For the RKI Corona warning app to work, Bluetooth must be permanently activated on the smartphone. Many users do not want to install the application because they fear that hackers could misuse the radio connection for attacks. Is the concern justified?
The Corona Warning App of the Robert Koch Institute (RKI) has started successfully, and the application has already downloaded 12.2 million users (as of June 23). However, many people are still reluctant to install the app. The reason given is often that the permanently activated Bluetooth function for contacting other cell phones is not safe, hackers could use it for attacks. The concern is not entirely unjustified, in the past the radio standard repeatedly showed security gaps. But is the danger really so great that you should do without the Corona warning app?
Updates protect smartphones
The security company ERNW described one of the most critical Bluetooth vulnerabilities in recent years in its blog in early February. "BlueFrag" theoretically allows hackers to tap personal data from an Android smartphone or even to install malware. All you need is the specific MAC address of the cell phone, which is used to identify a device in the network. All Android versions older than version 10 were probably affected. ERNW had already informed Google in November, which is why a patch was available in February that closed the gap.
The case shows that smartphones, whose software is kept up to date, are largely secure against attacks even with permanently activated Bluetooth. However, the problem is that some smartphone manufacturers take too much time before passing on a security update. In addition, Android smartphones generally only receive patches for three years, so gaps are often not closed on older devices.
A "BlueFrag" attack is unlikely even then. Because for hackers this involves a relatively high level of effort, which actually only pays off if they have a specific goal. An attacker must be close to the victim, who must have activated WLAN on his device in addition to Bluetooth. And even then, not all devices will work if they use a random MAC address when searching for access points.
Big effort for hackers
IPhones can also be attacked via Bluetooth. Only in May did an international team of researchers report a vulnerability that affects both iOS and Android devices. An attack can take place via a computer pretending to be a device that was already paired with the smartphone. This eliminates the usual pairing process at first contact and the connection is established automatically.
Again, the problem was reported to manufacturers and the Bluetooth SIG (Special Interest Group) at the end of 2019. Patches have been available since December. And for attackers it is anything but child's play to exploit the "BIAS" vulnerability. Among other things, the user has to help the attacker with an error when comparing the codes. In addition, access fails from the outset if a device uses Bluetooth LE (Low Energy). And the Corona warning app uses this standard.
In May, the Federal Office for Information Security (BSI) also warned of a security vulnerability discovered by the Technical University of Munich, which can cause so-called method confusion attacks. An attacker switches the pairing communication between a smartphone and another device and picks up the negotiated coupling code. Theoretically, this also works with Bluetooth LE. However, no pairing takes place when using the Corona warning app. It only sends out small data packets that are received by other cell phones. And of course there are also security updates for this vulnerability.
Older androids are not always safe
Ultimately, it can be said that smartphones with which the software is kept up to date have no fear of permanently activated Bluetooth. However, this does not necessarily apply to older devices that may not have received updates for a long time. The problem mainly affects Android smartphones, where you have to assume that they are unpatched if they are older than three years. All iPhones on which the Corona warning app is running are up to date, even if users carry out the offered updates.
But even with elderly Android phones, the risk is probably low, since it is not worth it for ordinary criminals to attack normal users via Bluetooth. The hacker must be within Bluetooth range and put in a lot of effort without knowing if he can do much with his prey. It is not without reason that most warnings about Bluetooth vulnerabilities say that it has not yet been known that they have already been exploited.
No reason to forego the app
There is no one-hundred percent security, a residual risk remains. But that applies to all network connections. And who always disconnects their computer from the Internet when they don't need it? Caution is advised, but theoretically possible Bluetooth attacks are no reason to forego the Corona warning app, where even the Chaos Computer Club has not found any security problems. Hardly anything will change in this regard, because upcoming updates will remain under the control of the general public as an open source project.
. (tagsToTranslate) Technology (t) Corona Crisis (t) Corona Viruses (t) Apps (t) Android Apps (t) iOS Apps (t) Sars-Cov-2 (t) Covid-19 (t) Robert Koch Institute