Analysis of SwissCovid

We present an analysis of the SwissCovid application which is currently being tested. We observe that the essential part of SwissCovid is under the control of Apple and Google. Outsourcing the heart of SwissCovid to Apple and Google has apparent benefits in terms of security but drawbacks in terms of transparency, flexibility, and sovereignty. we observe that SwissCovid is far from being open source. The Source code is kept by Microsoft. The protocol is implemented and controlled by Apple and Google. The server is hosted by Amazon. The current information suffers from unclear or incorrect statements. We confirm some of the threats which had been identified before. Users may be traced or identified by third parties while tracing is on. Diagnosed users who report using SwissCovid have a risk to be identified by a third party. Malicious users may create false encounters and inject false at-risk notifications on targeted phones. They could abuse the system to have vacations paid by authorities by self-injecting false alerts. Diagnosed users could be corrupted to sell a covidcode which would ease those attacks. Malicious apps could collect more information or do the job of SwissCovid outside of any control, and on behalf of a third party, even though SwissCovid is deactivated.


Year:
Jun 16 2020
Keywords:
Note:
This report was submitted on 5.6.2020 to https://www.melani.admin.ch/melani/en/home/public-security-test/infos.html
Additional link:
Laboratories:


Note: The status of this file is: Anyone


 Record created 2020-06-16, last modified 2020-06-17

Fulltext:
Download fulltext
PDF

Rate this document:

Rate this document:
1
2
3
 
(Not yet reviewed)