BEGIN:VCALENDAR
VERSION:2.0
PRODID:IEEE vTools.Events//EN
CALSCALE:GREGORIAN
BEGIN:VTIMEZONE
TZID:MST
BEGIN:STANDARD
DTSTART:19671029T010000
TZOFFSETFROM:-0600
TZOFFSETTO:-0700
TZNAME:MST
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20210827T043446Z
UID:62250D8B-1B29-4557-BF5E-5494C3687872
DTSTART;TZID=MST:20210826T160000
DTEND;TZID=MST:20210826T170000
DESCRIPTION:Proximity tracing apps have been proposed as an aid in dealing 
 with the COVID-19 crisis. Some of those apps leverage attenuation of Bluet
 ooth beacons from mobile devices to build a record of proximate encounters
  between a pair of device owners. The underlying protocols are known to su
 ffer from false positive and re-identification attacks.\n\nDr. Joel Reardo
 n\, Assistant professor at the University of Calgary\, presents evidence t
 hat the attacker's difficulty in mounting such attacks has been overestima
 ted. Indeed\, an attacker leveraging a moderately successful app or SDK wi
 th Bluetooth and location access can eavesdrop and interfere with these pr
 oximity tracing systems at no hardware cost and perform these attacks agai
 nst users who do not have this app or SDK installed. We describe concrete 
 examples of actors who would be in a good position to execute such attacks
 .\n\nHe further presents a novel attack\, namely a biosurveillance attack\
 , which allows the attacker to monitor the exposure risk of a smartphone u
 ser who installs their app or SDK but who does not use any contact tracing
  system and may falsely believe they have opted out of the system.\n\nThro
 ugh traffic auditing with an instrumented testbed\, he characterizes preci
 sely the behaviour of one such SDK that he found in a handful of apps but 
 installed on more than one hundred million mobile devices. Its behaviour i
 s functionally indistinguishable from a re-identification or biosurveillan
 ce attack and capable of executing a false positive attack with minimal ef
 fort. He also discusses how easily an attacker could acquire a position co
 nducive to such attacks by leveraging the lax logic for granting permissio
 ns to apps in the Android framework: any app with some geolocation permissi
 on could acquire the necessary Bluetooth permission through an upgrade\, w
 ithout any additional user prompt.\n\nSpeaker(s): Joel Reardon\, \n\nVirtu
 al: https://events.vtools.ieee.org/m/278520
LOCATION:Virtual: https://events.vtools.ieee.org/m/278520
ORGANIZER:alireza.imani@ucaglary.ca
SEQUENCE:15
SUMMARY:Proximity Tracing in an Ecosystem of Surveillance Capitalism
URL;VALUE=URI:https://events.vtools.ieee.org/m/278520
END:VEVENT
END:VCALENDAR

