Bluetooth is an essential wireless standard for short-distance and low-power wireless networks. Health departments’ contact-tracing applications depended on Bluetooth technology to prevent infectious diseases from spreading, especially COVID-19. The security threats of the Bluetooth-based contact-tracing applications increased because an adversary can use them as surveillance tools that violate the user’s privacy and revealpersonal information. The Bluetooth standard mainly depends on the device address in its authenticated pairing mechanism (Secure Simple Pairing), which can collect with off-the-shelf hardware and software and leads to a tracking attack. To avoid the risk of tracking based on this security vulnerability in the Bluetooth protocol, we suggest a novel authentication protocol based on a noninteractive zero-knowledge scheme to substitute the authentication protocol used in the Bluetooth standard. The new protocol can replace the authentication protocol in the Bluetooth stack without any modification in the device pairing flow. Finally, we prove the security of our proposed scheme against the man-in-themiddle attack and tracking attack. A performance comparison with the authentication algorithm in the BLE standard shows that our method mitigates the tracking attack with low communication messages. Our results help enhance the contact-tracing application’s security in which Bluetooth access is available.
Read full abstract