SecMT'21 Talk About Security of Proximity Services
Why is Hard to Secure Mobile Proximity Services
Mobile devices such as phones, tablets, and wearables enable proximity services on a large scale. These services use wireless technologies (such as Wi-Fi and Bluetooth) to connect users within a specific range and exchange information. Proximity information ranges from general-purpose files and contacts to privacy-preserving COVID-19 proximity identifiers. Since these services affect millions of mobile users worldwide, their security against cyber threats is paramount. It is not pleasant if an attacker in proximity (or even remotely) can eavesdrop on private communication or tamper with personal data. However, adopting (even essential) security mechanisms for proximity services is easy in theory but pretty hard in practice. For example, it is challenging to provide confidentiality and authenticity while at the same time providing energy-efficient and accurate proximity tracing. On top of that, a usable proximity service has to scale well with the number of users and provide the same quality of service across different software and hardware ecosystems (e.g., Android and iOS) and usage conditions (e.g., indoor and outdoor). In this talk, we look at two commercial proximity services. The first is Google's Nearby Connections (NC), an API that connects Android devices using a combination of Wi-Fi and Bluetooth without requiring an Internet connection. The second is Google/Apple's Exposure Notification (EN) framework, which powers most COVID-19 contact-tracing mobile applications in Europe, including the ones used in Italy, Germany, and Switzerland. Throughout the talk, the audience will learn about, among other things, the architectures, pitfalls, vulnerabilities, attacks, and countermeasures of real-world proximity services, and related research trends.