http://dx.doi.org/10.13089/JKIISC.2020.30.5.929

A Study on the Security Evaluations and Countermeasure of Exposure Notification Technology for Privacy-Preserving COVID-19 Contact Tracing  

Lee, Hojun (Korea University School of Cybersecurity)
Lee, Sangjin (Korea University School of Cybersecurity)
Abstract
Various methods are being proposed to trace the movements of people infected with COVID-19 while protecting personal privacy. Among them, 'Exposure Notification', released by Apple and Google, follows a decentralized approach using Bluetooth. However, the technology requires Bluetooth to be turned on at all times, which can create a variety of security threats. In this paper, a security assessment of 'Exposure Notification' was therefore performed by applying the 'STRIDE' and 'LINDDUN' threat modeling techniques to derive all possible threats. The paper also derives countermeasures from the assessment results and presents a new model with improved security based on them.
Keywords
COVID-19; Contact Tracing; Threat Modeling; STRIDE; LINDDUN;