Digital tracing: Bluetooth as the weak link
Mobile tracing continues to make a name for itself.
Mobile tracing is seen as a way to help contain the pandemic, but a significant vulnerability has recently been raised regarding one of its key tools: Bluetooth. This technology had been envisioned as the core of the application, but it could be more problematic than it looks. Indeed, leaving Bluetooth constantly activated, especially on devices that have not been updated for quite some time, could expose them to potential computer attacks. It must be admitted that, since the beginning of the project, the use of Bluetooth for the operation of the government's application has not met with unanimous approval among specialists. For these experts, and based on practice, Bluetooth does not have a very good reputation in terms of computer security: the network is not robust.
It is also vulnerable to several forms of cyberattack. Even the National Information Systems Security Agency (ANSSI) has tended to point out the weaknesses of Bluetooth. The de facto French cybersecurity watchdog describes them on its website, and has done so on several occasions. In its 2018 recommendations on digital nomadism, ANSSI advised: "disable services that are not business-necessary and potentially pose a source of threats, such as geolocation, Bluetooth, NFC 6, etc." The future application therefore poses a problem: it requires Bluetooth to be activated at all times. Otherwise, the information cannot be collected and shared properly. To sum up, judged against ANSSI's security recommendations, the future application will put users at greater risk.
To draw attention to the danger posed by StopCovid, a group of 15 researchers specializing in cybersecurity or computer law recently published an analysis of the adverse effects of the tracking application. The analysis in question was titled "Anonymous tracing, dangerous oxymoron." It reads: "Its use can indeed open security vulnerabilities that would exploit bugs in the phone's Bluetooth system. Concretely, the BlueBorne attack published in 2017 allowed attackers to take control of many devices (computers, telephones, …) by exploiting this type of bug. If some phones haven't been updated since 2017, activating Bluetooth could be very dangerous!"
It must also be taken into account that this technology (created since 1994) was not designed for such conditions. It was developed cheaply, and security was not really a founding concern. "Bluetooth is based on an ancient foundation of standards. This is not currently a protocol associated with good quality in terms of safety. The original goal was to be an open technology by nature, in order to allow an object to connect very easily at a short distance and without user intervention. Bluetooth was not secured from the start for current requirement levels," explains Loïc Guézo, an expert in computer security and general secretary of the French information security club, "Le Clusif."
Many smartphones are equipped with this technology, and a very large share of them have not been updated for a very long time. Vulnerabilities are bound to be part of the picture. This is the main risk of deploying the French government's tracking application. There are smartphones in circulation that do not have the latest version of Bluetooth. "Some terminals, either because they are too old or because they are entry-level terminals, cannot benefit from the latest updates," explains David Legeay, co-founder of Sylink, a security solutions provider.
Tools for taking advantage of Bluetooth vulnerabilities do exist. Using some of them does not even require basic knowledge of computer hacking. David Legeay even says: "Some of these tools are even available for free on the net."