July 30 2020 - Today a patch for the backend of the SwissCovid app was released on GitHub (https://github.com/DP-3T/dp3t-sdk-backend/security/advisories/GHSA-5m5q-3qw2-3xf3). It fixes a problem with the signature verification in the JSON Web Token (JWT alg: none). The backend of the SwissCovid app has been running at this patch level since Monday July 27 2020.
July 17 2020 - The technical team at BIT/OFIT has resolved a security issue in the SwissCovid app today. This security issue led to an early exposure of keys.
- All "future keys" have been purged from the database and are no longer available for download and processing by mobile phones. The purge was completed Friday 17.7 at 14:55.
- The root cause of the problem has been identified in an internal script. The daily 10 "fake keys" have also been disabled.
- A patch to dp3t-backend on GitHub will be issued to either permanently disable the "fake key" flag or ensure that it only generates keys in the past.
We want to express our thanks to Paul-Olivier Dehaye for his responsible disclosure.
The final report of the public security test can be found here:
CSIRT FOITT and GovCERT.ch have tested all components of the Swiss Proximity Tracing System for several weeks. A Risk Estimation and Recommendations can be found here:
The following appendix gives an overview of the vulnerabilities CSIRT FOITT and GovCERT.ch have found and passed to the project for fixing.
During the public security test, various testers mentioned that the risk of so-called replay attacks exists and could pose a serious threat to the application. We would like to shed some light on these attacks in order to show the actual threat that may originate from them.
Since report [INR-4434] contains a bundle of topics, we have compiled them and assessed them separately. You can find our summary here:
Last modification 30.07.2020