Will you download the contact tracing app?

murpho999

KyussB wrote: »

Here is the direct discussion on the latter point:
https://github.com/normanluhrmann/infosec/blob/master/conversation-exposure-notification-google-2020-06-07.pdf

It's a combination of the advertise frequency and lack of synchronous MAC/UID switchovers - but more a problem with the frequency than the lack of synchronous switchover.

He actually gets to the point I independently sussed out yesterday - he's talking about a timing attack on the UID/MAC switchover, like I was - Google didn't dispute that.

But seriously, so what?

Do you think people go around worrying about these things?

The majority of people just don't worry about these things you're going on about and also the chances of something happening to your phone if you walk around with an android device with bluetooth on is still very slim.

Also, you're completely wrong about how people use bluetooth. Most would have it on all the time. So they can connect to devices when they want.

Like headphones, just pop in your ear and you're connected. Cars as well.

hmmm

Please stop replying to him. He will keep going forever.

YellowBucket

Personally, I never switch off Bluetooth. I've various headphones that need to be able to connect without fuss and also the car handsfree system connects automatically when I get in and turn on the ignition.

Modern Bluetooth standards don't waste a lot of energy and I honestly don't think most people would be going around fiddling with the Bluetooth settings other than to add a new device.

I mean, most people with a smartphone also leave the WiFi on all the time so it hops onto known WiFi networks when you get home / go to your favourite coffee place or whatever.

Also if you've a smartwatch or anything like that you need Bluetooth on all the time anyway.

circadian

**** me, are we still doing the whole "Bluetooth vulnerability so the app is bad" dance??

Tell me this. If someone hacks this app, only this app. What information are they going to get?

YellowBucket

circadian wrote: »

**** me, are we still doing the whole "Bluetooth vulnerability so the app is bad" dance??

Tell me this. If someone hacks this app, only this app. What information are they going to get?

A bunch of random, utterly meaningless codes and that's all it seems to have.

This app is launching with one purpose - alert you to covid-19 exposures and was put together with a level of extreme caution about data protection or function creep. That was largely driven by Apple's stance on data protection and refusal to allow any third parties to access always on Bluetooth scanning or NFC.

From what I can see of it, you aren't being required to give it any information. On the iOS version, entering your phone number's entirely optional. You can delete the contact tracing data at any time in the settings menu. You can also opt out and remove yourself from the service.

If you get COVID-19 and are tested positive, you also have to manually tell the app to upload its list random codes to the server. It's in no way automatic, it's not triggered remotely or anything like that and it doesn't even assume you're going to do it by default.

From what I can see of it:

a) It's not gathering personal information. Just a bunch of randomised codes that are not linked to anyone's name or identity.
b) It's not using a central server to hold that information, other than when someone optionally uploads their random codes should they become infected.
c) You can opt out at any time. You can delete and control your data.
d) The contact matching is done in your phone, not on a central server.

It's about as anonymous as you could get to do this.

KyussB

Whether people spend time worrying about it or not, doesn't make it any less exploitable - and the covid app + Exposure API it uses, makes it far more exploitable through 1: Increasing the number of devices with bluetooth always on, and 2: Massively increasing the rate of broadcasting that bluetooth uses, making the exploit far more practical.

Nobody has suggested the covid app can be hacked or that any useful information can be gained from it. What has been pointed out is a known/practical exploit of a wide range of Android devices, and how the app + Exposure API make that exploit far more practical to use at a wide scale.

With full proof of concept code available and a huge number of android devices no longer getting security updates, it's really just a matter of when it gets exploited in the wild - not whether it will or not.

If you have a vulnerable OS, potentially it would not require you to be actively targeted by someone, only require passing a device that has previously been hit with such malware - with the covid tracker app and its massively increased broadcasting on all the time, and with such a wide number of potentially affected devices, it has the perfect potential to hit a large number of those affected devices.

Since the exploit allows remote code execution, if you have an affected OS it can access pretty much any of your data on the phone.

It is utterly stupid for anyone with an affected/unpatched OS, to be going around with bluetooth on, and with the Covid-app/Exposure-API broadcasting extremely frequently. Anyone who thinks that is safe or a good idea is an idiot.

From a privacy standpoint, that is a nightmare waiting to happen.

Deeper Blue

It's an app that gives out no meaningful information even if it is "hacked"

I wouldn't overthink it, it's something that can potentially help curb the spread of the virus and that's good enough for me

KyussB

Can you point to a single poster who has suggested the app itself is hackable?

Deeper Blue

Let's not get into semantics, bottom line is the app contains no identifiable info and hence should be downloaded by all. No excuses.

Luckily there are over 1 million people in the country that agree with me so far and hopefully many others will follow suit

Munstersrebel

I downloaded it and don't care about BT I find it bizarre I need to give my GPS data if it doesn't use it..

listermint

KyussB wrote: »

Can you point to a single poster who has suggested the app itself is hackable?

Your going around calling people foolish.


Your not worthwhile replying to but people are because they are fundamentally good and can see the purpose of the app for the nation.

There's no need for your diatribe but you are doing it anyway not to point out flaws in bt technology but because you love the smell of your own vomit. Which is why you keep pumping out the same garbage.


Here's a thought stop calling people stupid and go away.

plodder

KyussB wrote: »

Read the correspondance - the frequency of the advertising allows identifying the device after switchover (regardless of MAC/RPI synchronization), breaking Bluetooth LE privacy.

The correspondance also discusses the out of sync MAC/RPI - after the date of the message you just linked.

I read it and they don't accept it's an exploitable vulnerability. Come back after the point if/when they do. You're like a dog with a bone, so maybe it's time to drop it.

wonski

Reading some of the posts bluetooth is new 5g lol...

Always on to track us and hack our phones. Clever

The Nal

wonski wrote: »

Reading some of the posts bluetooth is new 5g lol...

Always on to track us and hack our phones. Clever

A very amusing thread alright. The paranoia is through the roof. So much stamina. It must be exhausting in the end.

Bob Z

GarIT wrote: »

Depends on whether you are within 2m or not.

we might be

GarIT

Munstersrebel wrote: »

I downloaded it and don't care about BT I find it bizarre I need to give my GPS data if it doesn't use it..

It doesn't record random IDs of people that are further than 2m away. It uses Bluetooth to calculate distance to work this out. Calculating distance from Bluetooth is considered location because it is a real world measurement and in theory if you knew where the other phone was you could possibly work out your location, so they call it location. It doesn't use or access GPS.

Google explain it here in point 3. https://support.google.com/android/answer/9930236?hl=en

KyussB

NDWC wrote: »

Let's not get into semantics, bottom line is the app contains no identifiable info and hence should be downloaded by all. No excuses.

Luckily there are over 1 million people in the country that agree with me so far and hopefully many others will follow suit

No, the app should only be downloaded by people who do not run affected devices - anyone on Android under version 10.0, who has not gotten a security patch since February this year - has a very good reason for NOT using the app or bluetooth when out in public.

KyussB

listermint wrote: »

Your going around calling people foolish.


Your not worthwhile replying to but people are because they are fundamentally good and can see the purpose of the app for the nation.

There's no need for your diatribe but you are doing it anyway not to point out flaws in bt technology but because you love the smell of your own vomit. Which is why you keep pumping out the same garbage.


Here's a thought stop calling people stupid and go away.

I've reflected the same labels a handful of posters used towards me, back to them - hard for them to complain or whine about that, is it?

Not worth replying to but you'll reply to me anyway to insult me, right...it's your own motivations in posting that are in question there, not mine.

There is a very clear security vulnerability from this year, in Android, with a huge number of unpatched devices - which using bluetooth in the manner this app requires, and with the massively increased broadcasting frequency this app uses (which is entirely beyond what bluetooth is meant for, breaking part of its privacy features) - makes the exploit far more practical and able to spread widely when malware is developed for it - making it a very bad idea to be using affected devices with bluetooth on all the time, and with this app.

The motivations for a lot of posters - the same ones immediately pre-emptively trying to shut-down privacy concerns mainly... - seems to be to play down any potential concern with this app and using bluetooth in the way it requires, to try to guilt people into using it even in circumstances where it can harm their privacy and the security of their devices.

I've been very clear, that I view there as being large security concerns for some users, using bluetooth in the way this app requires - and more minor but still noteable privacy concerns, with the way that using bluetooth in the way the app requires, breaks part of bluetooth privacy protections for all users - there is no justification for anyone to try to shut me down, from noting these problems - nor is there any justification in trying to trivialize/diminish them, while simultaneously trying to guilt people into using the app even if they are negatively affected by these issues.

KyussB

plodder wrote: »

I read it and they don't accept it's an exploitable vulnerability. Come back after the point if/when they do. You're like a dog with a bone, so maybe it's time to drop it.

They don't accept the MAC/UID sync issue as an exploitable issue - they don't addres the timing attack due to the frequency of the broadcasting, which the security researcher documented - which achieves the same thing (and is the same as what I independently sussed here, a couple days ago).

tjhook

For what it's worth, I think Kyuss is highlighting a valid issue. But what's missing is quantification of the risks.

Unlike many vulnerabilities in the IT world, this one requires physical proximity between the ne'er-do-good and the victim. And I'm not aware of anybody (in the world) having being targeted by it.

How much of a risk is this Bluetooth issue to Bridie going from her house in Sixmilebridge to the Spar? I would suggest very close to zero. In contrast, I would suggest the risk she's exposed to from Covid is far higher. I am certain that in the coming week, nobody in Ireland will fall victim to this vulnerability. But a number of people will die of Covid.

So yes, the experts will be keeping an eye on it, but at the moment it's not something we should be overly-concerned about. There will always be vulnerabilities discovered with technology, it's no reason to let more people than necessary die.

plodder

KyussB wrote: »

They don't accept the MAC/UID sync issue as an exploitable issue - they don't addres the timing attack due to the frequency of the broadcasting, which the security researcher documented - which achieves the same thing (and is the same as what I independently sussed here, a couple days ago).

I don't have time to spend on this today, but for this issue it's basically you and the 'researcher''s word against google. Basically, anyone can make these disclosures, which is a good thing, but being a 'security researcher' doesn't confer any authority if you aren't already known in the field. I've had to deal with these issues myself in my own job. They are often a mixed bag. The first issue you highlighted is serious, but it's been fixed (and maybe Google and their partners have some work to do, to make the fix more widely available). But, this issue, it was exposed around a month ago as essentially a zero-day explout. If it was serious it would be all over the tech media (and wider), but it isn't.

robinph

tjhook wrote: »

For what it's worth, I think Kyuss is highlighting a valid issue. But what's missing is quantification of the risks.

It's possibly a risk if you and the hacker are sat on top of a mountain together for a couple of hours with nobody else around whilst they hack your phone and you presumably brew them a cup of coffee to keep them warm and motivated.

In other scenarios in the real world, nothing much to worry about.

KyussB

tjhook wrote: »

For what it's worth, I think Kyuss is highlighting a valid issue. But what's missing is quantification of the risks.

Unlike many vulnerabilities in the IT world, this one requires physical proximity between the ne'er-do-good and the victim. And I'm not aware of anybody (in the world) having being targeted by it.

How much of a risk is this Bluetooth issue to Bridie going from her house in Sixmilebridge to the Spar? I would suggest very close to zero. In contrast, I would suggest the risk she's exposed to from Covid is far higher. I am certain that in the coming week, nobody in Ireland will fall victim to this vulnerability. But a number of people will die of Covid.

So yes, the experts will be keeping an eye on it, but at the moment it's not something we should be overly-concerned about. There will always be vulnerabilities discovered with technology, it's no reason to let more people than necessary die.

This doesn't require physical proximity between a ne'er-do-good and a victim - it only requires that malware is written to hop from one affected device to another.

You are right that the risk would be extremely low in the circumstance of needing proximity to a bad actor like that - but the risk is enormously higher in the circumstance I'm focusing on.

People get malware on their phone all the time - malware that is common on the Internet etc. can potentially be adapted to include such a bluetooth exploit - and then a person who innocently gets some malware on their phone while browsing the Internet, can potentially walk through a crowded city passing lots of people affected by the bluetooth vulnerability, broadcasting all the time due the covid app - with the malware spreading to those contacts, and then from those contacts on to others that they pass etc..

It's a bit like the difference between someone targetting you specifically over the Internet, to get onto your device personally - very low risk - versus being connected to the Internet with all of your ports open to the Internet, just waiting for the port of a known-vulnerable service on your computer to be hit (which it will be, given enough time).

KyussB

plodder wrote: »

I don't have time to spend on this today, but for this issue it's basically you and the 'researcher''s word against google. Basically, anyone can make these disclosures, which is a good thing, but being a 'security researcher' doesn't confer any authority if you aren't already known in the field. I've had to deal with these issues myself in my own job. They are often a mixed bag. The first issue you highlighted is serious, but it's been fixed (and maybe Google and their partners have some work to do, to make the fix more widely available). But, this issue, it was exposed around a month ago as essentially a zero-day explout. If it was serious it would be all over the tech media (and wider), but it isn't.

Google didn't dispute the timing issue.

KyussB

robinph wrote: »

It's possibly a risk if you and the hacker are sat on top of a mountain together for a couple of hours with nobody else around whilst they hack your phone and you presumably brew them a cup of coffee to keep them warm and motivated.

In other scenarios in the real world, nothing much to worry about.

I've had to repeat at least half a dozen times in the thread: It doesn't require proximity to a bad actor. I explain the scenario I'm talking about in my reply to the other poster, where it can very easily spread once developed.

plodder

KyussB wrote: »

Google didn't dispute the timing issue.

They dispute that it's a vulnerability :rolleyes:

timetogo1

Would it be better to put the information security chat in the Information Security forum
https://www.boards.ie/vbulletin/forumdisplay.php?f=24

Every app on the planet runs on platforms that have vulnerabilities or rely on services that have vulnerabilities.

KyussB

plodder wrote: »

They dispute that it's a vulnerability :rolleyes:

No they don't - they dispute the MAC/UID synchronization being an issue - they don't dispute the timing issue, where the beacon is advertising frequently enough to break bluetooth privacy.

robinph

KyussB wrote: »

This doesn't require physical proximity between a ne'er-do-good and a victim - it only requires that malware is written to hop from one affected device to another.

Well we have the herd immunity of enough people not having phones that are at risk such that those who do are protected, and that also makes it not worth the while of someone to create this app virus that they first have to get installed onto the correct phone and OS and then rely on that phone somehow making it's way past another vulnerable phone and sitting next to them on the bus, or up a mountain, for long enough for the app to hack it.

KyussB

timetogo1 wrote: »

Would it be better to put the information security chat in the Information Security forum
https://www.boards.ie/vbulletin/forumdisplay.php?f=24

Every app on the planet runs on platforms that have vulnerabilities or rely on services that have vulnerabilities.

The technical details may be more on-topic there - but the security and privacy conerns are relevant to posters here - people, especially those running affected devices, aught to know that these security issues exist and that they need to make sure they are either on Android 10, or that their Android version got a security patch since February.