INTERNET OF THINGS AND SENSOR NETWORKS

IoTrace: A Flexible, Efficient, and Privacy-Preserving IoT-Enabled Architecture for Contact Tracing

Pietro Tedeschi, Spiridon Bakiras, and Roberto Di Pietro

Abstract

Contact tracing promises to help fight the spread of COVID-19 via an early detection of possible contagion events. To this end, most existing solutions share the following architecture: smartphones continuously broadcast random beacons that are intercepted by nearby devices and stored into their local contact logs. In this article, we propose an IoT-enabled architecture for contact tracing that relaxes the smartphone-centric assumption, and provides a solution that enjoys the following features: it reduces the overhead on the end user to the bare minimum — the mobile device only broadcasts its beacons; it provides the user with a degree of privacy not achieved by competing solutions — even in the most privacy adverse scenario, the solution provides k-anonymity; and it is flexible: the same architecture can be configured to support several models — ranging from fully decentralized to fully centralized ones — and the system parameters can be tuned to support the tracing of several social interaction models. What is more, our proposal can also be adopted to tackle future human-proximity transmissible diseases. Finally, we also highlight open issues and discuss a number of future research directions at the intersection of IoT and contact tracing.

Digital Object Identifier: 10.1109/MCOM.001.2000729
The authors are with the Division of Information and Computing Technology, College of Science and Engineering, Hamad Bin Khalifa University.
0163-6804/21/$25.00 © 2021 IEEE. IEEE Communications Magazine • June 2021

Introduction

One thing is clear about the COVID-19 pandemic declared in March 2020: despite the release of a few vaccines, the fight against the virus could still last for years due to the required global mass production, untested efficacy at scale, expected delays in distribution, and the very same virus’s polymorphic capabilities. Indeed, the initial battles gained against the virus have been later lost, with the “second wave” ravaging the world as of November 2020 [1].

The initial, dramatic spread of COVID-19 prompted individual states and international organizations to implement drastic measures to “flatten the curve” of the pandemic [2, 3]. Digital contact tracing is one of the most promising technological solutions, and its premise is quite intuitive: leverage the user’s smartphone to keep track of other users nearby (called contacts) [4]. Then, if a contact has a positive diagnosis for the coronavirus, the user is notified to take precautionary measures, such as testing and self-quarantine. The most prominent approach to contact tracing is to have each mobile device broadcast pseudo-random beacons via its Bluetooth Low Energy (BLE) interface. These beacons are then received and recorded by other users within the BLE transmission range. Alternatively, solutions like Israel’s Hamagen [5] adopt the Global Navigation Satellite System (GNSS) for localization and proximity tracing.

A watershed difference in contact tracing applications lies in the reconciliation process, that is, the identification of “infected” beacons inside a user’s contact list that signal possible contagion events. To one extreme, centralized solutions require all users to share their beacons and/or contact lists with the health authorities, who perform the reconciliation process and notify the exposed users. At the other extreme, decentralized solutions do not collect any information from the mobile devices. Instead, when a user is diagnosed as positive, the app releases the user’s beacons to the authorities, which are then distributed to all the other users in the system. As such, the app is responsible for the reconciliation process by matching the released beacons against the stored contact logs.

This generic contact tracing framework raises some concerns about the usability of the solution, and opens up the Pandora’s box of privacy and security issues. The cited dimensions, other than being critical on their own, could also thwart the widespread adoption of contact tracing, making it irrelevant in fighting the pandemic. Indeed, Oxford researchers have calculated that to be effective, contact tracing apps must be actively used by at least 60 percent of the population [6]. To reach the above goal, a more usable and privacy-preserving solution would have the potential to attract more active users, thus increasing the effectiveness of contact tracing.

In terms of usability, the main challenges are related to the energy efficiency and computational cost of the contact tracing app. For example, one of the common criticisms against existing applications is the diminished smartphone battery life. While some energy is consumed on the periodic transmission of the device’s beacon, the main factor behind battery drain is the continuous scanning of the Bluetooth channel for beacons transmitted by the surrounding devices.

When it comes to privacy and security, the scientific community started debating the issue from the very beginning [7]. The most recurrent threats are user de-identification and user tracking. In particular, an eavesdropper can identify a user as positive to the disease by cross-referencing the “infected” beacons published by the authorities with the beacons acquired via eavesdropping. The same data may also allow an adversary to track the locations that a positively diagnosed individual has visited. This is a clear violation of the General Data Protection Regulation (GDPR) laws in the EU and, in any case, is a serious threat that could hinder the adoption of the contact tracing application.

Contributions. Motivated by the above observations, we introduce IoTrace, a contact tracing solution that relies on a distributed, flexible, and lightweight Internet of Things (IoT)-based infrastructure. IoTrace imposes minimal overhead on the user’s smartphone, while providing strong privacy guarantees not available in competing proposals. Specifically, IoTrace relaxes the requirement for smartphones to receive the beacons issued by other devices in their proximity. This translates into considerable savings in energy consumption and computational/storage costs. Further advantages are that the IoT infrastructure is fully distributed, heterogeneous, and pervasive. Distribution and heterogeneity help security [8], while pervasiveness would ensure efficient and accurate contact tracing. The reconciliation mechanism is fully tunable and could range from a completely decentralized solution to a centralized one.

Related Work

Several contact tracing applications have been developed in the last few months. In the following paragraphs, we provide a brief introduction to the state-of-the-art approaches and also present a quantitative comparison in terms of user privacy and performance.

BlueTrace [9]. BlueTrace is an open source protocol that is utilized in Singapore’s TraceTogether app. It adopts BLE technology, where devices exchange their ephemeral IDs (i.e., beacons) via broadcast and log all encounters in their history logs. When a user is diagnosed as positive, his/her history logs are sent to a central authority using a secure connection. Even though BlueTrace leverages the decentralized architecture, the ephemeral IDs are generated by the central authority and distributed to the individual devices. As such, the reconciliation function and exposure notification are performed at a centralized location; BlueTrace is considered a hybrid solution. The main cryptographic primitive involved in the computation of the ephemeral IDs is AES-256-GCM.

DP-3T [10]. A large consortium of European researchers, comprising numerous universities and institutions, proposed the Decentralized Privacy-Preserving Proximity Tracing protocol that leverages BLE technology to track and log encounters with other users. The contact logs are never transmitted to a central authority, but are stored only on the client’s device. When a user tests positive, his/her ephemeral IDs are transmitted to the central authority. The IDs are generated with symmetric key protocols, such as HMAC-SHA-256 and AES-128-CTR. Finally, the project is completely open source.

Apple/Google [11]. Similar to DP-3T, Apple and Google agreed on a decentralized protocol for contact tracing based on BLE technology. The contact tracing logs do not contain any private information, and ephemeral IDs are only stored on the user’s device. From the cryptographic perspective, they adopt HMAC-SHA-256 and AES-128. Note that Apple/Google is not a complete contact tracing solution; instead, the companies released the exposure notification application programming interface (API) as open source to allow public health authorities to develop their own mobile applications. For example, Immuni [13] is the Italian state-sponsored official contact tracing app that leverages the Apple/Google framework.

Hamagen [5]. Hamagen was developed by Israel’s Ministry of Health to monitor the COVID-19 pandemic. It allows the identification of positive patients and people who came in contact with them. Hamagen continuously monitors and logs the user’s GPS coordinates on the device (requiring no interaction with other devices). After a user tests positive, and if he/she gives prior consent, their location data is transmitted to the Ministry of Health. All devices periodically download the up-to-date location data and compare them against their own GPS history logs.

PEPP-PT [12]. The Pan-European Privacy-Preserving Proximity Tracing protocol adopts BLE to discover and store locally the ephemeral IDs of devices that are in proximity. Similar to BlueTrace, it uses the hybrid architecture by having the health authorities generate the users’ beacons. As such, a centralized server collects and processes the contact logs from infected users, and performs the reconciliation process in a centralized manner. The main cryptographic algorithm they employ is AES. This approach also adopts the open source paradigm.

Solutions Comparison. Table 1 presents a quantitative comparison of these state-of-the-art protocols for a variety of metrics, such as privacy and operational cost. In our analysis, we consider the health authorities as trusted entities. Otherwise, centralized and hybrid protocols cannot offer any meaningful level of privacy. In terms of health status privacy, decentralized protocols fail to protect the identity of the infected users, which is a violation of numerous health privacy acts, such as HIPAA and GDPR. Specifically, DP-3T and Apple/Google disclose all the ephemeral IDs that belong to the infected users, which allows an adversary to infer with certainty whether a known ID (i.e., person) has contracted the virus. As for hybrid solutions (BlueTrace and PEPP-PT), they only reveal the user’s contact logs and are thus more privacy-preserving. However, the ephemeral ID of an infected individual might be inferred from its absence within a cluster of IDs with the same time/location tags. Hamagen is a GPS-based solution, so it reveals the infected user’s entire location history. While the identity of the user may not be immediately clear, background knowledge can be applied to link the published trajectories to a specific individual.
| Features | BlueTrace [9] | DP-3T [10] | Apple/Google [11] | Hamagen [5] | PEPP-PT [12] | IoTrace |
|---|---|---|---|---|---|---|
| Wireless technology | Bluetooth | Bluetooth | Bluetooth | GPS | Bluetooth | Bluetooth |
| Open source | Yes | Yes | Yes | Yes | Yes | Yes |
| Architecture (C/D/H) | H | D | D | D | H | C / D |
| RF energy consumption (mJ/min) | 1.23 × 10^3 | 1.21 × 10^3 | 1.21 × 10^3 | 2.19 × 10^3 | 1.21 × 10^3 | 3.2760 |
| Security level (crypto) | ★★★ | ★★★ | ★★★ | N/A | ★★★ | ★★★ |
| Health status privacy | ★ | – | – | ★ | ★ | ★★ / ★★★ |
| Location privacy (w.r.t. positive) | – | – | – | – | – | – / ★★★ |
| Location privacy (w.r.t. negative) | ★★★ | ★★★ | ★★★ | ★★★ | ★★★ | ★★★ |
| Device storage requirements (B) | ≈ n × 140 | ≈ n × 24 | ≈ n × 16 | ≈ l × 10 | ≈ n × 30 | 0 |
| Crypto computational cost (ms) | 0 | ≈ 24.8973 | ≈ 30.2039 | 0 | 0 | ≈ 23.3652 |
| Broadcast TX overhead (B) | f × 140 | f × 24 | f × 31 | 0 | f × 30 | f × 16 |

TABLE 1. Comparison of state-of-the-art representative solutions. n: contact list size; l: number of stored locations; f: TX frequency. None: –, Low: ★, Medium: ★★, High: ★★★. For IoTrace, some metrics include two ratings, written basic / privacy-enhanced, that correspond to the basic and privacy-enhanced versions.

Regarding location privacy, both the decentralized and hybrid protocols offer excellent privacy to users who never test positive. This is due to the unidirectional flow of information: the devices only download data from the central authority’s server without ever uploading any data of their own. However, a user who tests positive has to disclose some relevant information to the central server. Usually, the cited disclosure involves publishing ephemeral IDs, contact logs, or GPS coordinates, unfortunately leading to a complete compromise of the geographic locations that the user has visited in the near past, among other things.

To assess the performance of the discussed solutions in a quantitative manner, we considered the Bluetooth SoC nRF51822 and GPS SiP nRF9160 (for Hamagen) hardware platforms. We first estimated the energy consumption related to the RF operations (TX and RX) using the platforms’ operational specifications, such as voltage and current consumption. For the BLE-based protocols, we assumed a beacon broadcast interval of 500 ms and a duty cycle of 50 percent for the scanning function. The energy consumption of each approach is computed as the integral of power over time. For Hamagen, we assumed continuous scanning in low-power mode. As presented in Table 1, IoTrace is orders of magnitude more efficient than the competing approaches, because it does not need to scan the Bluetooth channel for broadcasted beacons. As per the crypto operations for generating the ephemeral IDs, they are very cheap for all protocols, necessitating ≈ 30 ms to generate the IDs for an entire day (on a Cortex M0 CPU). However, IoTrace is considerably more lightweight, as it does not need to store and actively update a contact list. For the same reason, IoTrace sports the lowest storage requirement.

Threat Model

In this work, we consider a powerful eavesdropping adversary that is capable of collecting all beacons transmitted by users. The adversary is equipped with a powerful antenna, which can be either a regular Bluetooth handheld device or a software defined radio (SDR) that is operated through a laptop/smartphone running an SDR-compatible software tool. Additionally, the attacker tags every beacon with a timestamp and the geographic location where it was recorded. As a result, the adversary has a global view of all communications and can pinpoint every beacon to a unique point in space and time, although the beacon cannot be linked to a specific user. We also consider a more involved eavesdropping adversary that is able to get close to a target victim in order to record beacons that belong to the victim with a very high probability (i.e., there are no other devices in the vicinity, or the adversary uses a directional antenna). Such an adversary is only interested in identifying beacons that are associated with one or more unique individuals. Finally, we embrace a standard assumption in the literature: the adversary runs in polynomial time and is unable to break the cryptographic protocols (e.g., symmetric encryption and hashing) that generate the pseudo-random beacons.

Based on the aforementioned adversarial model, we consider two types of privacy attacks against the contact tracing system:
• Location privacy attack: In this attack, the adversary’s objective is to track the movements of one or more users through the collected beacons.
• Health status privacy attack: Here, the objective is to correctly infer whether one or more known users have contracted the COVID-19 virus.

Edge Contact Tracing with IoT Devices

The novelty of IoTrace lies in the deployment of IoT devices that support the contact tracing tasks at the network’s edge, complementing the individual mobile devices. In what follows, we introduce the IoTrace architecture, and describe the contact tracing protocol and the corresponding message flow in the context of a centralized architecture. We discuss an alternative fully distributed approach that also provides a high level of privacy with the use of public key cryptography.

System Architecture

The entities involved in the IoTrace architecture are the following:

• User. A user carrying a smartphone device that runs our contact tracing app. The app simply transmits BLE beacons (pseudo-random ephemeral IDs) that are received by the deployed IoT devices. The transmitted beacons are also stored locally on the device for verifying proximity to other users. Unlike existing approaches, the app only operates in transmit mode; that is, it does not collect BLE beacons from other devices.
• Totem. This is an IoT smart device equipped with a BLE transceiver that collects the beacons transmitted from users’ devices. We also assume that the totem maintains a secure intranet connection to the central authority, where it forwards all the received beacons in a fashion that could span from batch mode to real-time. In our terminology, we call these beacons negative: they belong to users who have not tested positive. From a practical perspective, a totem could be a simple low-end device like a Raspberry Pi.
• Hospital. This is a medical center that tests users who may possibly have a COVID-19 infection. If a user tests positive, the health professionals are permitted to access his/her mobile device and forward the stored beacons to the central authority. We call these beacons positive.
• Central authority. This is a trusted party, whose role is to collect the positive and negative beacons sent by the corresponding hospitals and totems. It is assumed to be always online and ready to provide an updated list of beacons that belong to users who had close contact with an infected user. In a real scenario, this role can be played by the Ministry of Health.

As shown in Fig. 1, the proposed architecture can be adopted in open spaces like parks, or in closed spaces like shopping malls and offices.

FIGURE 1. IoTrace infrastructure in different environments: open and closed spaces. A totem is represented by the Bluetooth icon. BLE beacons are transmitted from the smartphones to the IoT totems: a) open space: park; b) closed space: shopping mall; c) closed space: office.

Protocol Message Flow

IoTrace’s protocol is illustrated in Fig. 2 and summarized below:
• Let us assume a generic time slot t_i. At the beginning of the time slot, the transmitting user (Alice) generates a pseudo-random BLE beacon according to some cryptographic primitive, such as AES-128 encryption.
• After collecting all beacons within time slot t_i, the totem forwards them to the central authority. The authority stores each beacon as a tuple <totem-ID, time-slot, beacon> on its long-term memory.
• Let us assume Alice is diagnosed as positive at an authorized hospital. An authorized health official will access Alice’s mobile application to send her recent beacons (e.g., from the last two weeks) to the central authority.
• Consider one of Alice’s positive beacons that was transmitted at time slot . The central authority will identify all the negative beacons within time slots  ±  (at that particular totem), where  is a time window that depends on the broadcast frequency of the beacons. The list of all negative and positive beacons is published online.
• Finally, Bob downloads from the central authority the list published at the previous step and checks whether his own beacons are on the list. If there is a match, and it is sustained for an amount of time sufficient to declare a potential contagion risk (set by the health authorities), Bob is notified by the app of this possibility.

FIGURE 2. Sequence diagram of the IoTrace protocol (participants: Alice, Bob, Totem j, Hospital, Authority). The authority marks Alice as infected by reporting an alert of Potential Contagion Risk to Bob.

The data flow that summarizes the above described operations is depicted in Fig. 3.

Compared to previous approaches in the literature, this basic version of IoTrace already provides better protection of the users’ health status privacy, since both the positive and negative beacons are disclosed by the central authority. As a result, IoTrace provides k-anonymity [14] in terms of health status privacy. That is, if k beacons are published on behalf of a single totem, each beacon has a 1/k chance of being the positive one. As per the location privacy guarantees, they are identical to existing decentralized solutions, such as DP-3T and Apple/Google. However, IoTrace has a clear advantage in terms of operational cost for mobile devices.

A Privacy-Enhanced Solution

We now show how to significantly enhance the privacy under IoTrace, while leveraging the same architecture. The first improvement is related to the centralized storage of all beacons. To this end, IoTrace can operate in a fully decentralized mode; that is, the totems will store the received beacons locally without sending them to the central authority. When a user tests positive for COVID-19, the central authority will forward the positive beacons to all totems, and in turn, the totems will send back to the central authority all negative beacons that fall within the predetermined time window from a positive one. This approach preserves the privacy guarantees and operational costs for mobile devices while removing the inherent risks of centralized storage.

Our second improvement comes with increased computational and power consumption costs for the mobile devices, but results in a contact tracing solution that is secure against eavesdropping adversaries. The key observation is that the IoT infrastructure is relatively static, so it is easy to store on each mobile device the list of all totem IDs, along with their public key certificates. Then, instead of transmitting their beacons in cleartext, the mobile devices first exchange a symmetric key with the totem using the locally stored certificate, and then send their beacons encrypted with that key. The totem locally decrypts the beacons, and the protocol continues as described. Consequently, when the positive/negative beacons are published by the central authority, an eavesdropper cannot link them to a particular totem and time slot. Overall, this latter solution is very flexible, allowing individual users to trade off more privacy with higher computing cost.

Challenges and the Road Ahead

Contact tracing is, in essence, a surveillance-type application. As such, the security and privacy of the entire system are of paramount importance. In the following sections, we describe the challenges that must be addressed to make edge contact tracing a secure and privacy-preserving solution.

Security Considerations

Edge Security. In the proposed architecture, an IoT device (totem) represents the edge component between the mobile devices and the hospital/authority. Hence, a research direction relevant to our solution, but also of general interest in the IoT domain, arises from the need to reduce the required computations, for instance, adopting lightweight cryptographic protocols to meet the intended security and privacy goals. The most obvious concern with regard to the security of the proposed architecture is the exposure of the totems to physical attacks due to their being unattended. As a result, no sensitive information, such as user beacons or private keys, should be stored in plaintext format. To solve the cited issue, data at rest could be encrypted with the public key of the central authority. Furthermore, the totem should utilize a secure enclave to perform the necessary cryptographic operations, and all beacons (even when encrypted, as suggested above) should be erased as soon as they are received by the trusted authority. For the case of the fully distributed architecture where the data are stored locally at the totems, additional measures should be implemented to harden their security.

Replay and Relay Attacks. These are active attacks where the adversary eavesdrops on the broadcast beacons and then replays those beacons to many other (even far away) totems. The objective of these attacks is to generate a large number of false contacts such that if one individual tests positive, the disclosure of his/her beacons will trigger many false positive alerts. Such attacks can be addressed in two different ways. First, the beacon generation protocol may incorporate certain cryptographic protocols to thwart replay attacks. Second, the trusted authority can analyze the collected data and identify fraudulent beacons (e.g., the same beacon appearing in two distant locations in a non-time-congruent manner).

Privacy Considerations

Linkage and Profiling. Contact tracing protocols and applications bring with them several privacy concerns (e.g., the misuse of the collected data at the trusted authority) under the centralized and hybrid models. Indeed, a malicious insider with access to all beacons, locations, timestamps, and contact lists can extract sensitive information about the underlying individuals (locations visited, routes, social contacts, etc.). Our proposed architecture makes such attacks less feasible by design, since users do not submit their own contact lists. Instead, all the beacons are aggregated at the distributed totems, which makes it much harder for an adversary to track individuals. Still, an interesting research direction would be to quantify the privacy leakage under the centralized edge contact tracing architecture.
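The centralized message flow summarized under Protocol Message Flow, together with the authority-side consistency check proposed under Replay and Relay Attacks, as an added example that is not code from the paper or its authors. It assumes HMAC-SHA256 in place of the paper's AES-128 beacon primitive, names the time window `window`, and uses constructed totem coordinates, a 60 s slot length and a 30 m/s plausibility bound for the replay check.

```python
"""Basic (centralized) IoTrace message flow plus the authority-side replay
check suggested under Replay and Relay Attacks. Added illustration, not the
authors' code: HMAC-SHA256 stands in for the paper's AES-128 beacon primitive;
`window`, totem coordinates, slot length and the speed bound are assumptions.
"""
import hashlib
import hmac
import math
from collections import defaultdict

BEACON_LEN = 16       # 16-byte ephemeral ID, IoTrace's TX overhead in Table 1
SLOT_SECONDS = 60     # assumption: one time slot lasts 60 s
MAX_SPEED_MPS = 30.0  # assumption: no user moves faster than 30 m/s


def make_beacon(user_key: bytes, slot: int) -> bytes:
    """Pseudo-random beacon for one time slot (HMAC stand-in for AES-128)."""
    return hmac.new(user_key, slot.to_bytes(4, "big"), hashlib.sha256).digest()[:BEACON_LEN]


class Phone:
    """Transmit-only app: broadcasts beacons and stores only its own."""

    def __init__(self, key: bytes):
        self.key = key
        self.sent = []  # (slot, beacon) kept locally for later matching

    def broadcast(self, slot: int) -> bytes:
        beacon = make_beacon(self.key, slot)
        self.sent.append((slot, beacon))
        return beacon


class Authority:
    """Central authority holding <totem-ID, time-slot, beacon> tuples."""

    def __init__(self, window: int, totem_xy: dict):
        self.window = window            # negatives within slot ± window count
        self.totem_xy = totem_xy        # totem-ID -> (x, y) in metres
        self.store = defaultdict(set)   # (totem_id, slot) -> beacons heard

    def ingest(self, totem_id: str, slot: int, beacons) -> None:
        """Batch forwarded by a totem at the end of a slot."""
        self.store[(totem_id, slot)].update(beacons)

    def publish(self, positive) -> frozenset:
        """Positive beacons plus every negative heard within ± window at the
        totems where a positive beacon was heard. The set carries no flag, so
        a reader sees k indistinguishable beacons per totem (k-anonymity)."""
        positive = set(positive)
        out = set(positive)
        for (totem_id, slot), seen in list(self.store.items()):
            if not (seen & positive):
                continue
            for s in range(slot - self.window, slot + self.window + 1):
                out |= self.store.get((totem_id, s), set())
        return frozenset(out)

    def suspicious_beacons(self) -> set:
        """Replay/relay check: the same beacon heard at two totems farther
        apart than a user could travel in the elapsed time is fraudulent."""
        sightings = defaultdict(list)  # beacon -> [(totem_id, slot), ...]
        for (totem_id, slot), seen in self.store.items():
            for beacon in seen:
                sightings[beacon].append((totem_id, slot))
        bad = set()
        for beacon, where in sightings.items():
            for i, (t1, s1) in enumerate(where):
                for t2, s2 in where[i + 1:]:
                    dist = math.dist(self.totem_xy[t1], self.totem_xy[t2])
                    elapsed = (abs(s2 - s1) + 1) * SLOT_SECONDS  # slot width
                    if dist > MAX_SPEED_MPS * elapsed:
                        bad.add(beacon)
        return bad


def exposure_check(phone: Phone, published: frozenset, min_slots: int) -> bool:
    """Bob's step: alert if own beacons appear for at least min_slots slots."""
    return sum(1 for _, b in phone.sent if b in published) >= min_slots


def run_scenario() -> dict:
    """Constructed scenario: Alice and Bob share totem T1 during slots 0..5,
    Carol is at T2 (5 km away), and an attacker relays Bob's slot-3 beacon
    to T2 within the same slot. Alice then tests positive."""
    alice, bob, carol = (Phone(bytes([i]) * 16) for i in (1, 2, 3))
    authority = Authority(window=1, totem_xy={"T1": (0.0, 0.0), "T2": (5000.0, 0.0)})
    for slot in range(6):
        authority.ingest("T1", slot, [alice.broadcast(slot), bob.broadcast(slot)])
        authority.ingest("T2", slot, [carol.broadcast(slot)])
    relayed = bob.sent[3][1]
    authority.ingest("T2", 3, [relayed])  # relayed copy, never sent by Bob at T2
    published = authority.publish(b for _, b in alice.sent)  # hospital report
    return {
        "published": len(published),
        "bob_alerted": exposure_check(bob, published, min_slots=3),
        "carol_alerted": exposure_check(carol, published, min_slots=3),
        "suspicious": authority.suspicious_beacons() == {relayed},
    }
```

The published list contains Alice's six positive beacons and Bob's six negatives from the same totem, with no marking of which is which; Carol's beacons never leave the authority, and the relayed copy of Bob's beacon is the only one flagged.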

Eavesdropping. Eavesdropping is a passive attack where an adversary with the ability to eavesdrop on a large scale can simply record most beacons that are broadcast by the users. When the list of positive/negative beacons is published, the adversary can identify all the locations that the infected user has visited. This is an attack against which none of the existing contact tracing protocols can defend. To this end, a possible research direction would be to design secure two-party protocols (between the trusted authority and a user) that allow users to blindly match their beacons against the server’s beacon list (which will not be published). Note, however, that our proposal is able to thwart such attacks when the user employs the public key of the totem to bootstrap a secure channel with the totem itself, as described earlier.

FIGURE 3. The IoTrace protocol data flow diagram (participants: Users, Totem, Hospital, Authority; legend: Infected User, Exposed User, Healthy User, Downloading Positive & Negative-Beacon List, Beacon Transmission Flow, Diagnosis of a User (offline)). An exposed user becomes yellow if he/she is close to an infected user based on the BLE beacon’s timestamp.

Technology Considerations

Localization Accuracy. Most technologies adopted for contact tracing rely on the received signal strength indicator (RSSI). With the help of a radio propagation model, this feature is useful in estimating the distance between the transmitter and receiver nodes. Unfortunately, several factors can affect the accuracy of distance estimation, including radio noise, obstacles, multipath reflection and shadowing effects, or environmental factors like rain, temperature, and humidity. Therefore, Bluetooth RSSI may produce a large number of false positives and false negatives. To this end, alternative features like angle of arrival, time difference of arrival, and time of arrival should be investigated. Furthermore, thanks to the vast amount of available data, artificial intelligence algorithms could be employed on the edge devices to improve the localization accuracy of the Bluetooth technology.

Communication Technologies. While BLE is the de facto choice for all contact tracing solutions in the literature, we believe that more research is needed on different communication technologies. In particular, ultra-wideband (UWB) carriers as well as acoustic channels and ultrasonic sound waves could be employed to improve the accuracy, privacy, and reliability of proximity

life that users experience. We have shown that energy consumption under IoTrace is reduced by multiple orders of magnitude. Additionally, the reconciliation process is mostly performed at the health authorities and/or IoT devices. As such, we argue that IoTrace’s mobile app would be extremely lightweight and therefore would not affect the user’s experience, hence increasing the chance of adoption.

Trust. In addition to usability, trust (or the lack of it) is the deciding factor that discourages people from actively using existing contact tracing apps. To this end, IoTrace’s superior privacy guarantees could motivate more users to install and actively use the app. Furthermore, by releasing the app’s code as open source, we can further ease the public’s concern with respect to privacy and security.

Limitations

The major limitation of IoTrace is the cost to deploy, operate, and maintain the IoT infrastructure. Indeed, the IoT devices must be connected to a fixed power supply and have access to a cellular/cable network infrastructure in order to communicate with the health authorities. As such, we envision that a practical implementation would employ cheap, Raspberry-Pi-like devices, which would cost somewhere between $10 and $20 each. For 100,000 devices, the cost would rise to a couple of million dollars, which is very rea-
tracing [15]. sonable for a large city. We should emphasize
that IoTrace would only be deployed in crowded
Social Considerations areas, including shopping malls, public transporta-
Accessibility. IoTrace shifts a significant por- tion venues, airports, stadiums, parks, and so on.
tion of the energetic and computational costs of Additionally, the government may offer incentives
contact tracing to the IoT edge devices and/or to individual business owners to install and main-
the centralized server. As a result, the correspond- tain their own IoT devices, thus expanding the
ing mobile application can easily be deployed on range of IoTrace’s network.
low-cost devices that would otherwise be unable Despite the cited costs, IoTrace has the fol-
to participate in the contact tracing network. This lowing advantages that make it a very attractive
will considerably increase the accessibility of the solution for contact tracing:
solution to the general public. • Significant energy savings for the mobile
Usability. The usability of existing solutions devices, as they can operate in transmit-only
is primarily hindered by the shortened battery mode

IEEE Communications Magazine • June 2021 87

• Superior privacy guarantees
• Better proximity tracing accuracy stemming from a moderately dense deployment of IoT sensors (improved localization with techniques like triangulation and trilateration)
• Reduced computational and storage requirements for the mobile devices, allowing the app to work seamlessly on cheap devices
• Flexibility on behalf of the health authorities, because IoTrace does not enforce any constraint on the distance (or duration) that qualifies a digital encounter as a legitimate contact

Conclusion

In this article, we propose IoTrace, a novel IoT-based architecture for contact tracing that addresses some of the most important limitations of existing solutions: it provides a balance between the level of privacy for the different user categories; it reduces the overhead on the end-user device in terms of energy consumption and computational cost; it enhances location privacy; and it is scalable and flexible, allowing the accommodation of different contact tracing models, from purely decentralized to centralized. We believe that the novelty of the proposal, as well as its striking properties and flexibility, has the potential to pave the way for further research.

Acknowledgments

The authors would like to thank the anonymous reviewers who helped improve the quality of the article. This publication was partially supported by awards NPRP 11S-0109-180242 from the QNRF-Qatar National Research Fund, a member of The Qatar Foundation. The information and views set out in this publication are those of the authors and do not necessarily reflect the official opinion of the QNRF.

References

[1] Johns Hopkins Univ. Coronavirus Resource Center; https://coronavirus.jhu.edu/, Nov. 2020, accessed Jan. 1, 2021.
[2] D. Shu Wei Ting et al., "Digital Technology and COVID-19," Nature Medicine, vol. 26, no. 4, Mar. 2020, pp. 459–61.
[3] J. M. Cecilia et al., "Mobile Crowdsensing Approaches to Address the COVID-19 Pandemic in Spain," IET Smart Cities, vol. 2, no. 2, 2020, pp. 58–63.
[4] L. Garg et al., "Anonymity Preserving IoT-Based COVID-19 and Other Infectious Disease Contact Tracing Model," IEEE Access, vol. 8, 2020, pp. 159,402–414.
[5] Israeli Health Ministry, Hamagen, 2020; https://govextra.gov.il/ministry-of-health/hamagen-app/download-en, accessed Jan. 1, 2021.
[6] Q. Tang, "Privacy-Preserving Contact Tracing: Current Solutions and Open Questions," IACR Cryptol. ePrint Arch., vol. 2020, 2020, p. 426.
[7] L. Baumgärtner et al., "Mind the GAP: Security & Privacy Risks of Contact Tracing Apps," arXiv e-prints, June 2020.
[8] Y. Lu et al., "Internet of Things (IoT) Cybersecurity Research: A Review of Current Research Topics," IEEE Internet of Things J., vol. 6, no. 2, 2019, pp. 2103–15.
[9] J. Bay et al., "BlueTrace: A Privacy-Preserving Protocol for Community-Driven Contact Tracing Across Borders," Government Technology Agency, Singapore, tech. rep., 2020.
[10] "Decentralized Privacy-Preserving Proximity Tracing: Overview of Data Protection and Security"; https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf, 2020, accessed Jan. 1, 2021.
[11] Apple and Google, Privacy-Preserving Contact Tracing, 2020; https://www.apple.com/covid19/contacttracing, accessed Jan. 1, 2021.
[12] PEPP-PT Team, Pan-European Privacy-Preserving Proximity Tracing, 2020; https://www.pepp-pt.org/, accessed Jan. 1, 2021.
[13] Italian Ministry of Health, Immuni; https://www.immuni.italia.it/, June 2020, accessed Jan. 1, 2021.
[14] J. Wang et al., "Achieving Personalized k-Anonymity-Based Content Privacy for Autonomous Vehicles in CPS," IEEE Trans. Industrial Informatics, vol. 16, no. 6, 2020, pp. 4242–51.
[15] M. Caprolu et al., "Short-Range Audio Channels Security: Survey of Mechanisms, Applications, and Research Challenges," IEEE Commun. Surveys & Tutorials, 2020.

Biographies

Pietro Tedeschi is a Ph.D. student at HBKU-CSE, Doha, Qatar. He received his Master's degree with honors in computer engineering from Politecnico di Bari, Italy. He worked as a security researcher at CNIT, Italy, for the EU H2020 SymbIoTe project. His research interests cover security issues in UAVs, wireless, IoT, and cyber-physical systems.

Spiridon Bakiras is an associate professor of cybersecurity at HBKU-CSE. His research interests include security and privacy, applied cryptography, and spatiotemporal databases. He held teaching and research positions at Michigan Technological University, the City University of New York, the University of Hong Kong, and the Hong Kong University of Science and Technology. He is a recipient of the U.S. National Science Foundation CAREER award.

Roberto Di Pietro, ACM Distinguished Scientist, is a full professor of cybersecurity at HBKU-CSE. His research interests include distributed systems security, wireless security, OSN security, and intrusion detection. In 2011–2012 he was awarded a Chair of Excellence from University Carlos III, Madrid. In 2020 he received the Jean-Claude Laprie Award for having significantly influenced the theory and practice of dependable computing.
