
Will you download the contact tracing app?


Comments

  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    You know nobody with a Fitbit? I find that hard to believe
    Is anyone going to tell him that cars have bluetooth and most are vulnerable? Wait till he realises, it's going to be great.

    But no, apparently the hackers who are capable of building some devastating worm have been holding off until the HSE put out a Covid app. Now they will strike.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,096 Mod ✭✭✭✭robinph


    KyussB wrote: »
    The number of bluetooth enabled devices will go up by several orders of magnitude with usage of the app. How many people have fucking smart watches? I don't know a single person with one.

    I'm currently wearing two, but do acknowledge that is a bit odd.

    Everyone in my social circle has a bluetooth connected watch of some description for sports, and they will all be permanently connected to their phones or if they are not they will be posting for help to get it reconnected to Strava any moment as something has broken.


  • Registered Users Posts: 862 ✭✭✭timetogo1


    KyussB wrote: »
    If we're trying to determine how many more bluetooth enabled devices there will be - and specifically bluetooth enabled Android devices - due to the covid app, then we can be pretty sure it's going to be several orders of magnitude more than the number of fitbit users...

    I would say that the vast majority of people do not have bluetooth on all of the time, before the covid app.

    Ok great. You've repeated your pointless point several times. Can we change the record?


  • Registered Users Posts: 4,508 ✭✭✭tobefrank321


    robinph wrote: »
    If they were served in a shop then there should be minimal and short time of interaction so nothing much to worry about. Person A would be in a spot of bother regardless of the app though if they caught the virus, it's not going to save them.

    What it does is let the tracers get a headstart in telling people to isolate. Person A meets person B, they both have the app, person A gets tested and meanwhile person B is about to head off to meet person C for lunch tomorrow. That morning person A gets their +ive result, the codes get uploaded, person B gets a notification on their phone saying to isolate and they cancel the lunch date with person C. Two days later person B gets symptoms and gets a test, but in the meantime they have stopped the chain from getting any further and far quicker than a manual contact tracer would have been able to figure out who person A met and when and what each of their phone numbers are to be able to phone them up and tell them to isolate.

    As I said it only works if the majority have it. In many cases it's an asymptomatic illness. If a person doesn't have the app installed they will never be notified of being a close contact with an infected person. The shop was a bad example. A better example is a taxi or an airplane. A shared space for 15 minutes or longer.

    Re the elderly it's important they have the app. Early warning is important but also that they don't pass it unknowingly to others.


  • Closed Accounts Posts: 1,297 ✭✭✭Gooey Looey


    KyussB wrote: »
    If we're trying to determine how many more bluetooth enabled devices there will be - and specifically bluetooth enabled Android devices - due to the covid app, then we can be pretty sure it's going to be several orders of magnitude more than the number of fitbit users...

    I would say that the vast majority of people do not have bluetooth on all of the time, before the covid app.

    Everyone I know has had bluetooth constantly on for the last few years, we have cars and vans with built in bluetooth. My Mam and Dad in their 60s included


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,096 Mod ✭✭✭✭robinph


    KyussB wrote: »
    If we're trying to determine how many more bluetooth enabled devices there will be - and specifically bluetooth enabled Android devices - due to the covid app, then we can be pretty sure it's going to be several orders of magnitude more than the number of fitbit users...

    I would say that the vast majority of people do not have bluetooth on all of the time, before the covid app.

    How many people do you see wandering about with the wireless Apple ear pods every day?

    If you claim not to then you are either not looking or have never left the house in the last few years.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    As I said it only works if the majority have it. In many cases it's an asymptomatic illness. If a person doesn't have the app installed they will never be notified of being a close contact with an infected person. The shop was a bad example. A better example is a taxi or an airplane. A shared space for 15 minutes or longer.

    Re the elderly it's important they have the app. Early warning is important but also that they don't pass it unknowingly to others.
    I'm not sure these types of apps have been used before Covid (correct me if I'm wrong). I can see them being most of use in places where you are mixing with a large number of people you might not know - e.g. pubs, nightclubs, house parties. I'd say most elderly people are being a bit careful, and probably not mixing with large groups of people they don't know - in which case the contact tracer's job is relatively easy.


  • Registered Users Posts: 524 ✭✭✭DevilsHaircut


    GarIT wrote: »
    That's simply not the case. Contact tracing has prevented thousands of cases so far. We aren't employing a few thousand people to do it manually for nothing.


    For example. John gets it day 1, spreads it to Mary day 3, feels symptoms that evening, gets tested day 4 with results day 5, his day 5 is day 3 for mary, on day 3 she gets told she has been in contact and self isolates until tested, spreading it no further.

    Fatal flaw in this...

    https://twitter.com/Smyth_Chris/status/1280154576738570240


  • Registered Users Posts: 4,508 ✭✭✭tobefrank321


    I've a Galaxy S7 with Android 8 and it says my phone is not compatible when I tried to download the app!


  • Registered Users Posts: 7,228 ✭✭✭plodder


    KyussB wrote: »
    I've spent the last 20 years working with programming and fixing exploits - if there is an IT person here, that doesn't understand the severity of this exploit, and that a significant number of android devices remain vulnerable - then they don't have a clue how to write safe code:
    https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/
    Actually, reading that link again, they only showed the exploit using Android 8 and 9, both of which have been updated by Google to fix the bug.
    KyussB wrote:
    I was discussing a different potential/new exploit yesterday - not the one being discussed in my current posts today.
    That "exploit" was a complete joke. It was a misreading of the specification by someone who lobbed it over the wall, in an irresponsible manner (had it actually been a genuine issue) by publicly announcing it before telling the platform vendor and allowing them to fix it before making it public. Fortunately, it amounted to nothing.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    robinph wrote: »
    How many people do you see wandering about with the wireless Apple ear pods every day?

    If you claim not to then you are either not looking or have never left the house in the last few years.
    You understand the difference between some people, and all people right? That some of the time doesn't mean all of the time, yes?

    You see a small percentage of people with bluetooth-capable devices, using bluetooth devices (and for a limited period of time, when listening to music) - and to you that means all bluetooth capable devices, are left on all of the time by everybody?

    Bluetooth is extremely common - but what the covid app does is enable use that is orders of magnitude wider than before.


  • Moderators, Entertainment Moderators Posts: 17,993 Mod ✭✭✭✭ixoy


    KyussB wrote: »
    Bluetooth is extremely common - but what the covid app does is enable use that is orders of magnitude wider than before.
    Source? Since you're claiming it's magnitudes more than people who currently have Bluetooth on (just because they're not using a Bluetooth-enabled device visibly doesn't mean they haven't left it on).


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,096 Mod ✭✭✭✭robinph


    KyussB wrote: »
    The number of bluetooth enabled devices will go up by several orders of magnitude with usage of the app.
    KyussB wrote: »
    I would say that the vast majority of people do not have bluetooth on all of the time, before the covid app.

    A quick Google only gave a survey result from 5 or 6 years ago where they reckoned it was about 45-50% of users would leave Bluetooth on permanently back then. So even allowing for that low estimate your "several orders of magnitude" change will be at most a doubling if everyone installs the app and leaves their Bluetooth on. Hardly a "vast majority" of users leaving it turned off even back then.

    Of course since then when battery concerns might have been a bigger issue, the power consumption of Bluetooth has reduced and the opportunities to make use of the Bluetooth have increased massively with far more devices being able to connect and provide far more functions.




    But I'm sure you were just theorising about Bluetooth usage anyway and will now claim to have never stated any facts.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    plodder wrote: »
    Actually, reading that link again, they only showed the exploit using Android 8 and 9, both of which have been updated by Google to fix the bug.

    That "exploit" was a complete joke. It was a misreading of the specification by someone who lobbed it over the wall, in an irresponsible manner (had it actually been a genuine issue) by publicly announcing it before telling the platform vendor and allowing them to fix it before making it public.
    The exploit affects previous versions of Android as well - and up to 40% of android devices do not receive security updates - which is an extremely high percentage.

    The exploit I discussed yesterday (the CVE one) is a valid exploit that allows tracking - I've read the commentary on it myself, the MAC address and UID do not change synchronously due to a limitation in the OS, allowing tracking of UID changes. I separately discussed another way of tracking UID changes for a specific device - with limitations and caveats.


  • Registered Users Posts: 10,711 ✭✭✭✭Jim_Hodge


    I don't know about anybody else but the thread has lost me completely.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,096 Mod ✭✭✭✭robinph


    KyussB wrote: »
    You understand the difference between some people, and all people right? That some of the time doesn't mean all of the time, yes?

    You see a small percentage of people with bluetooth-capable devices, using bluetooth devices (and for a limited period of time, when listening to music) - and to you that means all bluetooth capable devices, are left on all of the time by everybody?

    Bluetooth is extremely common - but what the covid app does is enable use that is orders of magnitude wider than before.

    You know people are lazy right and can't be arsed to turn their Bluetooth on and off every time. If they are using a device once then they will be leaving the Bluetooth turned on permanently.

    Keep wriggling though.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    ixoy wrote: »
    Source? Since you're claiming it's magnitudes more than people who currently have Bluetooth on (just because they're not using a Bluetooth-enabled device visibly doesn't mean they haven't left it on).
    Source that everyone leaves bluetooth on by habit? I mean I know plenty of people who don't even have any bluetooth devices that they use with their phone - I find it very unlikely they leave bluetooth on all the time...

    In what world is leaving a gaping security hole open a good idea, just because there is the perception that 'everyone does it' as well?


  • Registered Users Posts: 524 ✭✭✭DevilsHaircut


    Mr.S wrote: »
    Eh, no it's not. Think about the data protection and privacy governance alone needed.

    The amount of waffle on here from people who have no clue what they are talking about.



    Bluetooth is defined as being part of location services. It's not GPS you are enabling, there is nothing ridiculous and this is not some conspiracy. Download the app, enable contact tracing and stop sprouting rubbish.

    The HSE are doing that, not the private-sector developer.


  • Registered Users Posts: 9,939 ✭✭✭spookwoman


    Can we open a new thread for this bluetooth discussion, it's like the visual version of a broken record in here now


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,096 Mod ✭✭✭✭robinph


    I'm sure that if you sat on the street for a few minutes with a Bluetooth scanner running and counted how many people walked past you would pick up more devices than people very quickly. I'd even promise not to walk past which would screw up the stats with my excess of devices about my person.


  • Registered Users Posts: 7,228 ✭✭✭plodder


    KyussB wrote: »
    The exploit affects previous versions of Android as well - and up to 40% of android devices do not receive security updates - which is an extremely high percentage.

    The exploit I discussed yesterday (the CVE one) is a valid exploit that allows tracking - I've read the commentary on it myself, the MAC address and UID do not change synchronously due to a limitation in the OS, allowing tracking of UID changes. I separately discussed another way of tracking UID changes for a specific device - with limitations and caveats.
    The two claims in bold, you have made without evidence. You need some evidence to back up these claims. The first one is not supported by the link you gave because they said they didn't test older releases.

    The second claim has been refuted by Google. I gave you a link to where they did that. There hasn't been any update to that CVE since then.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    robinph wrote: »
    A quick Google only gave a survey result from 5 or 6 years ago where they reckoned it was about 45-50% of users would leave Bluetooth on permanently back then. So even allowing for that low estimate your "several orders of magnitude" change will be at most a doubling if everyone installs the app and leaves their Bluetooth on. Hardly a "vast majority" of users leaving it turned off even back then.

    Of course since then when battery concerns might have been a bigger issue, the power consumption of Bluetooth has reduced and the opportunities to make use of the Bluetooth have increased massively with far more devices being able to connect and provide far more functions.




    But I'm sure you were just theorising about Bluetooth usage anyway and will now claim to have never stated any facts.
    Alright, while those stats vary per region, that's a lot more than I expected - it doesn't change the fact that it's rather foolish for people to go around with vulnerable devices, leaving bluetooth on all the time.

    With proof of concept code available for this particular recent exploit, and a huge number of exploitable android devices, plus the covid app causing bluetooth to advertise as a beacon with far more frequency than it used to - every few seconds rather than every 'x' minutes - the exploitability is still orders of magnitude higher.


  • Moderators, Education Moderators, Technology & Internet Moderators Posts: 35,078 Mod ✭✭✭✭AlmightyCushion



    Testing turnaround times are pretty quick here so you wouldn't be waiting the whole 14 days.


  • Registered Users Posts: 4,508 ✭✭✭tobefrank321


    Overall the app is a good idea.

    Its real use will come from situations like pubs and also air travel where it would otherwise be difficult to trace those you were in close contact with. It could be a game changer in fighting covid 19 until there is a vaccine.


  • Registered Users Posts: 1,117 ✭✭✭talla10


    Mr.S wrote: »
    1 million downloads within 48 hours, wow.

    That must be a record for any app in Ireland?

    It's great to see. The more people using it will obviously be more beneficial in detecting clusters and making people aware they may have been exposed.

    Not read all this thread but as expected it appears to have been hijacked. I'll just say if you don't want to use the app then that's your personal choice so absolutely no issue.

    But don't be patronising or insulting to those who do.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    plodder wrote: »
    The two claims in bold, you have made without evidence. You need some evidence to back up these claims. The first one is not supported by the link you gave because they said they didn't test older releases.

    The second claim has been refuted by Google. I gave you a link to where they did that. There hasn't been any update to that CVE since then.
    Here is the direct discussion on the latter point:
    https://github.com/normanluhrmann/infosec/blob/master/conversation-exposure-notification-google-2020-06-07.pdf

    It's a combination of the advertise frequency and lack of synchronous MAC/UID switchovers - but more a problem with the frequency than the lack of synchronous switchover.

    He actually gets to the point I independently sussed out yesterday - he's talking about a timing attack on the UID/MAC switchover, like I was - Google didn't dispute that.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    talla10 wrote: »
    It's great to see. The more people using it will obviously be more beneficial in detecting clusters and making people aware they may have been exposed.

    Not read all this thread but as expected it appears to have been hijacked. I'll just say if you don't want to use the app then that's your personal choice so absolutely no issue.

    But don't be patronising or insulting to those who do.
    Has anyone been?


  • Registered Users Posts: 7,228 ✭✭✭plodder


    KyussB wrote: »
    Here is the direct discussion on the latter point:
    https://github.com/normanluhrmann/infosec/blob/master/conversation-exposure-notification-google-2020-06-07.pdf

    It's a combination of the advertise frequency and lack of synchronous MAC/UID switchovers - but more a problem with the frequency than the lack of synchronous switchover.

    He actually gets to the point I independently sussed out yesterday - he's talking about a timing attack on the UID/MAC switchover, like I was - Google didn't dispute that.
    Let me remind you of the reply from Google at

    https://news.ycombinator.com/item?id=23488214
    The author of this paper alerted Google on June 11, 7:35 AM EST, less than 6 hours ago. While we recognize this is a rapidly-evolving space, a few hours is not in line with responsible disclosure[1] timelines.

    While we're still preparing a proper response to the submitter, the paper makes an invalid assumption that RPI rotation and BLE address rotation are out-of-step and overlap. The BLE and RPI changes are synced; the MAC address is always rotated with the RPI/packet is rotated. We're still investigating our implementation to verify, but we do not believe this to be a vulnerability. I will reply to this thread should our investigation find anything.
    That was a month ago. So, they didn't find anything.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    Read the correspondence - the frequency of the advertising allows identifying the device after switchover (regardless of MAC/RPI synchronization), breaking Bluetooth LE privacy.

    The correspondence also discusses the out of sync MAC/RPI - after the date of the message you just linked.
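
The property disputed in the posts above is whether the BLE MAC address and the RPI rotate in step. The sketch below is an added example, not code from the thread, the app, or Google/Apple: it audits a capture from a single test device and flags any frame where only one of the two identifiers changed. The `Frame` layout, function names, and sample values are all constructed for illustration.

```python
from typing import List, NamedTuple

class Frame(NamedTuple):
    t: float   # seconds since start of capture
    mac: str   # BLE advertiser address seen on air
    rpi: str   # rolling proximity identifier from the payload (hex)

class Finding(NamedTuple):
    t: float     # time of the frame where the mismatch shows up
    kind: str    # "mac_only" or "rpi_only"
    bridge: str  # identifier that stayed constant across the change

def audit_rotation(frames: List[Frame]) -> List[Finding]:
    """Flag every point where exactly one of MAC / RPI changed.

    Assumes all frames come from ONE device under test, e.g. a capture
    taken in a shielded box. An unchanged identifier next to a changed
    one ties the old and new pseudonyms together.
    """
    findings = []
    ordered = sorted(frames, key=lambda f: f.t)
    for prev, cur in zip(ordered, ordered[1:]):
        mac_changed = prev.mac != cur.mac
        rpi_changed = prev.rpi != cur.rpi
        if mac_changed and not rpi_changed:
            findings.append(Finding(cur.t, "mac_only", cur.rpi))
        elif rpi_changed and not mac_changed:
            findings.append(Finding(cur.t, "rpi_only", cur.mac))
    return findings

def clean_epochs(frames: List[Frame]) -> int:
    """Count identity epochs separated by a clean (both-changed) rotation."""
    ordered = sorted(frames, key=lambda f: f.t)
    if not ordered:
        return 0
    epochs = 1
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.mac != cur.mac and prev.rpi != cur.rpi:
            epochs += 1
    return epochs

# Constructed sample captures (not real device data).
SYNCED = [
    Frame(0.00, "4a:11:00:00:00:01", "a1a1"),
    Frame(0.25, "4a:11:00:00:00:01", "a1a1"),
    Frame(900.00, "6c:22:00:00:00:02", "b2b2"),  # both rotate together
    Frame(900.25, "6c:22:00:00:00:02", "b2b2"),
    Frame(1800.00, "71:33:00:00:00:03", "c3c3"),
]
OUT_OF_STEP = [
    Frame(0.00, "4a:11:00:00:00:01", "a1a1"),
    Frame(0.25, "4a:11:00:00:00:01", "a1a1"),
    Frame(900.00, "6c:22:00:00:00:02", "a1a1"),  # MAC rotated, RPI did not
    Frame(900.25, "6c:22:00:00:00:02", "b2b2"),  # RPI follows one frame late
    Frame(1800.00, "71:33:00:00:00:03", "c3c3"),
]

if __name__ == "__main__":
    for name, cap in (("synced", SYNCED), ("out-of-step", OUT_OF_STEP)):
        print(name, audit_rotation(cap), "clean epochs:", clean_epochs(cap))
```

An empty findings list only shows the rotations were in step for that capture; it says nothing about the separate advertising-frequency argument made in the thread.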


  • Registered Users Posts: 20,991 ✭✭✭✭Stark


    Omg just make it stop. Ditch the smartphone altogether if you're that worried.

