Analysis of SwissCovid

We present an analysis of the SwissCovid application, which is currently being tested. We observe that the essential part of SwissCovid is under the control of Apple and Google. Outsourcing the heart of SwissCovid to Apple and Google has apparent benefits in terms of security but drawbacks in terms of transparency, flexibility, and sovereignty. We observe that SwissCovid is far from being open source. The source code is kept by Microsoft. The protocol is implemented and controlled by Apple and Google. The server is hosted by Amazon. The current information suffers from unclear or incorrect statements. We confirm some of the threats which had been identified before. Users may be traced or identified by third parties while tracing is on. Diagnosed users who report using SwissCovid risk being identified by a third party. Malicious users may create false encounters and inject false at-risk notifications on targeted phones. They could abuse the system to have vacations paid by authorities by self-injecting false alerts. Diagnosed users could be corrupted into selling a covidcode, which would ease those attacks. Malicious apps could collect more information or do the job of SwissCovid outside of any control, and on behalf of a third party, even though SwissCovid is deactivated.


Year
Jun 16 2020
Note:
This report was submitted on 5.6.2020 to https://www.melani.admin.ch/melani/en/home/public-security-test/infos.html




Record created on 2020-06-16, modified on 2020-06-17
