Abstract
The digital contact tracing applications are one of the many initiatives to fight the COVID-19 virus. Some of these Apps use the Exposure Notification (EN) system available on Google and Apple's operating systems. However, EN-based contact tracing Apps depend on the availability of Bluetooth interfaces to exchange proximity identifiers, which, if compromised, directly impact their effectiveness. This paper discloses and details the Advertising Overflow attack, a novel internal Denial of Service (DoS) attack targeting the EN system on Android devices. The attack is performed by a malicious App that occupies all the Bluetooth advertising slots in an Android device, effectively blocking any advertising attempt of EN or other Apps. The impact of the disclosed attack and other previously disclosed DoS-based attacks, namely Battery Exhaustion and Storage Drain, were tested using two target smartphones and other six smartphones as attackers. The results show that the Battery Exhaustion attack imposes a battery discharge rate 1.95 times higher than in the normal operation scenario. Regarding the Storage Drain, the storage usage increased more than 30 times when compared to the normal operation scenario results. The results of the novel attack reveal that a malicious App can prevent any other App to place their Bluetooth advertisements, for any chosen time period, thus canceling the operation of the EN system and compromising the efficiency of any COVID contact tracing App using this system.
Highlights
The worldwide spread of the COVID-19 virus captured society’s attention and pushed for efforts to contain and mitigate the impact and the effects of the current pandemic
One of the strategies adopted by governments and countries’ health authorities consisted of relying on digital contact tracing applications, to enable citizens to monitor their exposure to COVID-19
3% of battery discharge in one hour can be considered as not relevant, if the number of attackers increase, higher amounts of Rolling Proximity Identifier (RPI) will be sent, and this would increase the ratio between the baseline and attack results, presenting more impact Performing this attack with a larger volume of advertisements may generate a noticeable battery drain, especially in older devices
Summary
The worldwide spread of the COVID-19 virus captured society’s attention and pushed for efforts to contain and mitigate the impact and the effects of the current pandemic. 4) Battery Exhaustion - This attack is accomplished when an attacker sends large quantities of RPIs to a target exhausting its battery This Denial of Service (DoS)based attack is mentioned in [18], [28], and [29], and the authors highlight that the users tend to reject and uninstall the Contact Tracing Apps assuming that they will increase of the battery consumption rate. To mitigate these attacks, authors in [18] propose to use a proof-of-work to check if a received message is valid when under a high request load. None of the related works on bugs, attacks and vulnerabilities in EN targets the exhaustion of the Bluetooth advertisement slots
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
