GAEN, an API Google and Apple co-developed to curb the spread of COVID-19, has been running like clockwork since May. As a matter of fact, it seems to be working too well.
Which is one way to reflect on the cybersecurity scrutiny it’s been been attracting as of late. In fact, things already escalated to the point that GAEN is considered a legitimate threat to democratic processes. That label is equally applicable to both the U.S. and most other parts of the world.
Which is hardly surprising seeing how the API has so far been used for launching dozens of contact-tracing apps.
Yet none of that explains how GAEN – short for Google-Apple Exposure Notification – supposedly threatens democratic elections.
That particular issue was best framed by three New York-based scholars specializing in physics and cryptography. In an in-depth scientific analysis published this week, the said trio explained how GAEN-powered notifications could easily be abused, i.e. faked.
Since the API shares no personally identifiable information, it lives and dies by the procedurally generated and randomly exchanged Bluetooth keys it uses for identifying confirmed cases in one’s vicinity. Yeah, about that…
GAEN deemed a threat because of notifications
It turns out that obtaining a legitimate Temporary Exposure Key (TEK) through illegitimate means is far from impossible, the analysis explains. An attacker could consequently dispatch immeasurable volume of false exposure detection alerts. Contents aside, a potential hacker’s ability to time this false-flag operation is even more concerning. Not to mention completely unavoidable: you can always stop your GAEN-powered contact-tracing app from sharing your anonymous data.
Naturally, vice versa also applies, giving a potential attacker full control over the timing of the false notification pings. Based on that train of thought it’s easy to imagine a setup aimed at scaring unsuspecting voters away from polling places.
It’s nowhere near being an active election threat
Which isn’t to say large-scale voter-suppression is high on the list of risks associated with GAEN. In spite of its highly demonstrable nature, no one’s losing sleep over attempts to solve this attack vector. Because the likelihood of it leading to an actual malicious attempt at subverting the November 3rd elections are pretty slim.
Just like you wouldn’t eat soup with a fork, you wouldn’t attempt meaningful voter suppression through GAEN. “Meaningful” being “making a difference in the end.” If we’re simply talking doing enough to invite felony charges, than yes, GAEN alone would do. That about sums up the early peer review efforts concerning this analysis.
Ironically, the easiest way to mitigate this theoretical election risk would be doing away with the API’s anonimity. Because if any third party was privy to the aforementioned Bluetooth key exchanges, it’d be able to verify the legitimacy of any such communications. Of course, a shift to a blockchain structure would do the same while preserving user anonimity, though it’s far from the easiest thing to code. As expected, Google and Apple prioritized speed of deployment above everything else while developing GAEN.
Again, none of this precludes continued usage of GAEN and similar APIs. Because there’s still no end in sight to any vaccine development efforts. Which places religious contact tracing near the top of anyone’s list of best pandemic practices. Besides social distancing, itself, of course.