Playlist "Remote Chaos Experience"

Exposure Notification Security

jiska

Bluetooth is still the best technology we have in a smartphone to implement exposure notifications. It is safe to use the Corona-Warn-App. Fight me! ;)

Wait, what, did Jiska just submit a talk claiming that Bluetooth is secure?! Is this just another 2020 plot twist?

No, it's not. Assuming that we need an app that enables exposure notifications based on distance measurements, Bluetooth is the best trade-off. Audio would be more accurate but requires permanent access to the microphone. GPS does not work indoors, and Wi-Fi and LTE chips are less accessible through smartphone APIs, so we're left with Bluetooth. And Bluetooth LE Advertisements are actually a great choice for such a protocol, as they further reduce exploitability.

As someone who was involved in finding multiple Bluetooth security issues within chips and operating systems, Jiska should be more afraid of Bluetooth, you might think. However, attacking Bluetooth on an up-to-date smartphone with recent chips is very complex and requires physical proximity. Those using outdated smartphones face similar risks when browsing the Internet, without the physical proximity requirement.

There are other issues within the CWA, such as missing awareness of places like restaurants and public transport, and a health system that lacks fast test reports. We should care about real problems instead of claiming security issues that barely have an impact on average users.