Will you download the contact tracing app?

murpho999

KyussB wrote: »

Nobody said the app is a malware vector. Read up on the exploit above ^^.

You know what I mean.

A downloaded id during a bluetooth handshake does not create a potential exploit.

And even if it did, so what? The world is not as bad as you're trying to make out.

robinph

KyussB wrote: »

Using bluetooth in your car isn't "all the time" - the entire point of the covid app is that you're constantly using bluetooth everywhere you go, at every moment - THAT is all the time, that is way more than just in your car!

A significant percentage of covid contacts logged on your phone, become potential malware vectors now if you have a vulnerable device yourself, thanks to this exploit.

Versions 8 and 9 are still affected, as not all devices get updates...

You're completely playing down the severity of this exploit - a significant percentage of devices currently in use are wide open to this exploit - and the requirements of the covid app, to leave bluetooth running all the time, make it possible for malware using this exploit to travel much faster and more widely, if exploitable to hop between vulnerable devices - than before the covid app...

I'm using multiple Bluetooth devices 24/7 just in order to stay alive (well to significantly improve the quality of my life) and among the devices I have which are Bluetooth enabled are ones that could actually do me harm if someone were able to figure out a way to do so.

Not concerned in the slightest about some imagined exploit on the phone.

KyussB

murpho999 wrote: »

You know what I mean.

A downloaded id during a bluetooth handshake does not create a potential exploit.

And even if it did, so what? The world is not as bad as you're trying to make out.

Nobody said a downloaded id etc. or bluetooth handshake etc. is a potential exploit.

KyussB

robinph wrote: »

I'm using multiple Bluetooth devices 24/7 just in order to stay alive (well to significantly improve the quality of my life) and among the devices I have which are Bluetooth enabled are ones that could actually do me harm if someone were able to figure out a way to do so.

Not concerned in the slightest about some imagined exploit on the phone.

What is 'imagined' about the exploit? Here it is, right here:
https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/

A significant percentage of Android devices are still vulnerable to it.

murpho999

KyussB wrote: »

Nobody said a downloaded id etc. or bluetooth handshake etc. is a potential exploit.

Stop using pedantry to justify the sh1te you're peddling.

KyussB

murpho999 wrote: »

Stop using pedantry to justify the sh1te you're peddling.

Have you read this?
https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/

murpho999

KyussB wrote: »

Have you read this?
https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/

Yes, and so what?

Do you think people are just wandering around trying to find phones with Bluetooth on?

You're just fear mongering about tiny risks.

KyussB

So what are you going on about regarding downloaded id's and bluetooth handshakes? You're claiming I said the covid app is the exploit - you are wrong.

Have a clue about what the actual exploit before criticizing. I've explained it in detail.

KyussB

Can you explain the exact conspiracy that anyone has suggested?

robinph

KyussB wrote: »

So what are you going on about regarding downloaded id's and bluetooth handshakes? You're claiming I said the covid app is the exploit - you are wrong.

Have a clue about what the actual exploit before criticizing. I've explained it in detail.

Yesterday you were claiming that the app was being used to track people through a crowded city. I guess you at least realised that wasn't a threat then and went digging around for something else.

So what is it that the Bluetooth deamon on our phones can now do which is such a threat? Turn the volume up on our headphones?

KyussB

I never claimed it is being used for anything like that - and I expressly never made the claim that it can track through a crowded city.

Have you read anything so far about the exploit being discused today?

Is it so much to ask, that people actually know what they are replying to, before criticizing? It's not like it hasn't been explained in detail...

hmmm

Great news. Let's keep working to encourage our friends and family to download this app, and help in a small way to try and reduce the impact of this disease on the country.

https://twitter.com/paulreiddublin/status/1280960167715241995

murpho999

KyussB wrote: »

So what are you going on about regarding downloaded id's and bluetooth handshakes? You're claiming I said the covid app is the exploit - you are wrong.

Have a clue about what the actual exploit before criticizing. I've explained it in detail.

I'm saying that's all the app does with bluetooth and now you're trying to convince people that your phone will be attacked.

You have explained it but I just think it's total rubbish.

KyussB

I never said anyones phone will be attacked - and I've never claimed the covid app is the source of the exploit - so get your facts straight instead of spouting nonsense.

You're persistently presenting an incorrect version of what I said, despite me pointing out the same fault in your misrepresentation again and again - to the point that it's got to be a wilful misrepresentation at this stage.

KildareP

KyussB wrote: »

I never said anyones phone will be attacked - and I've never claimed the covid app is the source of the exploit - so get your facts straight instead of spouting nonsense.

What relevance does your point have to the discussion?

Do you leave your mobile data always on?
Of course you do, even though you're entirely at the mercy of your network operators securing their network.

Do you have a 63 character WiFi password comprised entirely of randomly generated alphanumeric characters?
Of course not - you rely on password strong enough that most people will try a quick brute force and then move on.

And this Bluetooth flaw is the same - it would need to be an extremely targeted, extremely well prepared attack for it to be in any way successful.

There's no point in me heading to my local Tesco's on Saturday and start randomly strolling around on the offchance that I:
(a) happen upon someone with a device prone to this vulnerability
(b) can stay sufficiently close to them for long enough to carry out the attack without arousing suspicion (which in the current circumstances, everyone's suspicion levels are greatly elevated)
(c) can isolate their bluetooth signal amongst all of the other bluetooth noise in the crowd to maintain a steady connection.

robinph

KyussB wrote: »

I never claimed it is being used for anything like that - and I expressly never made the claim that it can track through a crowded city.

Have you read anything so far about the exploit being discused today?

Is it so much to ask, that people actually know what they are replying to, before criticizing? It's not like it hasn't been explained in detail...

I acknowledge that you are now wriggling out of what your angle was yesterday as just theoretical, and no doubt tomorrow you'll claim that you were just theorising with todays exploit. But despite that defence you most certainly were talking about a weakness of the app in being used to track people yesterday.

tobefrank321

The threat from exploits would I imagine be miniscule. An elderly person cannot die from an exploit but they can die from covid 19.

Back on track, I'd imagine this app works a bit like herd immunity, its only useful if most people have it.

If person A is elderly but doesn't have the app installed meets person B who has it installed, and tests positive, person A is in a spot of bother.

KyussB

KildareP wrote: »

What relevance does your point have to the discussion?

Do you leave your mobile data always on?
Of course you do, even though you're entirely at the mercy of your network operators securing their network.

Do you have a 63 character WiFi password comprised entirely of randomly generated alphanumeric characters?
Of course not - you rely on password strong enough that most people will try a quick brute force and then move on.

And this Bluetooth flaw is the same - it would need to be an extremely targeted, extremely well prepared attack for it to be in any way successful.

There's no point in me heading to my local Tesco's on Saturday and start randomly strolling around on the offchance that I:
(a) happen upon someone with a device prone to this vulnerability
(b) can stay sufficiently close to them for long enough to carry out the attack without arousing suspicion (which in the current circumstances, everyone's suspicion levels are greatly elevated)
(c) can isolate their bluetooth signal amongst all of the other bluetooth noise in the crowd to maintain a steady connection.

You're missing the point: If a vulnerable device can technically perform the same attack on another vulnerable device, then malware can be written to be self-perpetuating the same way that a computer virus is over the Internet - except hopping over bluetooth.

The role the covid app plays here, is that everyone using the app has bluetooth on all of the time, broadcasting all of the time - when this was not the case before - massively expanding the scope of this exploit from being a rarity with limited scope, to having the potential for being a full-blown worm/virus that can spread over a huge number of devices, especially in e.g. cities.

KyussB

robinph wrote: »

I acknowledge that you are now wriggling out of what your angle was yesterday as just theoretical, and no doubt tomorrow you'll claim that you were just theorising with todays exploit. But despite that defence you most certainly were talking about a weakness of the app in being used to track people yesterday.

Note that I never said it is being used to track anybody - I was discussing the technical aspects of a likely new exploit.

Today, I'm discusing a different and real/verified exploit.

How about discussing what I actually have said, instead of having a stupid meta-discussion about whether I said this or that?

eeepaulo

KyussB wrote: »

Note that I never said it is being used to track anybody - I was discussing the technical aspects of a likely new exploit.

Today, I'm discusing a different and real/verified exploit.

How about discussing what I actually have said, instead of having a stupid meta-discussion about whether I said this or that?

That you admit has nothing to do with the app.

With all those years of expertise in IT can probably find your own way to the android forum, or maybe just fix the exploit.

robinph

tobefrank321 wrote: »

The threat from exploits would I imagine be miniscule. An elderly person cannot die from an exploit but they can die from covid 19.

Back on track, I'd imagine this app works a bit like herd immunity, its only useful if most people have it.

If person A is elderly but doesn't have the app installed meets person B who has it installed, and tests positive, person A is in a spot of bother. Eg if person A was served by person B in the local shop.

If they were served in a shop then there should be minimal and short time of interaction so nothing much to worry about. Person A would be in a spot of bother regardless of the app though if they caught the virus, it's not going to save them.

What it does is let the tracers get a headstart in telling people to isolate. Person A meets person B, they both have the app, person A gets tested and meanwhile person B is about to head off to meet person C for lunch tomorrow. That morning person A gets their +ive result, the codes get uploaded, person B gets a notification on their phone saying to isolate and they cancel the lunch date with person C. Two days later person B gets symptoms and gets a test, but in the meantime they have stopped the chain from getting any further and far quicker than a manual contact tracer would have been able to figure out who person A met and when and what each of their phone numbers are to be able to phone them up and tell them to isolate.

ixoy

KyussB wrote: »

Note that I never said it is being used to track anybody - I was discussing the technical aspects of a likely new exploit

New? Likely? The CVE you linked to earlier was reported and disclosed over half a year ago and there's been no attacks yet. If it was worth it then surely we'd have seen it in action. Hackers hardly waited around on the hope that some situation would have resulted in a single app providing access.

KyussB

eeepaulo wrote: »

That you admit has nothing to do with the app.

With all those years of expertise in IT can probably find your own way to the android forum, or maybe just fix the exploit.

Ya the exploit has nothing to do with the app.

The covid app however, turns bluetooth from being something that people use on a limited/personal basis, thus of limited opportunity to exploit (i.e. isn't on all the time, and is often geographically limited to peoples home or car, but not exclusively) - into something that is on all of the time, and is wide open to exploitation, on a very large geographic scale, wherever a person goes (e.g. passing through a city or on public transport, you'll be passing a huge number of bluetooth enabled devices, many of which will be guaranteed to be vulnerable to this particular exploit).

KyussB

ixoy wrote: »

New? Likely? The CVE you linked to earlier was reported and disclosed over half a year ago and there's been no attacks yet. If it was worth it then surely we'd have seen it in action. Hackers hardly waited around on the hope that some situation would have resulted in a single app providing access.

I was discussing a different potential/new exploit yesterday - not the one being discussed in my current posts today.

DevilsHaircut

listermint wrote: »

It's to get people who might be infected to isolate to close off transmission rates.


And the Brits... What are you about. Is this the extent of the looperness

There's a rather nauseating national circle jerk going on with the app, complete with almost hourly updates on downloads by most of the reporters in the country.

https://twitter.com/denisstaunton/status/1280578208056979457

robinph

KyussB wrote: »

...turns bluetooth from being something that people use on a limited/personal basis.... isn't on all the time,... that is on all of the time, a...you'll be passing a huge number of bluetooth enabled devices,...

You are aware of smart watches which people have on permanently and connected to their phones by bluetooth aren't you? How many people who are connecting to the bluetooth in their cars are turning it on and off each time? How many people are turning on and off the bluetooth in their phone each time they connect their headphones?

KyussB

robinph wrote: »

You are aware of smart watches which people have on permanently and connected to their phones by bluetooth aren't you? How many people who are connecting to the bluetooth in their cars are turning it on and off each time? How many people are turning on and off the bluetooth in their phone each time they connect their headphones?

The number of bluetooth enabled devices will go up by several orders of magnitude with usage of the app. How many people have fucking smart watches? I don't know a single person with one.

Gooey Looey

KyussB wrote: »

The number of bluetooth enabled devices will go up by several orders of magnitude with usage of the app. How many people have fucking smart watches? I don't know a single person with one.

You know nobody with a Fitbit? I find that hard to believe

ixoy

Gooey Looey wrote: »

You know nobody with a Fitbit? I find that hard to believe

And lots of people using Bluetooth headphones - are all of them disabling Bluetooth once they power their headphones off? Not a chance.

KyussB

If we're trying to determine how many more bluetooth enabled devices there will be - and specifically bluetooth enabled Android devices - due to the covid app, then we can be pretty sure it's going to be several orders of magnitude more than the number of fitbit users...

I would say that the vast majority of people do not have bluetooth on all of the time, before the covid app.