CVE-2020-26230
📋 TL;DR
This vulnerability in Spain's Radar COVID app allowed network observers to identify users who tested positive for COVID-19 by monitoring app traffic. Only positive users uploaded data to servers, creating a unique traffic pattern that could be detected by ISPs, mobile operators, or anyone on the same network. The vulnerability also enabled potential de-anonymization by correlating this traffic with other identifiable user information.
💻 Affected Systems
- Radar COVID (Spain's official COVID-19 exposure notification app)
📦 What is this software?
Radar Covid Backend Dp3t Server by Radarcovid
Radarcovid by Radarcovid
⚠️ Risk & Real-World Impact
Worst Case
Attackers identify COVID-positive individuals and link them to personal identities, enabling targeted harassment, discrimination, or social engineering attacks based on health status.
Likely Case
Network operators or public WiFi providers detect which users are COVID-positive, potentially violating privacy but without personal identification.
If Mitigated
With dummy traffic implementation, all users generate similar traffic patterns, making positive users indistinguishable from others.
🎯 Exploit Status
Exploitation requires network monitoring capability but no authentication or special tools. Any on-path observer can detect the traffic pattern difference between positive and negative users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version:
- iOS: 1.0.8 (uniform distribution) or 1.1.0 (exponential distribution)
- Android: 1.0.7 (uniform distribution) or 1.1.0 (exponential distribution)
- Backend: 1.1.2-RELEASE
Vendor Advisory: https://github.com/RadarCOVID/radar-covid-android/security/advisories
Restart Required: Yes
Instructions:
1. Update the Radar COVID app from the official app stores (Apple App Store or Google Play Store).
2. Ensure the app restarts after the update.
3. Verify backend systems are updated to version 1.1.2-RELEASE or later.
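An added simulation (not Radar COVID's own code) of why the dummy-traffic fix works: it models the vulnerable behaviour, where only positive users ever reach the upload endpoint, beside the fixed behaviour, where every client sends upload-sized requests at exponentially distributed intervals, and measures how well a passive on-path observer's "any upload means positive" rule does in each case. The schedule parameters, padding size and 72-hour horizon are assumptions, not values from the patches.

```python
import random
from dataclasses import dataclass

# Assumed model of the fix this page describes (constructed; not Radar COVID's code):
# after the fix every client, infected or not, sends upload-shaped requests at
# random intervals, so "has this device uploaded?" no longer reveals a diagnosis.

UPLOAD_BYTES = 2048  # constructed: dummy and real uploads padded to one size


@dataclass(frozen=True)
class Upload:
    t_hours: float   # time since install
    size: int        # bytes on the wire, visible to an on-path observer
    is_real: bool    # genuine TEK upload; never visible on the network


def exponential_schedule(rng, horizon_h, mean_interval_h):
    """Upload times with exponentially distributed gaps (the 1.1.0 scheme)."""
    times, t = [], rng.expovariate(1.0 / mean_interval_h)
    while t < horizon_h:
        times.append(t)
        t += rng.expovariate(1.0 / mean_interval_h)
    return times


def client_traffic(rng, positive, horizon_h, mean_interval_h, dummy_traffic):
    """Uploads one client emits over the horizon, with or without the fix."""
    if not dummy_traffic:
        # Vulnerable behaviour: only a positive user ever talks to the upload endpoint.
        return [Upload(rng.uniform(0, horizon_h), UPLOAD_BYTES, True)] if positive else []
    times = exponential_schedule(rng, horizon_h, mean_interval_h)
    if positive and not times:
        times = [rng.uniform(0, horizon_h)]  # the real upload still has to happen
    real_idx = rng.randrange(len(times)) if positive else -1
    return [Upload(t, UPLOAD_BYTES, i == real_idx) for i, t in enumerate(times)]


def observer_guess(uploads):
    """The passive observer's rule: any upload-sized request => flag device as positive."""
    return any(u.size >= UPLOAD_BYTES for u in uploads)


def observer_accuracy(seed, dummy_traffic, horizon_h=72.0, mean_interval_h=24.0, trials=200):
    """Fraction of devices whose status the observer's rule gets right (0.5 = coin flip)."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        for positive in (True, False):
            seen = client_traffic(rng, positive, horizon_h, mean_interval_h, dummy_traffic)
            correct += observer_guess(seen) == positive
    return correct / (2 * trials)
```

Without dummy traffic the rule is right every time; with it, nearly every negative device also uploads, so the rule degrades to little better than a coin flip, which is the property the "Verify Fix Applied" step below checks for on real traffic.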
🔧 Temporary Workarounds
Disable app network usage
Android: Prevent the app from communicating with servers to avoid traffic pattern detection
Settings > Apps > Radar COVID > Mobile data & Wi-Fi > Disable background data
Use VPN with encrypted traffic
All platforms: Route all app traffic through a trusted VPN to obscure traffic patterns from local network observers
🧯 If You Can't Patch
- Uninstall the vulnerable app version and use alternative exposure notification methods
- Only use the app on trusted, private networks and avoid public WiFi or cellular data
🔍 How to Verify
Check if Vulnerable:
Check app version in settings: iOS: Settings > Radar COVID > Version; Android: Settings > Apps > Radar COVID > App info > Version
Check Version:
iOS: No command line; check in app settings.
Android: adb shell dumpsys package es.gob.radarcovid | grep versionName
Verify Fix Applied:
Verify app version is at least iOS 1.0.8/1.1.0 or Android 1.0.7/1.1.0. Monitor network traffic to confirm both positive and negative users generate similar traffic patterns.
📡 Detection & Monitoring
Log Indicators:
- Unusual traffic patterns where only specific users upload TEK data to Radar COVID servers
- Correlation between user identity logs and Radar COVID server upload timestamps
Network Indicators:
- HTTP/HTTPS traffic to Radar COVID backend servers from mobile devices
- Pattern where only certain devices upload data while others don't
- Traffic analysis showing identifiable upload patterns
SIEM Query:
source="network_traffic" dest_ip="radarcovid_backend_servers" | stats count by src_ip | where count > threshold
(radarcovid_backend_servers and threshold are placeholders: substitute your resolved backend address list and a site-specific count.)
🔗 References
- https://github.com/DP-3T/documents/blob/master/DP3T%20-%20Best%20Practices%20for%20Operation%20Security%20in%20Proximity%20Tracing.pdf
- https://github.com/RadarCOVID/radar-covid-android/commit/09d00e5ede801ca400d45c7feda5a99c34e4176c
- https://github.com/RadarCOVID/radar-covid-android/commit/53252773ffa81e116deabcbbea3bac96872b9888
- https://github.com/RadarCOVID/radar-covid-android/commit/7fdc7debeb8a37faa77b53d9f9a1b4bbcff445ce
- https://github.com/RadarCOVID/radar-covid-android/commit/8e5d14ec60e0c1847a4733556cf34d232c27102c
- https://github.com/RadarCOVID/radar-covid-android/commit/91dcfff6252055637bc9ee0c46b8f003d64a16b9
- https://github.com/RadarCOVID/radar-covid-android/commit/9627f4d69705bca68e550eefd3df1b9abe90b215
- https://github.com/RadarCOVID/radar-covid-android/commit/ea0c4cc837f72f58e2b5df1ecf0899743ec3cdf8
- https://github.com/RadarCOVID/radar-covid-backend-dp3t-server/commit/6d30c92cc8fcbde3ded7e9518853ef278080344d
- https://github.com/RadarCOVID/radar-covid-backend-dp3t-server/commit/c37f81636250892670750e3989139fd76d4beffe
- https://github.com/RadarCOVID/radar-covid-backend-dp3t-server/security/advisories/GHSA-w7jx-37x3-w2jx
- https://github.com/RadarCOVID/radar-covid-ios/commit/2d1505d4858642995ea09f02f23c953acaa65195