Contact Tracing and the Security of Things
The spread of Sars-Cov-2 keeps everyone on their toes, especially given the emotional state after weeks and months of physical distancing (which we recommend; social distancing has been the norm for decades). We closed our office in March and rely heavily on telecommunication. Fortunately we did not need to reinvent the Internet. Many of you have probably done the same. We hope that you manage to stay healthy until things can get back to “normal”. Speaking of communication and normality, there are some aspects of the current situation we would like to point out.
Every security conference features presentations shedding light on important tools, libraries, applications, or protocols people rely on. Humans like to communicate. The degree varies, but essentially few can do without talking, writing, hearing, or seeing stuff (i.e. messages). This is even more true for companies, governments, health care, the military, and other organisations. The spread of Covid-19 has sparked a massive interest in all things tele, remote, and networked. Suddenly the meetings need to be virtual. Applications and infrastructure for audio/video conferences and screen sharing have existed before. There is a long list of companies that offer services in this area. Then there is WebRTC (Web Real-Time Communication), an open standard for real-time communication defining a set of application programming interfaces (APIs). Additionally we have a plethora of messengers, communication systems for gamers, and web platforms integrating their share of communication. Not surprisingly, the rush on all of these solutions has sparked interest in their security. A few months ago we were fairly confident that a private meeting wouldn’t leave the room. Now the room is gone. What does this mean?
First of all, it means that not every platform held its promises. Getting end-to-end encryption right for a group chat is hard. Doing the same for real-time communication is even harder. Signalling is the next problem. How do you connect all participants? How do you make sure that only the right people are “in the room”? There are some answers to these problems, but a fair share of the conference applications suffer from a bad security design, badly maintained code, or other issues.
Secondly, the Crypto Wars come back to haunt us. The Signal developers pointed out the dangers of the US EARN IT bill. Securing communication is under attack by laws that make protection impossible. The EARN IT bill is not the only example. China, Russia, Turkey, and Australia have banned end-to-end encryption. The UK has similar laws. It’s not a good idea to turn back the clock with regards to secure communication.
Lastly, there is talk about contact tracing to get things back to “normal” faster. Of course, “There’s an app for that!” Ross Anderson thinks differently, so we recommend his article about how this works in the real world.
Well, time for the good news. The calls for papers for DeepSec 2020 and DeepINTEL 2020 are still open! If you have some time and quiet to think about your research or your ongoing projects, let us know! We already got some submissions. Current reviews look good, so we might publish the first trainings for November next week! Looking forward to hearing from you! Stay healthy!