Mobile devices such as phones, tablets, and wearables enable proximity
services on a large scale. These services use wireless technologies (such as
Wi-Fi and Bluetooth) to connect users within a specific range and exchange
information. Proximity information ranges from general-purpose files and
contacts to privacy-preserving COVID-19 proximity identifiers. Since these
services affect millions of mobile users worldwide, their security against
cyber threats is paramount. It is not pleasant if an attacker in proximity
(or even remotely) can eavesdrop on private communication or tamper with
personal data. However, adopting (even essential) security mechanisms for
proximity services is easy in theory but hard in practice. For example, it
is challenging to provide confidentiality and authenticity while at the same
time providing energy-efficient and accurate proximity tracing. On top of
that, a usable proximity service has to scale well with the number of users
and provide the same quality of service across different software and
hardware ecosystems (e.g., Android and iOS) and usage conditions (e.g.,
indoor and outdoor). In this talk, we look at two commercial proximity
services. First, Google's Nearby Connections (NC) is an API that connects
Android devices using a combination of Wi-Fi and Bluetooth, without
requiring an Internet connection. Second, the Google/Apple Exposure
Notification (EN) framework powers most COVID-19 contact-tracing mobile
applications in Europe, including the ones used in Italy, Germany, and
Switzerland. Throughout the talk, the audience will learn, among other
things, about the architectures, pitfalls, vulnerabilities, attacks, and
countermeasures of real-world proximity services, as well as related
research trends.