The Magic of the Electronic Mask: COVID Exposure Notifications System Analysis

How it all started

Many friends asked me to look at a Czech application for tracking COVID-infected people called eRouška (literal translation from Czech eMask). There are a lot of rumors around this app. For example, that an evil government has decided to establish total control over its citizens and imposes this application on them. I'm not a conspiracy theorist at all, but it really got interesting. The app uses Bluetooth to communicate with other devices in range. It writes this data to its database and receives updates from the server. If there was contact with an infected person, it sends an alert. It was rumored that after this notification, they would immediately be quarantined. 

History

The first version of the application was just awful, like all applications of this type developed in different countries. The application could not get into the App Store for a very long time, only after about a month the developers managed to somehow finish it. Then it turned out that on Apple devices it didn't really work, it just consumed the battery. To register on the server, it was necessary to enter a phone number and receive an SMS on it. That already allowed the Ministry of Health to find out who had contact with the infected. This application did not receive much popularity, and the Czech government was forced to admit that the project had failed. 

Google and Apple

After looking at this mess, Google and Apple decided to work together and created their own API for writing similar applications. Which, incidentally, gave rise to the second wave of conspiracy theories. For example, after the iOS update to version 13.5, a terrible setting appeared: Exposure Notifications, and even with the coronavirus icon.

5G, , – . « ».  API  .  API   eRouška.  « » , . ,  AES, SHA-256  HMAC, !

, . , ,  Apple  Google.  Google,  Google Play. , . , . , . 

Bluetooth

«» BLE (Bluetooth Low Energy Beacon). -, . 2013  Apple  iBeacon, 2019,  iOS 13,  Find My. , . Bluetooth  broadcast , . , , - , . , . 

,  SMS- . , ,  API Exposure Notifications. .  Temporary Exposure Key (TEK) – 16 . , .  Rolling Proximity Identifier (RPI). 10 , .  TEK   HKDF  .

: RPI Key  AEM Key.  RPI  , 10- .  AEM  . , metadata  . ,  padding-  RPI .  RPI  TEK  , . 

 RPI

TEK  , , . , , .  Google Play  :

, 14:

— , . : export.bin  export.sig.  protobuf  , , ,  TEK. 14 , , 2 . , 31 , , . . 

,  TEK,  RPI   Bluetooth, . , , , , . ,  eRouška , 15 , 2 . -. . .  TEK  , « ». ,  TEK, ,  RPI, . .

. . , :

  1. . . , . , . , , . . 

  2. - , .  SMS : , ,  eRouška. . . . , . 

, : . , .  BLE  . , - , . , , , , . 

 Google Play, .  iOS , , . , 12-15% . , , . , , 15664 , 500 . - , , . 

« , …» , , . « ». , . , , . , , . , , . , iPhone  , . , , .  GPS  , , .  RPI,  BLE beacons, , . , , , . , . , -, . , , . , . 

Therefore, take care of your data. Use modern devices, set strong passwords, do not leave an unlocked device unattended. This advice is universal and will come in handy in any situation. And don't get sick, of course!

Related links:

API for Exposure Notifications

Cryptography Specification

Exposure Notification (Apple)

eRouška




All Articles