Contact Tracing Apps (CTAs) have been developed to contain the coronavirus disease 19 (COVID-19) spread. By design, such apps invade their users' privacy by recording data about their health, contacts, and partially location. Many CTAs frequently broadcast pseudorandom numbers via Bluetooth to detect encounters. These numbers are changed regularly to prevent individual smartphones from being trivially trackable. However, the effectiveness of this procedure has been little studied. We measured real smartphones and observed that the German Corona-Warn-App (CWA) exhibits a device-specific latency between two subsequent broadcasts. These timing differences provide a potential attack vector for fingerprinting smartphones by passively recording Bluetooth messages. This could conceivably lead to the tracking of users' trajectories and, ultimately, the re-identification of users.

翻译：接触追踪应用（Contact Tracing Apps, CTAs）已被开发用于遏制2019冠状病毒病（COVID-19）的传播。在设计上，此类应用通过记录用户的健康信息、接触情况及部分位置数据，侵害了用户的隐私。许多CTAs通过蓝牙频繁广播伪随机数来检测相遇情况，这些数字会定期变更，以防止个体智能手机被轻易追踪。然而，该流程的有效性尚未得到充分研究。我们对真实智能手机进行了测量，观察到德国Corona-Warn-App（CWA）在两次连续广播之间展现出设备特定的延迟。这些时序差异为通过被动记录蓝牙消息来对智能手机进行指纹识别提供了潜在攻击向量，进而可能导致用户轨迹被追踪，甚至最终实现用户的重识别。