
Will you download the contact tracing app?


Comments

  • Registered Users Posts: 856 ✭✭✭timetogo1


    KyussB wrote: »
    The technical details may be more on-topic there - but the security and privacy concerns are relevant to posters here - people, especially those running affected devices, ought to know that these security issues exist and that they need to make sure they are either on Android 10, or that their Android version got a security patch since February.

    So would you say you've gotten that point across by now?
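    A way to check the rule of thumb quoted above on an actual handset. This is an added example, not code from the app or the thread: it reads the standard Android build properties `ro.build.version.release` and `ro.build.version.security_patch` over adb, and applies the thread's own criterion (Android 10, or 8/9 with a patch level of February 2020 or later). The threshold and the version list are the poster's advice, not a vendor advisory; the sample `getprop` output is constructed so the check runs offline.

```python
"""Check a handset against the thread's rule of thumb: Android 10+, or 8/9 with a
security patch level from February 2020 onward.

Added example. The threshold dates and affected versions come from the thread's
advice, not from a vendor advisory. SAMPLE_GETPROP is constructed test input.
"""
from __future__ import annotations

import re
import subprocess
from datetime import date

MIN_OK_RELEASE = 10                 # Android 10 or newer: nothing further to check
AFFECTED_MAJORS = {8, 9}            # versions the thread says need the patch
MIN_PATCH_FOR_OLD = date(2020, 2, 1)  # assumed cut-off taken from the thread


def parse_getprop(output: str) -> dict[str, str]:
    """Parse `adb shell getprop` output, which prints one `[key]: [value]` per line."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]$", output, re.M)}


def assess(props: dict[str, str]) -> tuple[str, str]:
    """Return ("ok" | "update" | "unknown", human-readable reason)."""
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch", "")
    try:
        major = int(release.split(".")[0])
    except ValueError:
        return "unknown", f"unparseable release {release!r}"
    if major >= MIN_OK_RELEASE:
        return "ok", f"Android {release}"
    if major not in AFFECTED_MAJORS:
        return "unknown", f"Android {release} is outside the versions discussed"
    try:
        patch_date = date.fromisoformat(patch)  # property is YYYY-MM-DD
    except ValueError:
        return "unknown", f"no usable security patch level ({patch!r})"
    if patch_date >= MIN_PATCH_FOR_OLD:
        return "ok", f"Android {release}, patch level {patch}"
    return "update", f"Android {release}, patch level {patch} predates {MIN_PATCH_FOR_OLD}"


def assess_connected_device() -> tuple[str, str]:
    """Run the check against the phone attached over adb (requires adb on PATH
    and USB debugging authorised on the handset)."""
    out = subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                         text=True, check=True).stdout
    return assess(parse_getprop(out))


# Constructed sample: an Android 9 handset whose last patch predates the cut-off.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-11-05]
[ro.product.model]: [example-handset]
"""

if __name__ == "__main__":
    verdict, why = assess(parse_getprop(SAMPLE_GETPROP))
    print(f"{verdict}: {why}")
```

The "unknown" outcomes matter in practice: some vendor builds leave the patch-level property empty, and a handset older than Android 8 is outside what the thread discusses rather than confirmed safe, so the check refuses to call either one "ok".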


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    robinph wrote: »
    Well we have the herd immunity of enough people not having phones that are at risk such that those who do are protected, and that also makes it not worth the while of someone to create this app virus that they first have to get installed onto the correct phone and OS and then rely on that phone somehow making its way past another vulnerable phone and sitting next to them on the bus, or up a mountain, for long enough for the app to hack it.
    It's a software exploit not a biological virus...A huge proportion of phones are Android, and huge proportion of Android devices (up to 40%) don't get regular security updates.

    Walking through a city, you're guaranteed to pass a significant number of affected devices.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    timetogo1 wrote: »
    So would you say you've gotten that point across by now?
    Not really, because I keep having to correct the same things that people are repeatedly getting wrong, in some cases up to a dozen times if not more, despite having stated very clearly what is and isn't an issue - while the same posters try to shut me down with rancid condescension etc.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    KyussB wrote: »
    It's a software exploit not a biological virus...A huge proportion of phones are Android, and huge proportion of Android devices (up to 40%) don't get regular security updates.

    Walking through a city, you're guaranteed to pass a significant number of affected devices.

    So from this there is about 40% of the Android users in Europe running version 8/9 which have the potential to be hacked, but that is dropping by 5% a month even during lockdown. Android has 70% of the market in Europe.

    That already has us down to only 28% of phones that are potentially vulnerable. Then using your stat of 40% of users not updating their phones brings us down to 11% of phones that could be hacked like this.

    Think I'll stick with it not being as big an issue as you are trying to make out.


  • Registered Users Posts: 7,198 ✭✭✭plodder


    KyussB wrote: »
    No they don't - they dispute the MAC/UID synchronization being an issue - they don't dispute the timing issue, where the beacon is advertising frequently enough to break bluetooth privacy.
    Show me where they accepted that the timing issue is a vulnerability.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    robinph wrote: »
    So from this there is about 40% of the Android users in Europe running version 8/9 which have the potential to be hacked, but that is dropping by 5% a month even during lockdown. Android has 70% of the market in Europe.

    That already has us down to only 28% of phones that are potentially vulnerable. Then using your stat of 40% of users not updating their phones brings us down to 11% of phones that could be hacked like this.

    Think I'll stick with it not being as big an issue as you are trying to make out.
    Don't look at being a data scientist anytime soon...it's 40% of all Android devices that no longer receive security updates, so that's potentially up to a quarter of all phone users. There are no grounds for assuming the people switching to 10.00 all come from that group.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    plodder wrote: »
    Show me where they accepted that the timing issue is a vulnerability.
    The full discussion between the researcher and Google is here - Google don't dispute the timing issue - and the researcher details how he has verified the switchover tracking ability due to the frequent broadcasting of the beacon:
    https://github.com/normanluhrmann/infosec/blob/master/conversation-exposure-notification-google-2020-06-07.pdf

    (Note to others: This is a different issue from a couple days ago, to what my other posts are focusing on today.)


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    KyussB wrote: »
    Don't look at being a data scientist anytime soon...it's 40% of all Android devices that no longer receive security updates, so that's potentially up to a quarter of all phone users. There are no grounds for assuming the people switching to 10.00 all come from that group.

    The problem you were linking to only existed in versions 8 and 9 which had not been patched. Or are you now back to trying to wriggle your way to a new imagined problem?


  • Registered Users Posts: 7,198 ✭✭✭plodder


    KyussB wrote: »
    The full discussion between the researcher and Google is here - Google don't dispute the timing issue - and the researcher details how he has verified the switchover tracking ability due to the frequent broadcasting of the beacon:
    https://github.com/normanluhrmann/infosec/blob/master/conversation-exposure-notification-google-2020-06-07.pdf

    (Note to others: This is a different issue from a couple days ago, to what my other posts are focusing on today.)

    I told you earlier that I had read it. So please quote the exact place where they accept it's a vulnerability


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    robinph wrote: »
    The problem you were linking to only existed in versions 8 and 9 which had not been patched. Or are you now back to trying to wriggle your way to a new imagined problem?
    I'm saying that we don't know the proportion of people switching to 10.00, who come from the 40% of Android users that don't get regular security updates, vs the 60% who do get regular security updates. It stands to reason that users who update more frequently (from the 60%) would potentially be the ones switching to 10.00 (and the graph shows that it is likely 9.00 users switching to 10.00, which would fit this).

    So there's a big "we don't know" factor here - we can't reliably say that the number of affected devices is reducing significantly - we just know there is the 'potential' for up to a quarter of all devices to be affected.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    plodder wrote: »
    I told you earlier that I had read it. So please quote the exact place where they accept it's a vulnerability
    Quote the place where they dispute it's a vulnerability...(the timing issue, not the MAC/UID sync)


  • Moderators, Education Moderators, Technology & Internet Moderators Posts: 35,062 Mod ✭✭✭✭AlmightyCushion


    I know tonnes of people who leave bluetooth on all the time because they have wireless headphones, a smartwatch, a bluetooth enabled car system or something else that uses bluetooth from their phone occasionally. Sometimes it's on even though they never use it because at some stage in the past (possibly even when they bought the phone) it was turned on and they never turned it off. It's rare enough to see someone turning their bluetooth on and off just to use it. I don't really see this as an issue as a result.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    That doesn't diminish it being an issue. There's also a big difference between bluetooth being on and broadcasting every 'x' minutes, to broadcasting every 'x' seconds like the coronavirus app and Exposure API requires.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    KyussB wrote: »
    I'm saying that we don't know the proportion of people switching to 10.00, who come from the 40% of Android users that don't get regular security updates, vs the 60% who do get regular security updates. It stands to reason that users who update more frequently (from the 60%) would potentially be the ones switching to 10.00 (and the graph shows that it is likely 9.00 users switching to 10.00, which would fit this).

    So there's a big "we don't know" factor here - we can't reliably say that the number of affected devices is reducing significantly - we just know there is the 'potential' for up to a quarter of all devices to be affected.

    They are not two distinct groups.

    People might not update because it's an old phone that doesn't get pushed updates from the network anymore, people might update because they just got a shiny new one and it prompts them whilst they are still excited about the new toy. Just because someone has a version of OS doesn't tell us anything about their motivation to run updates or what updates they might have run on their old phone.

    It just tells us that they have a minimum version which is not vulnerable so can be discounted from your 40% who don't update. Even if nobody running the vulnerable OS versions had run an update, it still only gives you 28% of phones at risk.


  • Registered Users Posts: 7,198 ✭✭✭plodder


    KyussB wrote: »
    Quote the place where they dispute it's a vulnerability...(the timing issue, not the MAC/UID sync)

    You can't quote it because they didn't say it. You are arguing like a ten year old now

    @robinph android 8 and 9 are still supported by Google. So the issue has been fixed. Whether device vendors have passed it on is another question. But it's up to Kyussb to back up his figure of 40% which I would say is an over estimate


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    robinph wrote: »
    They are not two distinct groups.

    People might not update because its an old phone that doesn't get pushed updates from the network anymore, people might update because they just got a shiny new one and it prompts them whilst they are still excited about the new toy. Just because someone has a version of OS doesn't tell us anything about their motivation to run updates or what updates they might have run on their old phone.

    It just tells us that they have a minimum version which is not vulnerable so can be discounted from your 40% who don't update. Even if nobody running the vulnerable OS versions had run an update, it still only gives you 28% of phones at risk.
    No you can't discount anything from the 40% who don't update, without measuring it directly. The data doesn't say what you are claiming - and since all of the 10.0 users are coming from 9.0, it better fits users who do update frequently.

    There is no point trying to infer stuff we can't know from the data. We just know 'potentially' up to 25-28% of all devices are affected - which is an enormous number, and more than exploitable enough to be a major problem.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    plodder wrote: »
    You can't quote it because they didn't say it. You are arguing like a ten year old now

    @robinph android 8 and 9 are still supported by Google. So the issue has been fixed. Whether device vendors have passed it on is another question. But it's up to Kyussb to back up his figure of 40% which I would say is an over estimate
    I said they didn't dispute it - you can't prove a negative. You are claiming they do dispute it, something which is provable/citable - you need to quote that.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    plodder wrote: »
    You can't quote it because they didn't say it. You are arguing like a ten year old now

    @robinph android 8 and 9 are still supported by Google. So the issue has been fixed. Whether device vendors have passed it on is another question. But it's up to Kyussb to back up his figure of 40% which I would say is an over estimate

    I'd say the 40% is way over estimating it as well. The networks do nag quite a bit when they push their updates to your handsets. There will be a number of people who don't understand what it is prompting them to do, but once they have their grandkids round again they will soon sort out the annoying messages for them. In the meantime their phones are probably at limited risk of being exploited by KyussB and their Bluetooth drones that are following people around in order to download some random codes that the Covid app has picked up.
    KyussB wrote: »
    No you can't discount anything from the 40% who don't update, without measuring it directly. The data doesn't say what you are claiming - and since all of the 10.0 users are coming from 9.0, it better fits users who do update frequently.

    There is no point trying to infer stuff we can't know from the data. We just know 'potentially' up to 25-28% of all devices are affected - which is an enormous number, and more than exploitable enough to be a major problem.

    People having switched from a version 9 to version 10 handset says nothing about their likelihood to keep their phone up to date, it just says that they potentially got a new phone.

    That is all irrelevant though if someone is running 10. It's only a potential risk for those running 8/9, those have been patched and if only 40% of people run updates to their OS that leaves you with 40% (who don't run patches) of 28%(who are running Android 8 or 9) of 70%(who are running Android) of phone users.

    Which then gives you 11% of all phone users at risk, which is far from being anything significant that you've been claiming.
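    The disagreement in the last few posts is about whether the "40% unpatched" figure can be multiplied by the "40% on Android 8/9" figure. Both shares are defined over all Android users, and without knowing how much the two groups overlap, the honest answer is a range rather than a point. The following is an added worked example (not from the thread or any source cited in it) using the posters' round numbers: it reports the smallest and largest overlap compatible with the two shares (the Fréchet bounds) alongside the independence estimate, and projects the bounds forward under the "dropping 5% a month" assumption. The 11% and 28% figures quoted above fall out as the independence estimate and the upper bound respectively.

```python
"""Bound the share of handsets that are both on the affected versions and unpatched.

Added worked example using the thread's round figures (70% Android, 40% of Android
on 8/9, 40% of Android not receiving security updates). Not measured data.
"""
from __future__ import annotations


def frechet_bounds(p_a: float, p_b: float) -> tuple[float, float]:
    """Smallest and largest possible P(A and B) when only P(A) and P(B) are known.
    The overlap can be no smaller than what the two groups are forced to share
    (p_a + p_b - 1) and no larger than the smaller group."""
    for p in (p_a, p_b):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p}")
    return max(0.0, p_a + p_b - 1.0), min(p_a, p_b)


def exposed_share(platform_share: float, version_share: float,
                  unpatched_share: float) -> tuple[float, float, float]:
    """Fraction of ALL handsets that are on the affected versions AND unpatched,
    as (lower bound, independence estimate, upper bound).
    version_share and unpatched_share are fractions of the platform;
    platform_share is the platform's fraction of all handsets."""
    lo, hi = frechet_bounds(version_share, unpatched_share)
    independent = version_share * unpatched_share   # valid only if the two are unrelated
    return tuple(round(platform_share * x, 4) for x in (lo, independent, hi))


def projection(platform_share: float, version_share: float, unpatched_share: float,
               decline_per_month: float, months: int) -> list[tuple[float, float, float]]:
    """The same bounds month by month if the affected-version share falls by a
    fixed amount each month and the unpatched share stays where it is."""
    rows = []
    for m in range(months + 1):
        v = max(0.0, version_share - m * decline_per_month)
        rows.append(exposed_share(platform_share, v, unpatched_share))
    return rows


if __name__ == "__main__":
    lo, ind, hi = exposed_share(0.70, 0.40, 0.40)
    print(f"now: between {lo:.1%} and {hi:.1%} of all handsets; {ind:.1%} if independent")
    for m, (lo, ind, hi) in enumerate(projection(0.70, 0.40, 0.40, 0.05, 6)):
        print(f"month {m}: {lo:.1%} .. {hi:.1%} (independent: {ind:.1%})")
```

The lower bound of zero is real, not a quirk: two 40% groups can be completely disjoint. Closing the range needs a measurement of the overlap itself (for example patch-level telemetry broken down by OS version), which is exactly the data the thread does not have.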


  • Registered Users Posts: 14,368 ✭✭✭✭Professor Moriarty


    It's like a fox being torn apart by a pack of hounds. Not pleasant to watch. Might be best to just change the subject and let people take their chances as they see fit.


  • Posts: 0 [Deleted User]


    Is there anywhere I can read about the vulnerabilities of this app? Is there a discussion on github or something? I'll read back in this thread too


  • Moderators, Entertainment Moderators Posts: 17,990 Mod ✭✭✭✭ixoy


    Is there anywhere I can read about the vulnerabilities of this app? Is there a discussion on github or something? I'll read back in this thread too
    There aren't any.
    There's a potential exploit for Bluetooth, that the app requires and possibly maybe makes for a wider base (but again it's not the app as such), but POC aside it hasn't actually been leveraged anywhere in the wild.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    robinph wrote: »
    I'd say the 40% is way over estimating it as well. The networks do nag quite a bit when they push their updates to your handsets. There will be a number of people who don't understand what it is prompting them to do, but once they have their grandkids round again they will soon sort out the annoying messages for them. In the meantime their phones are probably at limited risk of being exploited by KyussB and their Bluetooth drones that are following people around in order to download some random codes that the Covid app has picked up.



    People having switched from a version 9 to version 10 handset says nothing about their likely hood to keep their phone up to date, it just says that they potentially got a new phone.

    That is all irrelevant though if someone is running 10. It's only a potential risk for those running 8/9, those have been patched and if only 40% of people run updates to their OS that leaves you with 40% (who don't run patches) of 28%(who are running Android 8 or 9) of 70%(who are running Android) of phone users.

    Which then gives you 11% of all phone users at risk, which is far from being anything significant that you've been claiming.
    When you come up with that condescending shite, where you wilfully misstate what I say - and your poor understanding of stats, where you push very basic mistakes where you take stats relating to 40% of ALL android users, and apply that to a small subset of android users - then you aren't worth replying to further, you're deliberately trying to misrepresent me and misrepresent the stats.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    Is there anywhere I can read about the vulnerabilities of this app? Is there a discussion on github or something? I'll read back in this thread too
    There's no vulnerability with the app. If you use Android, make sure you're either on version 10.0, or if you're on 8.0 or 9.0, make sure you have a security update at least from February - so that leaving bluetooth on all the time, as the app requires, is safe.

    Other than that, the main other issue is a privacy concern for all devices - where the frequency with which the covid app and Exposure API broadcasts (at a rate of seconds, rather than minutes), harms bluetooth privacy and makes your device more identifiable and trackable (despite the devs best efforts to keep your device non-identifiable, by semi-frequently randomizing the code it sends - that appears to be an imperfect solution).
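    The privacy point made above, and the "switchover tracking" mentioned earlier in the thread, come down to whether a passive listener can stitch a device's successive random identifiers into one track. The following is an added toy model, written for this page; it is not the Exposure Notification code and not the researcher's test set-up. It assumes a payload identifier that rotates every 10 minutes, a random MAC that rotates on the same schedule (optionally a few seconds out of step), and a configurable advertising interval, and it compares two linking strategies: joining a MAC to the identifier seen in the same packet, and simply noticing that a new identifier starts within a fraction of a second of the old one going silent. Timings are assumptions, not measurements of the real API.

```python
"""Toy model of a passive BLE observer linking a rotating beacon identifier.

Added illustration with constructed data. Assumed: the payload identifier rotates
every ROTATION_S seconds, the random MAC rotates on the same period (shifted by an
optional skew), and one advertisement is sent every adv_interval_s seconds.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

ROTATION_S = 600.0  # assumed rotation period for both identifier and MAC (10 min)


@dataclass(frozen=True)
class Adv:
    t: float   # seconds since the observer started listening
    mac: str   # random BLE address from the packet header
    rpi: str   # rotating identifier carried in the payload


def _ident(seed: str, kind: str, epoch: int) -> str:
    """Deterministic stand-in for the random identifier used in one rotation epoch."""
    return hashlib.sha256(f"{seed}|{kind}|{epoch}".encode()).hexdigest()[:12]


def simulate_device(seed: str, duration_s: float, adv_interval_s: float,
                    rotation_s: float = ROTATION_S, mac_skew_s: float = 0.0) -> list[Adv]:
    """Advertisements from one device. The payload id rotates every rotation_s;
    the MAC rotates on the same period but mac_skew_s later (0 = in lockstep)."""
    advs: list[Adv] = []
    n = 0
    while (t := n * adv_interval_s) < duration_s:
        mac_epoch = int((t - mac_skew_s) // rotation_s)
        rpi_epoch = int(t // rotation_s)
        advs.append(Adv(t, _ident(seed, "mac", mac_epoch), _ident(seed, "rpi", rpi_epoch)))
        n += 1
    return advs


def tracks_by_field_overlap(advs: list[Adv]) -> int:
    """Distinct tracks for an observer that only links a MAC to the identifier
    seen in the same packet. If the two do not change at the same instant, some
    packet carries (old MAC, new id) or (new MAC, old id) and the epochs chain."""
    parent: dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a in advs:
        parent[find("mac:" + a.mac)] = find("rpi:" + a.rpi)  # union the two ids
    return len({find(k) for k in list(parent)})


def tracks_by_timing(advs: list[Adv], max_gap_s: float) -> int:
    """Distinct tracks for an observer that ignores field consistency and asks
    only: did a new identifier start within max_gap_s of the old one going
    silent? Models a single device in an otherwise quiet spot."""
    advs = sorted(advs, key=lambda a: a.t)
    tracks = 1
    last_rpi, last_t = advs[0].rpi, advs[0].t
    for a in advs[1:]:
        if a.rpi != last_rpi and a.t - last_t > max_gap_s:
            tracks += 1  # silence too long to tell it is the same device
        last_rpi, last_t = a.rpi, a.t
    return tracks


def demo() -> dict[str, int]:
    """Three rotation epochs of one device under three constructed conditions."""
    span = 3 * ROTATION_S
    dense = simulate_device("phone-A", span, adv_interval_s=0.25)
    skewed = simulate_device("phone-A", span, adv_interval_s=0.25, mac_skew_s=5.0)
    sparse = simulate_device("phone-A", span, adv_interval_s=300.0)
    return {
        "dense_fields": tracks_by_field_overlap(dense),    # 3: lockstep rotation holds
        "dense_timing": tracks_by_timing(dense, 2.0),      # 1: 250 ms gaps bridge the switch
        "skewed_fields": tracks_by_field_overlap(skewed),  # 1: out-of-step rotation chains epochs
        "sparse_timing": tracks_by_timing(sparse, 2.0),    # 3: 5-minute gaps break the chain
    }


if __name__ == "__main__":
    for name, tracks in demo().items():
        print(f"{name}: {tracks} track(s) over 3 rotation epochs")
```

Two caveats a practitioner would attach. Rotating the MAC and the identifier in lockstep defeats the first observer entirely, which is why that synchronisation is the part Google is described above as disputing. The timing heuristic, by contrast, needs no field mismatch at all, only a dense stream and a quiet location; in a crowd of beaconing phones the same heuristic has many candidates at every switchover and its confidence drops accordingly, which is the nub of the "herd immunity" argument earlier in the thread.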


  • Posts: 0 [Deleted User]


    ixoy wrote: »
    There aren't any.
    There's a potential exploit for Bluetooth, that the app requires and possibly maybe makes for a wider base (but again it's not the app as such), but POC aside it hasn't actually been leveraged anywhere in the wild.

    Read that past 10 pages or so and I didn't realise people were constantly leaving their bluetooth on. I always turn it off when I'm not using it. I'd have it on for probably an hour every day. I find it easier to turn off Bluetooth on my phone rather than switching off my devices; otherwise I just waste battery on the devices. Now I have it on 24/7.

    I find myself agreeing with KyussB. The vulnerability does exist for a small percentage of android users. This shouldn't dissuade the rest of us from using the app but that small percentage are at risk. That small percentage will equate to more users with a million downloads already. I've never come across this "ah sure it'll be grand" attitude with anyone I've worked with when it comes to security. Thankfully the solution is as simple as updating your phone.


  • Registered Users Posts: 1,008 ✭✭✭1123heavy


    Has there been any recent media coverage separate to the examiner article highlighting the risks associated with this app?

    It should be the case that everybody is aware of the risk regarding bluetooth now also being required to be on, in addition to the location services and tracking. Are people aware of it? It does not seem like it


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph



    I find myself agreeing with KyussB. The vulnerability does exist for a small percentage of android users. This shouldn't dissuade the rest of us from using the app but that small percentage are at risk. That small percentage will equate to more users with a million downloads already. I've never come across this "ah sure it'll be grand" attitude with anyone I've worked with when it comes to security. Thankfully the solution is as simple as updating your phone.

    KyussB is claiming that it is a major exploit, in all phones, that will affect the majority of phone users.

    Their only mention of small number of users is in relation to the belief that people don't have Bluetooth turned on permanently on their phones.


  • Registered Users Posts: 7,693 ✭✭✭Deeper Blue


    Feck sake lads ye're not working for the CIA, nobody gives a **** about your data or movements or whatever, just download the app. Simple


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    Read that past 10 pages or so and I didn't realise people were constantly leaving their bluetooth on. I always turn it off when I'm not using it. I'd have it on for probably an hour every day. I find it easier to turn off blue tooth on my phone rather than switching off my devices; otherwise I just waste battery on the devices. Now I have it on 24/7.

    That seems like a weird use case. What Bluetooth devices, other than a car, do you use which have better battery life than your phone such that you'd leave them on but turn off Bluetooth on the phone? Most devices would have shorter battery life, like headphones, or just makes sense to have permanently connected, like smart watches.


  • Moderators, Entertainment Moderators Posts: 17,990 Mod ✭✭✭✭ixoy


    1123heavy wrote: »
    It should be the case that everybody is aware of the risk regarding bluetooth now also being required to be on, in addition to the location services and tracking. Are people aware of it? It does not seem like it
    The risk is low - there's nothing actually exploiting it right now, it's on older phones, and it's been there for a while. People already have Bluetooth on so the issue (if you believe it is one) isn't specific to the app.

    Location services has been covered elsewhere but it's basically due to poor level granularity on older Android devices and nothing to do with tracking.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    KyussB wrote: »
    When you come up with that condescending shite, where you wilfully mistate what I say - and your poor understanding of stats, where you push very basic mistakes where you take stats relating to 40% of ALL android users, and apply that to a small subset of android users - then you aren't worth replying to further, you're deliberately trying to misrepresent me and misrepresent the stats.

    As previously stated, you can claim that all android 8/9 users have failed to update if you want. That still only leaves you with a maximum of 28% of phones in use that are vulnerable. Nothing like your claims about it being a major exploit affecting the majority of users.

