nic-delhi / AarogyaSetu_Android

Aarogya Setu Android app native code
https://www.aarogyasetu.gov.in/
2.88k stars, 1.85k forks

App sends persistent device identifier in the clear in Bluetooth frames #536

Open doug-leith opened 3 years ago

doug-leith commented 3 years ago

The app sends the DiD value in the clear in Bluetooth frames. This value is linked to the phone number and device Android ID and so acts as a long-lived, persistent identifier of the handset. By sending this in the clear, an attacker monitoring Bluetooth frames can potentially track users' movements over time.

Note that due to such concerns the Google/Apple Exposure Notification system frequently changes the identifier broadcast in Bluetooth frames, as do most other apps (the Singapore and Australian apps, for example).

Commercial providers are already seeking to build Bluetooth sensor networks specifically targeting COVID-19 surveillance of this sort by embedding SDK code within common apps, e.g. see www.cuebiq.com/visitation-insights-covid19 and arxiv.org/pdf/2009.06077.pdf.

We therefore recommend that the app be modified to frequently change the broadcast identifier so as to mitigate such linking attacks.
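The following is an added illustration of the rotation scheme the issue recommends; it is not code from the Aarogya Setu project and does not reproduce the Google/Apple scheme exactly. It assumes a random per-day key held on the handset, a 10-minute rotation period (the issue only says "frequently"), and a 16-byte identifier derived with HMAC-SHA256 over an interval counter. The constructed scenario shows why this matters: three passive sensors seeing a static DiD can stitch the sightings into one trail, while rotating identifiers leave only unlinkable per-interval fragments. The daily key still lets a matching step regenerate every identifier the handset broadcast that day, so contact matching keeps working.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed rotation period; the issue only asks that the identifier change "frequently".
ROTATION_SECONDS = 10 * 60
ID_LEN = 16                      # bytes of identifier carried in the advertisement payload
SECONDS_PER_DAY = 24 * 60 * 60


def new_daily_key() -> bytes:
    """Fresh random per-day key, kept on the device unless the user chooses to publish it."""
    return os.urandom(16)


def interval_number(unix_time: int) -> int:
    """Index of the rotation interval containing unix_time."""
    return unix_time // ROTATION_SECONDS


def rolling_identifier(daily_key: bytes, unix_time: int) -> bytes:
    """Identifier broadcast during the rotation interval containing unix_time.

    HMAC-SHA256 over the interval counter: without daily_key a passive observer
    can neither predict the next value nor link it to the previous one.
    """
    counter = interval_number(unix_time).to_bytes(4, "big")
    return hmac.new(daily_key, b"rolling-id" + counter, hashlib.sha256).digest()[:ID_LEN]


def identifiers_for_day(daily_key: bytes, day_start: int) -> set:
    """Every identifier a handset would broadcast in one day, regenerated from the key
    alone; this is what lets a matching step recognise a later-published daily key."""
    return {rolling_identifier(daily_key, day_start + i * ROTATION_SECONDS)
            for i in range(SECONDS_PER_DAY // ROTATION_SECONDS)}


def link_sightings(sightings):
    """Group passive sightings (identifier, place, time) by identifier.

    A static identifier yields one long trail; rotating identifiers yield only
    single-interval fragments that cannot be joined without the key.
    """
    trails = defaultdict(list)
    for ident, place, t in sightings:
        trails[ident].append((place, t))
    return dict(trails)


def simulate(static: bool):
    """Constructed scenario: one handset seen by sensors at three places, 30 minutes apart."""
    key = new_daily_key()
    did = os.urandom(ID_LEN)  # constructed stand-in for the persistent DiD value
    places = [("cafe", 1_700_000_000), ("station", 1_700_001_800), ("office", 1_700_003_600)]
    sightings = [((did if static else rolling_identifier(key, t)), place, t)
                 for place, t in places]
    return link_sightings(sightings)


def longest_trail(trails) -> int:
    """Length of the longest trail an observer could assemble from the sightings."""
    return max(len(v) for v in trails.values())


if __name__ == "__main__":
    print("static DiD, longest linkable trail:", longest_trail(simulate(static=True)))
    print("rotating id, longest linkable trail:", longest_trail(simulate(static=False)))
```

The defender-side check is the pair of `longest_trail` results: a static identifier links all three sightings, a rotating one links none. Because `identifiers_for_day` is derived purely from the key, the matching side loses nothing; only the passive observer does.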