In Switzerland, the security of the SwissCovid application, which has been tested since the beginning of the month with certain categories of the population, raises questions. The Federal Office of Computing and Telecommunications and the Confederation’s IT Intervention Group have judged that the contact tracking application offers a high degree of security and protection of privacy, reports the agency. press release.
But on the other hand, two cryptography experts have pointed out a risk of hacking. According to the analysis of Serge Vaudenay, researcher at the Federal Polytechnic School of Lausanne (EPFL), and Martin Vuagnoux, of the company Base23, the problem affects the API of Apple and Google which is operated by SwissCovid. According to them, “The data broadcast by Bluetooth can be modified maliciously”, which can lead to attacks by spreading false positives.
“Anyone can listen to the Bluetooth“ postilions ”that you emit. Even more than 10 meters away or even remotely via other applications. For example I can pick them up, see them, filter them. I detect those associated with SwissCovid. With a piece of code, I can modify them and I can store them and I have two hours to transmit them to other places in the city ”, explains Paul-Olivier Dehaye, another Swiss expert, to RTS.
Malandrins could exploit this vulnerability to spread false positives to certain places in order to close them or unnecessarily isolate their employees.
EPFL, at the origin of the SwissCovid app but also of the technical solution proposed by Apple and Google, and the Confederation declared to RTS that the risk was known and would be investigated. A report is planned at the end of the experimentation phase.
In addition, it is this week that Germany will launch its contact tracking application, said the country’s Minister of Health. Developed in particular by Deutsche Telekom and SAP, it will be based on the API of Apple and Google.