

rec0de commented 4 years ago

Note that this attack requires physical proximity (thus does not scale well) and is in no way inherent to the app usage itself.

The attack would be arguably more efficient exploiting traditional contact tracing by stating you were in close proximity to the victim.

Also, I'd guess generating a false-positive exposure notification would not necessarily result in a full 14 day quarantine if the victim gets tested soon after receiving the notification.

sventuerpe commented 4 years ago

@corneliusroemer This is an interesting and original scenario, the more so as it requires no particular skills or technical sophistication on the perpetrator’s part. However, in addition to the constraints mentioned by @rec0de I think the prerequisite of a positive test result limits the risk unless there were ways to obtain such results at will.

How long can test results be used to trigger notifications? To what extent has #41 been addressed?

pdehaye commented 4 years ago

@rec0de @sventuerpe You might want to look at this thread to reconsider your assumptions regarding the need for emitting at a higher signal strength.

https://github.com/corona-warn-app/cwa-documentation/issues/228

corneliusroemer commented 4 years ago

@rec0de You are right, you can simply claim to the contact tracing official that you have been in contact with your "enemy". So yes, no need for getting your phone near your enemy if you have tested positive and can just tell the contact tracer. One hindering factor to telling a contact tracer is that it's psychologically much harder to lie to a human than to simply move an app around and type into it. Less personal, feels less dirty - at least that's how I would feel if I was an abuser wanting to get my enemy quarantined.

Issue #41 and particularly this comment from @wuerzebesser https://github.com/corona-warn-app/cwa-documentation/issues/41#issuecomment-629068432 provide an alternative, slightly more far-fetched abuse using a black market for TANs. Everyone who gets diagnosed can get a TAN, so instead of using it, they sell it on to someone else who can then quarantine their enemy for cheap, not having to be positive themselves. Just buying a TAN off the black market.

Actually, it turns out that in their comment, @wuerzebesser already stated the abuser story I based this issue on. I didn't know about this. Maybe that's proof that the idea isn't as far-fetched and original as one may think if two people have the same idea independently.

By the way, I don't think that #41 has been resolved. The TAN is, AFAIK, active for an hour - enough to pass it on - especially if the timing has been pre-arranged. Once I'm tested, I don't need to call immediately to get my TAN. I can sell first, arrange a time for the buyer to get ready, then get the TAN.

Also, as pointed out in #167, brute forcing a valid TAN isn't as hard as it may seem: One client 1 month, 1000 parallel clients 1 hour. But yes, this requires technical sophistication. But, the existence of potential buyers of black market TANs means that brute forced TANs suddenly have a value and it may pay off for one single sophisticated brute forcer to supply the entire market. So all you end up needing is one sophisticated supplier of brute forced TANs and many unsophisticated but motivated buyers of brute forced TANs who can quarantine their enemies.

Anyways, thinking too hard about these scenarios, I become blinded towards evaluating their likelihood. I leave it to others to comment on the impact.

cfritzsche commented 4 years ago

What’s interesting about this attack vector is that it combines well with the weakness of the teleTAN hotline. It could be easy to get a teleTAN even without any positive test, depending on how well they do their job. One more reason to hope the labs will all switch to the QR mechanism soon, but even then it is voluntary to the user and this attacker could say he chose not to use the QR code.

mh- commented 4 years ago

@corneliusroemer I find your statement "getting an enemy quarantined" quite misleading. Apart from the fact that you need your phone very close to your enemy's smartphone for a long time, to get the risk assessment to trigger in the first place, this will in no way cause someone to "get quarantined".

You could create small-scale nuisance for a few people this way, and someone who is prepared to do this will find lots of other, easier ways. --> This does not change my opinion that the Corona Warn App system (based on Google/Apple Exposure Notifications) offers a good trade-off. Just my EUR 0.02.

daimpi commented 4 years ago

Related: This and other attack vectors (e.g. relay attacks) have been documented before. See my comment here: https://github.com/corona-warn-app/cwa-documentation/issues/273#issuecomment-645322925.

As I stated there: imho it comes down to the scalability and risk/reward tradeoff for each of the attacks. My personal feeling (as a non-expert) is the same as mh-: the CWA seems to be fine on this spectrum. This shouldn't mean that improvements (where possible) are unnecessary, but certain risks (e.g. relay attacks) are inherent to the protocol and cannot be mitigated. But as long as the risk/reward tradeoff for an attacker is sufficiently bad that shouldn't be too much of a problem.

SebastianWolf-SAP commented 4 years ago

Dear @corneliusroemer, dear contributors,

thank you very much for bringing that story up. We've read the comments with big interest. However, as @rec0de and @mh- already outlined, there is no chance that a red flag in the app will lead to anybody being forced to stay in quarantine.

The app's warning serves as a hint to contact the health care system. If you are warned by the app, you should contact your family doctor's office and clarify the further procedure. Only if you test positive for Corona, you may receive a sick note and need to stay home.

Other criminal activities which are unrelated to the app, such as on-purpose infections of other people after becoming sick (which could also happen in your abuser story) are not part of our documentation and are therefore also not listed in our repositories.

Best regards, SW Corona-Warn-App Open Source Team