Exploit for Corona Exposure Notifications API Data Leakage CVE-2020-24721

Name: Exploit for Corona Exposure Notifications API Data Leakage CVE-2020-24721
Rating: 5 (125 reviews)
2020-09-30 | CVSS -0.1
## https://sploitus.com/exploit?id=PACKETSTORM:159419
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
  
(Corona) Exposure Notifications API  
for Apple iOS and Google Android  
risk of coercion/data leakage  
post notification  
  
CVE-2020-24721 / CVSS v3.1 score: 5.9  
AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:H/RL:U/RC:C/CR:H/IR:L  
AR:L/MAV:P/MAC:L/MPR:L/MUI:R/MS:U/MC:H/MI:N/MA:N  
  
1.12  
  
The Corona/COVID-19 Exposure Notifications API allows for the  
decentralised, highly (pseudo)anonymous notifcation of exposure to  
people that where considered (usuall based on a lab test) infectious   
in a certain period of time. And where both the receiver of the   
notification and the infected person (index) were near to each   
other for a sufficently long time. And both had this technology   
enabled on their phone.  
  
In order to prevent this technology to be used 'against' the user it is  
important that any implementation puts privacy, and control over, that  
privacy with the user.  
  
This includes protecting the users against coercion; i.e. preventing the  
situation were the user is put in a position where he or she is forced  
to reveal wether or not they have had a (recent) infection notifcation  
or not.  
  
As it stands - most (European) implementations in general, and the Dutch  
implementation specifically, are such that the user can 'swipe away' a  
exposure notifcation. And once this is done - the app reverts to its  
exact same behaviour as prior to that notification. With no evidence or  
data left behind that this user has had this notification (or not).  
  
However - the actual data and Exposure Notifications are not fully under  
control, or part of these implementations. Instead - it is handled in a  
closed part of either iOS or Android its private frameworks. And the  
respective vendors do not allow control over this (or the data) by the  
implementations.  
  
The result of this is that 'state' is left behind; even (or especially)  
when the user deletes his or her app for the phone.   
  
This means that an attacker (e.g. an employer, law enforcement, spouse,  
etc) can force the user to 'prove' wether he or she had (or had not) an  
notification. For example by insisting that the target deletes the app  
of their phone; re-installs it and then waits sufficently long for the  
app to re-download the data of the past 14 days, re-calculate wether  
there has been a notifcation and observe wether the person had, or did  
not have a notification.  
  
There are some sublte differences in how this manifests itself.  
  
a) Scenario google.  
  
When a match is made & reported by the framework; the RPI that   
made that match is not deleted from the private store of   
the OS/Framework.  
  
The prelude to an example attack is for a user that wants to hide   
the fact that he or she had a notification (or want hide the  
fact that they had none - while claiming to have had so).  
  
1) user installs app, gets a matching TEK on that RPI on day 20 &   
warning that he or she was near an infected user on day 18.  
  
Users swipes warning away.  
  
Example attack scenario is then:  
  
2) Someone with sufficent coercion powers wipes the  
application storage on day 20 (up to day 31).   
  
3) App is restarted.. App auto redownloads app TEKs for the  
past 14 days.  
  
The RPI of day 18 is still in this window.  
  
And the app _again_ shows that warning as the RPI is  
still present on the phone.  
  
b) Apple Scenario  
  
When a match is made & reported by the framework; the RPI that   
made that match is not deleted from the private store of   
the OS/Framework.  
  
The prelude to an example attack is for a user that wants to hide  
the fact that he or she had a notification (or want hide the  
fact that they had none - while claiming to have had so).  
  
1) user installs app, gets a matching TEK on the RPI   
on day 20 & warning that he or she was near an   
infected user on day 18. Users swipes warning away.  
  
2) User wants to hides this and deinstalls the app.  
  
Example attack scenario is then:  
  
2bis) Or attacker deinstalls the app.  
  
3) Someone with sufficent coercion powers reinstalls  
the app on day 20 (up to day 31).   
  
3) App is started.. App auto redownloads app TEKs  
for the past 14 days.  
  
The RPI of day 18 is still in this window.  
  
And the app _again_ shows that warning   
  
Versions affected:   
- - ------------------  
All known versions up to and including 1.5  
  
Resolution:  
- - -----------  
None at this time. Possible solutions by the vendors could  
include deletion of the RPI upon the reporting the match (much  
like the TEKs need to change after upload) and/or deletion of  
all the received RPIs when the app is deleted.   
  
Mitigations and work arounds:  
- - -----------------------------  
None at this time - apart from raising general awareness in the  
general case. For the Netherlands - specifically; the introduction  
of law and regulation, including sanctions; the creation of a   
helpdesk/enforcement team at the Justice department to go after  
the offenders and target information campaigns & FAQs.  
  
Credits and timeline  
- - --------------------  
Variations of this flaw have been documented by the DP3T team in their  
academic paper. It was found it the Apple/Google implementations during  
the build of the dutch 'Corona Melder' app (https://github.com/minvws).  
  
2020-01-18 first known description of this class of issues  
2020-04-03 first paper by DP3T team published.  
2020-05-06 confirmation of this issue with Google  
2020-05-07 confirmation of this issue with Apple  
2020-08-13 final written/formal questions sent on request (#115   
and 115.bis) as a vulnerability report.  
2020-08-13 confirmation vendor.  
2020-08-27 CVE issues by MITRE  
2020-09-13 Request vendor to provide CVE/start FD.  
2020-09-15 Versions under embargo sent to google/apple. Confirmation  
of receipt and reference # for both received.  
2020-09-15 Full disclosure timeline setting process started.  
2020-09-22 Reminder to google/apple & request to submit their  
preferred timeline/disclosure approach.   
2020-09-25 Deadline to provide timeline preferences and  
feedback passed.  
2020-09-29 Vendor informed that public disclosure is imminent.  
  
History  
- - -------  
1.09 2020-09-15 version submitted to vendors.  
1.10 2020-09-17 corrected 'prelude'; 'notification' rather than   
being an index.  
1.11 2020-09-29 full public disclosure  
  
Common Vulnerability Scoring (Version 3) and vector  
- - ---------------------------------------------------  
CVSS v3.1 score: 5.9  
AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:H/RL:U/RC:C/CR:H/IR:L  
AR:L/MAV:P/MAC:L/MPR:L/MUI:R/MS:U/MC:H/MI:N/MA:N  
  
CVSS Base Score: 5.7  
Impact Subscore: 5.2  
Exploitability Subscore: 0.5  
CVSS Temporal Score: 5.7  
CVSS Environmental Score: 5.9  
Modified Impact Subscore: 5.4  
Overall CVSS Score: 5.9  
  
1.12 / : 7901 $  
  
-----BEGIN PGP SIGNATURE-----  
  
iQEzBAEBCAAdFiEEdPSK0DAQPzUEfWzM7HvYsRM7ZKIFAl9zodYACgkQ7HvYsRM7  
ZKIctgf/arovCQHSz8tbXN2yQHswk4bR1Haut5HR8wI+GG/JzCCRk7MBiCxOeQJc  
f/+cYUCHYD63bpk+gMoj1H2p+wniEqBYxpMOvGcEPMhPprSqGTkYLQym19OJEG7X  
I61LXll2gxYNkYqz+ZeWmQvZ6r52NA4IJjP5wVYMXNtbyN5rpbTL/g+avBxtP2/N  
Wuu9IdW8iTWQGVI8i5FoXmBaEHFjwGMOMW7HChpC5/ZKEEiCPYOyfK8Lr6J6XORa  
4J2KK2GYufG/cJ74JF0/IIKcdI7/KABiP4OCiiIf70h/lg7I2qpIK7oJ5gw23y3i  
IPh8a0FzYDSBYkwIHK/qP+nHezLwuw==  
=zNdY  
-----END PGP SIGNATURE-----