corona-warn-app / cwa-documentation

Project overview, general documentation, and white papers. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down

Replay attack starting from a testcenter for a lot of false positives? #463

Open JsBergbau opened 3 years ago

JsBergbau commented 3 years ago

Your Question

Referring to this corona-warn-app/cwa-documentation#228 issue which was mainly about tampering with the encrypted signal strength level. But it also mentioned the scenario of a replay attack. An attacker could place a receiver at a corona test centre, so there is a high chance that there will be positive packets received. Then he retransmits them with a high signal level at crowded places. He could for example direct the signal with a high gain directional antenna to an office building (or even at the health department, police or other sensitive areas). Then a lot of employees get warnings of a possible infection and self quarantine. For that time these places can work only very limited, very bad if this is a health department, police or any other critical infrastructure.

Is this kind of attack really still possible? Especially is the time interval of 2h still true? So if you capture one packet you could replay it for 2h, making the receiver think this contact lasted 2 hours.


JsBergbau commented 3 years ago

This issue is now open for more than a week. I would very much appreciate if there is an answer from official developers since this is from my point of view a quite significant issue as it could be used to unsettle people a lot and even worse things like described in the first post.

ndegendogo commented 3 years ago

Disclaimer: I am not one of the project maintainers here.

@JsBergbau Still I think I can clarify one misunderstanding on your side.

So if you capture one packet you could replay it for 2h, making the receiver think this contact lasted 2 hours.

The captured packet has some sort of timestamp encoded, which changes every 10 minutes. So, even if the attacker replays such a packet for 2 hours, he cannot fake a long duration with a single packet. The two hour validity is meant to mitigate the fact that the time of the devices might be not perfectly aligned.

You can find more details in the solution document e.g. figure 10.

JsBergbau commented 3 years ago

So, even if the attacker replays such a packet for 2 hours, he cannot fake a long duration with a single packet.

That's true. But that doesn't protect a lot, since the attacker can get "fresh packets" of the same device.

Suppose the attacker collects packets from one device which later reports as infected.
Attack starts at T=0, device emits Packet 1, attacker replays Packet 1
T=1, device emits Packet 2, attacker replays Packet 1 + 2
T=2, device emits Packet 3, attacker replays Packet 1 + 2 + 3
T=3, device emits Packet 4, attacker replays Packet 1 + 2 + 3 + 4
and so on till 2h have passed, let's say after packet 12 if RPI changes every 10 minutes
T=13, device emits Packet 14, attacker replays Packet 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 + 11 + 12 + 13 + 14

The victim's Corona App now receives Packets 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 + 11 + 12 + 13 + 14 with a strong signal. Will it now consider this a long exposure with a single reception or will it recognize an attack and not count that encounter at all? Or does it take 3 receiving periods of all these packets (the right packet would be enough) to get the 15 minute period after which an encounter starts getting risky?

If it doesn't count this encounter because it recognizes some attack/fake data and generates/shows no risky exposure, then an attacker can use this behaviour as a kind of DoS attack to "delete" / make real risky exposures invalid by constantly replaying old RPI packets.

So still hoping for an official answer.
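An added example, not code from the cwa-documentation project or from the Google/Apple Exposure Notifications implementation: a small Python model of the two receiver-side properties ndegendogo describes above (the 10-minute interval stamp carried by each RPI and the two-hour acceptance window), run over constructed scan lists. The interval numbering follows the Google/Apple definition (unix time divided by 600); the window size, the one-interval-per-RPI accounting, the `rpi_for_interval` label and the three scenarios are assumptions. It shows that one captured packet accounts for at most one interval and is dropped when replayed outside the window, while relayed fresh packets, as JsBergbau's sequence points out, still accumulate.

```python
INTERVAL_SECONDS = 600       # one RPI interval = 10 minutes (EN definition)
VALIDITY_WINDOW = 2 * 3600   # +/- 2 h clock tolerance, as assumed in this thread

def interval_number(unix_ts: int) -> int:
    # ENIntervalNumber: unix time divided by 600, rounded down
    return unix_ts // INTERVAL_SECONDS

def rpi_for_interval(key_id: str, interval: int) -> str:
    # Constructed stand-in for the real RPI derivation; only used for matching here
    return f"{key_id}:RPI-{interval}"

def match_exposure(diagnosis_key: tuple, scans: list) -> dict:
    """Model of the receiver-side match after a diagnosis key was downloaded.
    diagnosis_key = (key_id, first_interval, n_intervals); scans = [(rpi, scan_ts), ...]."""
    key_id, first, n = diagnosis_key
    expected = {rpi_for_interval(key_id, i): i for i in range(first, first + n)}
    accepted, rejected = set(), 0
    for rpi, scan_ts in scans:
        i = expected.get(rpi)
        if i is None:
            continue
        # the RPI's own interval must lie close to the time it was actually seen
        if abs(i * INTERVAL_SECONDS - scan_ts) > VALIDITY_WINDOW:
            rejected += 1
            continue
        accepted.add(i)  # a replayed RPI can only ever account for its own interval
    return {"intervals": len(accepted), "rejected": rejected,
            "minutes": len(accepted) * INTERVAL_SECONDS // 60}

# Constructed scenario: key K emitted 24 RPIs starting at an interval boundary
T0 = 1_600_000_200            # multiple of 600, so T0 is the start of interval I0
I0 = interval_number(T0)
KEY = ("K", I0, 24)

def single_packet_replayed_two_hours() -> dict:
    # The same captured RPI re-sent once a minute for 2 h: counts as 10 minutes only
    rpi = rpi_for_interval("K", I0)
    return match_exposure(KEY, [(rpi, T0 + 60 * m) for m in range(120)])

def single_packet_replayed_next_day() -> dict:
    # The same RPI re-sent a day later: every scan falls outside the window
    rpi = rpi_for_interval("K", I0)
    return match_exposure(KEY, [(rpi, T0 + 24 * 3600 + 60 * m) for m in range(120)])

def fresh_packets_relayed_live() -> dict:
    # Twelve consecutive RPIs relayed within their own interval: full 120 minutes
    return match_exposure(KEY, [(rpi_for_interval("K", I0 + k), T0 + k * INTERVAL_SECONDS + 30)
                                for k in range(12)])
```

The model deliberately stops at duration accounting; the signal-strength (attenuation) scoring that the later comments argue about is not represented.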

not-a-feature commented 3 years ago

Disclaimer: I am not one of the project maintainers here.

As far as I understand the documentation this could be done in theory. But to do this in real life, there are several difficulties to overcome.

-Even an antenna with a great transmitter power wouldn't get a signal strong enough to get a "high risk" contact if these people are sitting in a closed building.

I share your concerns but I highly doubt that it would be practical. This doesn't mean that no one should take a deeper look into this issue.


JsBergbau commented 3 years ago

Thanks for your detailed reply. Just some thoughts.

Only about 10% of these positive patients are sharing their keys.

That's a very bad rate. Is it really that low? I can't understand why people don't share their keys.

First of all one "patient" is usually no longer than 20 minutes at a testing site. Therefore only a few packages could be intercepted and replayed.

20 min is far greater than the 15 minutes after which the Corona Warn App begins to flag the contact as risky.

In some testing sites the patients stay inside their car the whole time.

How would that prevent or lower the risk of the attack? I've made tests where CWA BLE packets can be received when walking in rural areas where the bee-line to the next house is about 20 metres. I guess they don't have their phones near the window, but a few metres behind.

Capturing these packages is also problematic. Many testing sites are taking place in wide places which are fully enclosed with a single entry. The testing centres I've seen were made of tents. These almost don't attenuate the signal stronger than pure air. Getting there is also no problem, since they are at a train station or a motorway rest area. So being there isn't suspicious at all. But still you can place a Raspberry Pi Zero W like described here https://www.heise.de/select/ct/2017/22/1508780300482172 It has also very good reception capabilities. You can then transmit the data via LoRa, if you live farther away you can transmit the data e.g. via the ThingsNetwork and LoRa.

-Even an antenna with a great transmitter power wouldn't get a signal strong enough to get a "high risk" contact if these people are sitting in a closed building.

Beginning at which signal strength does the app consider a contact risky? I know it depends on the transmit power of the phones which is transmitted in the AEM, but do phones differ so much? I think it is "only" about +-5 dBm. So what is the lowest dBm level the app considers as risky?

There are 24 dBm antennas and 39 dBm / 8 Watt 2,4 GHz amplifiers available, together about 100 €, so giving a total of +63 dBm; compared to 10 dBm of a smartphone this gives 53 dBm more transmit power than a smartphone. If I calculated correctly 53 dB is 200,000 times more power than an average smartphone. Taking the square root this is more than 447 times more reach than a standard smartphone. So I would say, yes you can get a strong enough signal even for people sitting in a closed building.

ndegendogo commented 3 years ago

Disclaimer: I am not one of the project maintainers here.

The Exposure Notifications protocol we are discussing here was designed and implemented by Google and Apple. So cwa has only the options to use it as-is-provided or to roll their own.

As @not-a-feature already pointed out, such a replay attack might be feasible, but maybe not on the level of a "script-kiddy".

On the other side: the attacker does not even need to do the replay. Instead he can simply upload his own keys with the TeleTAN procedure to achieve a similar result.

JsBergbau commented 3 years ago

As mentioned in the documentation, you get the TeleTAN from the health authority (“Gesundheitsamt”). So this shouldn't be possible for an attacker to get one without infection. And even if he gets one, he needs equipment for transmitting it over a wide area with a strong signal.

The Exposure Notifications protocol we are discussing here was designed and implemented by Google and Apple. So cwa has only the options to use it as-is-provided or to roll their own.

Still these details should be discussed with Apple and Google and the developers have the influence to ask them. As a normal user it is even very hard to get in contact with Google at all, not talking about getting an answer.

Ein-Tim commented 3 years ago

@JsBergbau

I'm also not one of the project maintainers here.

As mentioned in the documentation, you get the TeleTAN from health authority (“Gesundheitsamt”). So this shouldn't be possible for an attacker to get one without infection.

Where did you find this statement in the documentation?

You can get a TeleTAN by simply calling the CWA-Verification-Hotline, they will ask you some questions (to try to make sure that you are really infected) but at the end this is the simplest possibility to be able to warn others, without being infected.

JsBergbau commented 3 years ago

Where did you find this statement in the documentation?

https://github.com/corona-warn-app/cwa-documentation/search?q=teletan&unscoped_q=teletan


You can get a TeleTAN by simply calling the CWA-Verification-Hotline, they will ask you some questions (to try to make sure that you are really infected) but at the end this is the simplest possibility to be able to warn others, without being infected.

That makes the attack even worse. From a quite high probability of getting "infected packets" from a test center, reduced by the fact that only 10 % of the people share the result, we now get a 100 % chance of transmitting infected packets.

Ein-Tim commented 3 years ago

@JsBergbau Did you read the "Datenschutzfolgeabschätzung" Document? Especially Annex 5 could be interesting for you.

ndegendogo commented 3 years ago

Disclaimer: I am not one of the project maintainers here.

That makes the attack even worse.

Or, to rephrase: Before I worry about a replay attack, I should worry about misuse of the TeleTAN. Agreed.

But: although the TeleTAN procedure was originally designed only as fallback for rare cases, now everybody is glad that it is in place; because still not all labs are connected to the cwa infrastructure with the QR code. Security is always a balance. You make it harder to cheat - and at the same time you might lock out legitimate usage.

JsBergbau commented 3 years ago

Here https://aircable.co/shop/product/acc1615-aircable-host-xr5-85 a professional Bluetooth repeater is also sold which can reach, with the right antennas, up to 30 km. However such a range is not needed, but this device probably could also be used to send cwa packets over a great distance to generate false positives.

Ein-Tim commented 2 years ago

@dsarkar You applied the https://github.com/corona-warn-app/cwa-documentation/labels/in%20review label here more than two years ago. Was the review meanwhile finished? What were the outcomes of it?