Turkey’s Contact Tracing Infrastructure From Security and Privacy Perspective

Öz

Contact tracing applications may lead to security and privacy concerns. Turkey’s contact tracing application (Hayat Eve Sığar, abbreviated as HES), which is introduced during COVID-19 pandemic, have not been covered yet for its security and privacy features. Comparison of HES with the existing cutting-edge contact tracing approaches could be used to analyse and determine the features of HES. Comparison indicated the undocumented security and privacy features of HES and revealed a set of vulnerabilities that could cause serious attacks. Mitigation techniques against vulnerabilities are proposed but current HES application includes serious attacks that could be performed by an insider or an outsider. The analysis emphasized to be considered in the design of similar applications that will emerge in the future.

Anahtar Kelimeler

• contact tracing
• security and privacy
• HES
• Hayat Eve Sığar

Güvenlik ve Mahremiyet Perspektifinden Türkiye’nin Temaslı Takip Uygulaması

Öz

Temas takip uygulamaları güvenlik ve kişisel bilgilerin kötüye kullanımı endişelerine yol açabilir. Türkiye'nin COVID-19 pandemisi sırasında kullanıma sunduğu temas takip uygulaması Hayat Eve Sığar (kısaltılmış hâli ile HES), güvenlik ve kişisel bilgilerin gizliliği gözetilerek henüz ele alınmamıştır. HES'in özellikleri kamuya duyurulmadığından bunların belirlenmesi için var olan temas takip yaklaşımları ile HES karşılaştırılarak uygulamanın çözümlenmesine çalışılmıştır. Bu karşılaştırma, HES'in güvenlik ve kişisel bilgilerin kötüye kullanılabilirliği açılarından özelliklerini göstermiş böylece HES'in dikkate alınması gereken açıklarını da ortaya çıkarmıştır. Bu çalışmada, HES'in güvenlik açıklarını azaltabilecek çözüm ve teknikler önerilmiştir. Bununla birlikte, kullanımdaki son HES uygulamasının tasarımından kaynaklı veri yetkilisinden ya da çevreden kaynaklanabilecek ihlaller içermektedir. Bu çözümleme ile önümüzdeki yıllarda ortaya çıkacak benzer uygulamaların tasarımında dikkat edilmesi gereken konulara dikkat çekilmiştir.

Anahtar Kelimeler

• temaslı takip
• güvenlik ve mahremiyet
• HES
• Hayat Eve Sığar

Kaynakça

1. [1] H. Wen, Q. Zhao, Z. Lin, D. Xuan, and N. Shroff, “A study of the privacy of covid-19 contact tracing apps,” International Conference on Security and Privacy in Communication Systems, 297–317, (2020).
2. [2] Çakan, “Salgın hastalıkların yayılmasında yüksek riskli bireylerin dikkate alındığı bir matematiksel modelin analizi,” Politeknik Dergisi, 24: 1205–1211, (2021).
3. [3] Z. Yilmazoglu and A. Demircan, “Covid-19 sürecinde mevcut hastanelerde mekanik sistemlerinde alınması gereken Önlemler ve tecrübeler,” Politeknik Dergisi, 26: 93–106, (2023).
4. [4] M. Zastrow, “South Korea is reporting intimate details of COVID-19 cases: has it helped?,” Nature, (2020).
5. [5] C. Lefévre, “Optimal control of a birth and death epidemic process,” Operations Research, 29: 971–982, (1981).
6. [6] Q. Tang, “Privacy-preserving contact tracing: current solutions and open questions,” Cryptology ePrint Archive, (2020).
7. [7] S. Vaudenay, “Analysis of DP3T.” Cryptology ePrint Archive, (2020).
8. [8] T. Martin, G. Karopoulos, J. L. Hernández-Ramos, G. Kambourakis, and I. N. Fovino, “Demystifying COVID-19 Digital Contact Tracing: A Survey on Frameworks and Mobile Apps,” Wireless Communications and Mobile Computing, 2020: 1–29, (2020).

9. [9] M. Shukla, R. M. A, S. Lodha, G. Shroff, and R. Raskar, “Privacy guidelines for contact tracing applications.” arXiv preprint arXiv:2004.13328, (2020).
10. [10] J. Bay, J. Kek, A. Tan, C. S. Hau, L. Yongquan, J. Tan, and T. A. Quy, “BlueTrace: A privacy-preserving protocol for communitydriven contact tracing across borders.” Government Technology Agency-Singapure, Tech. Rep 18, (2020).
11. [11] J. Chan, D. Foster, S. Gollakota, E. Horvitz, J. Jaeger, S. Kakade, T. Kohno, J. Langford, J. Larson, P. Sharma, et al., “PACT: Privacy Sensitive Protocols and Mechanisms for Mobile Contact Tracing.” arXiv preprint arXiv:2004.03544, (2020).
12. [12] R. Sun, W. Wang, M. Xue, G. Tyson, S. Camtepe, and D. Ranasinghe, “An Empirical Assessment of Global COVID-19 Contact Tracing Applications.” 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), (2021).
13. [13] N. Ahmed, R. A. Michelin, W. Xue, S. Ruj, R. Malaney, S. S. Kanhere, A. Seneviratne, W. Hu, H. Janicke, and S. K. Jha, “A survey of covid-19 contact tracing apps,” IEEE access, 8: 134577–134601, (2020).
14. [14] S. Vaudenay, “Centralized or Decentralized? The Contact Tracing Dilemma.” Cryptology ePrint Archive, (2020).
15. [15] Fraunhofer AISEC, “Pandemic Contact Tracing Apps: DP-3T, PEPPPT NTK, and ROBERT from a Privacy Perspective.” Cryptology ePrint Archive, (2020).
16. [16] J. Li and X. Guo, “Global deployment mappings and challenges of contacttracing apps for covid-19,” Available at SSRN 3609516, (2020).
17. [17] J. Bell, D. Butler, C. Hicks, and J. Crowcroft, “TraceSecure: Towards Privacy Preserving Contact Tracing.” arXiv preprint arXiv:2004.04059, (2020).
18. [18] M. Veale, “Analysis of the nhsx contact tracing app ‘isle of wight’data protection impact assessment.” (2020).
19. [19] H. Cho, D. Ippolito, and Y. W. Yu, “Contact Tracing Mobile Apps for COVID-19: Privacy Considerations and Related Trade-offs.”arXiv preprint arXiv:2003.11511, (2020).
20. [20] D. J. Leith and S. Farrell, “Coronavirus Contact Tracing App Privacy: What Data Is Shared by the Singapore OpenTrace App?,” Security and Privacy in Communication Networks: 16th EAI International Conference , 80–96, (2020).
21. [21] L. Baumgärtner, A. Dmitrienko, B. Freisleben, A. Gruler, J. Höchst, J. Kühlberg, M. Mezini, R. Mitev, M. Miettinen, A. Muhamedagic, et al., “Mind the GAP: Security & privacy risks of contact tracing apps,” IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications, 458–467, (2020).
22. [22] P. H. O’Neill, T. Ryan-Mosley, and B. Johnson, “A flood of coronavirus apps are tracking us. Now it’s time to keep track of them..” https://www.technologyreview.com/2020/05/07/1000961/ launching-mittr-covid-tracing-tracker, (2020).
23. [23] C. Zuo, H. Wen, Z. Lin, and Y. Zhang, “Automatic fingerprinting of vulnerable ble iot devices with static uuids from mobile apps,” Conference on Computer and Communications Security, 1469–1483, (2019).
24. [24] W. Beskorovajnov, F. Dörre, G. Hartung, A. Koch, J. Müller-Quade, and T. Strufe, “ConTra Corona: Contact Tracing against the Coronavirus by Bridging the Centralized–Decentralized Divide for Stronger Privacy,” Advances in Cryptology–ASIACRYPT 2021: 27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, (2021).
25. [25] S. Vaudenay, “Video surveillance + DP-3T ISSUE #121.” https://web.archive.org/web/20220323142550/https://github.com/DP-3T/documents/issues/121.
26. [26] Republic of Turkey Ministry Of Health, “Hes.” https://web.archive. org/web/20220323143858/https://hayatevesigar.saglik.gov.tr/ gizlilik_politikasi_eng_index_V2.html.
27. [27] M. P. Jhanwar and S. Sarkar, “PHyCT: Privacy preserving Hybrid Contact Tracing.” Cryptology ePrint Archive, (2020).
28. [28] O. Seiskari, “corona-sniffer: Contact Tracing BLE sniffer PoC.” https://web.archive.org/web/20220323143722/https://github. com/oseiskar/corona-sniffer.
29. [29] A. K. Mishra, A. C. Viana, and N. Achir, “SimBle: Generating privacy preserving real-world BLE traces with ground truth.” arXiv preprint arXiv:2101.11728, (2021).
30. [30] G. Kambourakis, “Anonymity and closely related terms in the cyberspace: An analysis by example,” Journal of information security and applications, 19: 2–17, (2014).
31. [31] I. Ozcelik, “Capen: Cryptographic accumulator based privacy preserving exposure notification,” 9th International Symposium on Digital Forensics and Security, 1–6, (2021).
32. [32] F. Brandt, “Efficient cryptographic protocol design based on distributed el gamal encryption,” International Conference on Information Security and Cryptology, 32–47, (2005).
33. [33] K. Pietrzak, “Delayed authentication: Preventing replay and relay attacks in private contact tracing,” International Conference on Cryptology, India, 3–15, (2020).
34. [34] “Hamagen, israel’s ministry of health’s covid-19 exposure prevention app..” https://web.archive.org/web/20230323113357/https:// github.com/MohGovIL/hamagen-react-native, (2020).
35. [35] C. Castelluccia, N. Bielova, A. Boutet, M. Cunche, C. Lauradoux, D. L. Métayer, and V. Roca, “Desire: A third way for a european exposure notification system leveraging the best of centralized and decentralized systems,” arXiv preprint arXiv:2008.01621, (2020).
36. [36] H. Xu, L. Zhang, O. Onireti, Y. Fang, W. J. Buchanan, and M. A. Imran, “BeepTrace: Blockchain-Enabled Privacy-Preserving Contact Tracing for COVID-19 Pandemic and Beyond,” IEEE Internet of Things Journal, 8: 3915–3929, (2020).