
Will you download the contact tracing app?


Comments

  • Posts: 0 [Deleted User]


    robinph wrote: »
    That seems like a weird use case. What Bluetooth devices, other than a car, do you use which have better battery life than your phone such that you'd leave them on but turn off Bluetooth on the phone? Most devices would have shorter battery life, like headphones, or just makes sense to have permanently connected, like smart watches.

    I have two battery powered bluetooth speakers and bluetooth headphones. All of those devices switch off on their own if I close the bluetooth connection from my phone. I found it handier to do that rather than switching off the device. I'm surprised I'm in the minority.


  • Posts: 0 [Deleted User]


    robinph wrote: »
    KyrussB is claiming that it is a major exploit, in all phones, that will affect the majority of phone users.

    Their only mention of small number of users is in relation to the belief that people don't have Bluetooth turned on permanently on their phones.

    Fair enough. That's not how I interpreted it.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    I have two battery powered bluetooth speakers and bluetooth headphones. All of those devices switch off on their own if I close the bluetooth connection from my phone. I found it handier to do that rather than switching off the device. I'm surprised I'm in the minority.

    Fair enough, but then you have two things to switch on each time you want to connect them back up again.


  • Posts: 0 [Deleted User]


    robinph wrote: »
    Fair enough, but then you have two things to switch on each time you want to connect them back up again.

    Yeah absolutely. In the case of the headphones, it has no button to power them off. I have to do a long press to turn off bluetooth. On occasion I actually haven't switched it off and drained the whole battery; a pain if you're about to head out and suddenly realise this. Switching off the bluetooth from my phone makes sure. It's a habit I've gotten into. A very niche use case apparently. I'm genuinely surprised everyone is going around with bluetooth constantly on. Well I'm one of you now with this new app :)


  • Posts: 0 [Deleted User]


    NDWC wrote: »
    Feck sake lads ye're not working for the CIA, nobody gives a **** about your data or movements or whatever, just download the app. Simple

    Yikes. Wanna download my app? It's secure, I swear.

    I freely give away my data and don't hugely care. It doesn't mean I don't care about the security of all these apps. The government releasing an app is especially interesting. In my opinion, they've absolutely nailed it with their transparency.


  • Registered Users Posts: 4,470 ✭✭✭tobefrank321


    KyussB wrote: »
    It's a software exploit not a biological virus...A huge proportion of phones are Android, and huge proportion of Android devices (up to 40%) don't get regular security updates.

    Walking through a city, you're guaranteed to pass a significant number of affected devices.

    The app seems to be only compatible with more recent and higher spec phones, the type that do get regular security updates.

    Also, those most inclined to install the app are fairly tech savvy and also inclined to install updates.

    We don't live in a zero risk world, there is a risk to everything, but you have to balance those risks to get by.


  • Registered Users Posts: 4,470 ✭✭✭tobefrank321


    I find it ironic that people sign up to linkedin, twitter, facebook and so on which hold a sh*tload of their personal data but then are fearful of some new app which has completely anonymised data.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    robinph wrote: »
    KyrussB is claiming that it is a major exploit, in all phones, that will affect the majority of phone users.

    Their only mention of small number of users is in relation to the belief that people don't have Bluetooth turned on permanently on their phones.
    robinph wrote: »
    As previously stated, you can claim that all android 8/9 users have failed to update if you want. That still only leaves you with a maximum of 28% of phones in use that are vulnerable. Nothing like your claims about it being a major exploit affecting the majority of users.
    If you keep lying about what I say I'll have to report it - you know I didn't say that.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    Fair enough. That's not how I interpreted it.
    That wasn't what I said - that poster (along with innumerable others in the thread so far) has been wilfully lying about what I've said.


  • Registered Users Posts: 9,925 ✭✭✭spookwoman


    KyussB wrote: »
    That certainly makes it harder alright. It's still usable to track, and there is potential to be able to time the switches (even though a 10 min random variance is a lot), but if there aren't too many other devices around, it should be quite trackable.

    KyussB wrote: »
    The first two paragraphs are certainly true - you would have to be following someone, and that's the situation I'm considering here - potentially you could be reliably following them from a very far distance, which is still a big privacy concern in a lot of ways.

    Rather than being a bug, though - it seems like a design fault, that I'm not sure how they would fix.
    KyussB wrote: »
    Anyone with any familiarity with software/programming, knows that with brand new frameworks like the exposure API, the risk of exploits is high, not low - and should further judge the risk as high due to existing vulnerability disclosures for the framework used, and that there does not appear to be protection against detecting unique id switchovers.

    What you've described isn't critical thinking - it's assuming - despite evidence to the contrary.
    KyussB wrote: »
    Using bluetooth in your car isn't "all the time" - the entire point of the covid app is that you're constantly using bluetooth everywhere you go, at every moment - THAT is all the time, that is way more than just in your car!

    A significant percentage of covid contacts logged on your phone, become potential malware vectors now if you have a vulnerable device yourself, thanks to this exploit.

    Versions 8 and 9 are still affected, as not all devices get updates...

    You're completely playing down the severity of this exploit - a significant percentage of devices currently in use are wide open to this exploit - and the requirements of the covid app, to leave bluetooth running all the time, make it possible for malware using this exploit to travel much faster and more widely, if exploitable to hop between vulnerable devices - than before the covid app...
    KyussB wrote: »
    It absolutely does make sense to tie it to this app - because this app is going to have people using bluetooth all the time, where they did not before - pretty much making it worthwhile to start developing in-the-wild exploits for this issue. Bluetooth is not designed to be used in the way the covid app requires - and using it in that way massively increases the damage such an exploit can cause.

    Versions 8 and 9 are affected - not all devices have security updates happening automatically or frequently.

    If the bluetooth vulnerability can be exploited using the phones that are vulnerable (as in, malware developed to go from one vulnerable devices to another), then this does not require the person exploiting to be within metres - it only requires passing by someone who has already been hit by such malware - ironically making it spread like a particularly virulent physical virus...

    Not everyone can afford to buy new phones all the time - neither is it sensible for people to be doing so. Phones should last at least half a decade before being replaced, if not much longer.
    KyussB wrote: »
    Another security consideration with this is the Bluetooth protocol itself - I deliberately have it disabled due to a long history of security issues - and earlier this year the 'BlueFrag' issue was discovered, which allows remote code execution over bluetooth on many Android devices - and it's not possible to update the OS to fix this on many phones:
    https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/

    Bluetooth is NOT SECURE, and now there is going to be a huge motivation for people to make use of existing exploits for it - and to search out new ones - with a huge number of people not being able to update their devices to plug these security issues.

    In the case of the exploit above, access to everything on your phone is possible, if you aren't patched up - which can then be uploaded over data/wifi - and there is potential for a situation where malware is developed that remains on your phone and hops onto other vulnerable bluetooth devices nearby.

    This is a privacy nightmare waiting to happen, despite the best efforts of the developers. People are mad to be using this - bluetooth is not secure, and if you do even a quick read up on recent bluetooth exploits from the past few years, there are a number of critical vulnerabilities that give full access to devices.

    If you are going to install this app, update your phone's firmware and OS to the latest software - if it's android based, make sure the latest update for your OS is from at least February this year if not using Android 10, or it will be vulnerable.

    Easy to read what you are saying as a major exploit.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    KyussB wrote: »
    If you keep lying about what I say I'll have to report it - you know I didn't say that.

    I'll retract the all if that makes you feel better.

    As for your claims of 40% of Android users being vulnerable and that the majority of people don't have Bluetooth turned on, or the suggestion regarding Bluetooth drones, or the claims about it being a high risk vulnerability in the OS that is going to be used to track people I think we can see what was being said OK thanks.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    spookwoman wrote: »
    Easy to read what you are saying as a major exploit.
    We're all agreed after about twenty pages that this is not a major exploit, and can move on - excellent. That was well worth it.

    Has anyone been talking to people who will not install the app, and what reasons did they give?


  • Closed Accounts Posts: 1,297 ✭✭✭Gooey Looey


    hmmm wrote: »
    We're all agreed after about twenty pages that this is not a major exploit, and can move on - excellent. That was well worth it.

    Has anyone been talking to people who will not install the app, and what reasons did they give?

    I have a guy I work with refusing to install it saying "I don't want to give the Irish government any data". I said "it's the HSE, they don't get any data and anyway they already have your data, it's in a folder in their medical records room, you'll have seen it each time you go to the hospital for a checkup. What info can you give them that they don't already have?"

    Today I found out his smart watch is 2 minutes out of sync with mine, I'm not sure how that's possible, it takes a special type!!


  • Registered Users Posts: 1,307 ✭✭✭eeepaulo


    hmmm wrote: »
    We're all agreed after about twenty pages that this is not a major exploit, and can move on - excellent. That was well worth it.

    Has anyone been talking to people who will not install the app, and what reasons did they give?

    Well, I was going to, then this tech genius convinced me that protecting my phone from a potential (but as yet non-existent) bluetooth issue is much more important than protecting my friends, colleagues and family from a potential contact I may have in the preceding couple of days. (threat actually exists)

    Phew, close one.


  • Posts: 0 [Deleted User]


    hmmm wrote: »
    We're all agreed after about twenty pages that this is not a major exploit, and can move on - excellent. That was well worth it.

    Has anyone been talking to people who will not install the app, and what reasons did they give?

    A friend of mine hasn't gotten far too into 4chan recently and I'm genuinely worried
    It's compliance training
    Do you really need another app that you neurotically check out of fear of an "invisible enemy". An app is not going to save you, they might not be tracking you but they book you in for phone calls from the government if you're a suspect... all this does is feed fear imo and urges the user to comply with further governmental oversight into their private lives

    Terms and conditions are always changing and information is always being "hacked" and accidentally sold... wooooops
    Their reassurances are reassuring but their record is truly revealing..

    I'm sure the program runs well, it's the people running it I don't trust, whether they're ignorant or nefarious makes no difference. I just don't trust them, they ran the global society well for a half a century or so but just looking at the way society has gone recently and how the wealth inequality has gone recently leads me to no longer trust them, I trust that they will continue to operate in the way they have set up their system to operate. I'm not saying the system needs to be changed but sometimes the policy does.

    It's compliance training, most people will give it full access, they're studying compliance of people and how they will react to greater government oversight.... Or maybe they're not, maybe I'm the only one to think of it being used this way, and maybe data isn't extremely valuable these days

    It's like how they design slaughter houses to be long boring trips for the cows that they step in and out of contained boxes then they stand in the last box, completely compliant


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    A friend of mine hasn't gotten far too into 4chan recently and I'm genuinely worried
    Oof that's pretty hard core conspiracy stuff. Sorry to hear that.


  • Closed Accounts Posts: 491 ✭✭YellowBucket


    To be quite honest, I think if you challenge a conspiracy theorist with facts, they just come up with another conspiracy theory and if you continue to challenge them, you become part of their conspiracy theory.

    I tend to find it a fairly pointless exercise.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    spookwoman wrote: »
    Easy to read what you are saying as a major exploit.
    There are two different issues, the first is the bluetooth BlueFrag exploit, that only affects Android version below 10, not all devices (that is the major exploit, allowing code execution) - the second is the frequency of bluetooth beacon (it broadcasts repeatedly in seconds instead of the usual minutes), and how that breaks bluetooth privacy, making devices more identifiable despite the devs trying to minimize this risk (this affects all devices running the covid app - but is not a major exploit like the first - it does carry privacy concerns though).

    In the quotes you list, the first 3 quotes are for the less-severe privacy issue affecting all devices - the rest of the quotes after that are for the more-severe issue affecting only a subset of Android devices.

    The issue I was taking with the other poster, is that they know I was not saying the Android-only exploit affects all devices - yet were dishonestly citing me as saying that, to attack my arguments - despite me being at pains to be clear about the difference between each issue.


  • Closed Accounts Posts: 1,297 ✭✭✭Gooey Looey


    KyussB wrote: »
    There are two different issues, the first is the bluetooth BlueFrag exploit, that only affects Android version below 10, not all devices (that is the major exploit, allowing code execution) - the second is the frequency of bluetooth beacon (it broadcasts repeatedly in seconds instead of the usual minutes), and how that breaks bluetooth privacy, making devices more identifiable despite the devs trying to minimize this risk (this affects all devices running the covid app - but is not a major exploit like the first - it does carry privacy concerns though).

    In the quotes you list, the first 3 quotes are for the less-severe privacy issue affecting all devices - the rest of the quotes after that are for the more-severe issue affecting only a subset of Android devices.

    The issue I was taking with the other poster, is that they know I was not saying the Android-only exploit affects all devices - yet were dishonestly citing me as saying that, to attack my arguments - despite me being at pains to be clear about the difference between each issue.

    FFS give it a rest, nobody cares. Make a thread!


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    robinph wrote: »
    I'll retract the all if that makes you feel better.

    As for your claims of 40% of Android users being vulnerable and that the majority of people don't have Bluetooth turned on, or the suggestion regarding Bluetooth drones, or the claims about it being a high risk vulnerability in the OS that is going to be used to track people I think we can see what was being said OK thanks.
    I did not say 40% of android users are vulnerable - I said "up to 40% of android devices do not receive security updates", which is not the same as them being vulnerable - I did not say the Android exploit would be used to track people, you are again knowingly conflating that with a different issue that is not the same as the android exploit.

    Do not cite anything from me, that you are not directly quoting - not linking to it, quoting it, and not quote-mining where you cut up sentences or leave out context...

    If you can't help putting words in my mouth that I did not say, then stop replying to me. It is a waste of time for me to be replying to you, when the only purpose of that is to correct your deliberate misrepresentations of what I said - I'm already trying not to reply to you at all, and that forces me to.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    So in other news that is actually relevant to the Covid app, for some of us at least, the Irish app is no longer appearing in a search for the app on the UK Google store for some reason (possibly the NI version is imminent). Although it is still possible to download the Irish app in the UK if you find the direct link to it.

    Similarly the German app is now also downloadable in the UK, but can't be found from a search on the store:
    https://www.bundesregierung.de/breg-de/themen/corona-warn-app

    The app seems to be all in English and the method of activating the uploading of your codes in the event of a positive test seems to be possible by either scanning a QR code or entering a code like the Irish app. Guess this is to cover multiple countries methods for confirming the positive tests.

    Also seems to have a way to see how many people you may have come into contact with who are using the app with an exposure logging feature. I'd be very surprised if that registers any contacts for me as nobody round here is going to be running any app. Would be interesting if it did register any exposure in Ireland though as that would show if the international apps really do work together or if we'd need to download a different one for every country in the future.


  • Registered Users Posts: 11,262 ✭✭✭✭jester77


    I read somewhere, can't find it now, that Apple and Google were originally limiting the search of Corona apps to just the local version. So if you are registered in the Irish play store, you will only find the Irish app. Don't know if they are still doing this, but I guess it makes sense to avoid people installing the wrong app for their area.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    jester77 wrote: »
    I read somewhere, can't find it now, that Apple and Google were originally limiting the search of Corona apps to just the local version. So if you are registered in the Irish play store, you will only find the Irish app. Don't know if they are still doing this, but I guess it makes sense to avoid people installing the wrong app for their area.
    Seems that they have actually lifted the geo blocks on all apps now as the French and Australian ones are now downloadable, just the search from within the Play store which will only show the local one, or none in my case today. It did show the Irish one yesterday.

    I had looked at the download pages for the Australia one a week or so ago and the download was blocked then.


  • Registered Users Posts: 7,198 ✭✭✭plodder


    KyussB wrote: »
    I said they didn't dispute it - you can't prove a negative. You are claiming they do dispute it, something which is provable/citable - you need to quote that.
    Well the link on the Mitre page says the report is "disputed", but let's look at the conversation and try and pin it down some more. It was over and back a bit. Initially, Google said there was no bug. Then they said there might be. And then they said it doesn't reduce privacy anyway. So, then the bug reporter says:
    reporter wrote:
    "I need you to understand the big picture. This is not a Won't Fix issue if the first app goes to a court here in Europe. I will write an agent simulation to validate my expectations..."
    The google engineer then replied:
    I think the simulation won't find a statistically significant improvement in tracking ...
    They also then replied that they wouldn't be making an award to the reporter under their Vulnerability Reward Program.

    The reporter then seems to acknowledge that there is no statistical improvement in tracking and he seems to change the issue to be about the fact that the ExposureNotification service is doing much higher level of advertising compared to other Bluetooth services. The Google engineer acknowledges this switch and the thread goes quiet. I think they are thinking they have put more than enough time into this report already and it certainly doesn't sound to me like them accepting the issue is a vulnerability.


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    plodder wrote: »
    Well the link on the Mitre page says the report is "disputed", but let's look at the conversation and try and pin it down some more. It was over and back a bit. Initially, Google said there was no bug. Then they said there might be. And then they said it doesn't reduce privacy anyway. So, then the bug reporter says:

    The google engineer then replied:

    They also then replied that they wouldn't be making an award to the reporter under their Vulnerability Reward Program.

    The reporter then seems to acknowledge that there is no statistical improvement in tracking and he seems to change the issue to be about the fact that the ExposureNotification service is doing much higher level of advertising compared to other Bluetooth services. The Google engineer acknowledges this switch and the thread goes quiet. I think they are thinking they have put more than enough time into this report already and it certainly doesn't sound to me like them accepting the issue is a vulnerability.
    Yet in the discussion between Google and the security researcher, the timing issue is NOT disputed - only the MAC/UID sync issue...The simulation is for the MAC/UID issue, not the timing issue...

    In the discussion he even says the timing issue is not relevant for the CVE - so the disputed status for the CVE, does not represent a dispute of the timing issue.

    So Google does not dispute the timing issue - you can not cite them as saying they do. All I have ever said, is that they don't dispute it - I did not make the claim that they accept it either. You made the claim that they dispute the timing issue though, which they do not - and you're fully aware that what you're quoting only related to the MAC/UID issue.


  • Registered Users Posts: 7,198 ✭✭✭plodder


    KyussB wrote: »
    Yet in the discussion between Google and the security researcher, the timing issue is NOT disputed - only the MAC/UID sync issue...The simulation is for the MAC/UID issue, not the timing issue...

    In the discussion he even says the timing issue is not relevant for the CVE - so the disputed status for the CVE, does not represent a dispute of the timing issue.

    So Google does not dispute the timing issue - you can not cite them as saying they do. All I have ever said, is that they don't dispute it - I did not make the claim that they accept it either. You made the claim that they dispute the timing issue though, which they do not - and you're fully aware that what you're quoting only related to the MAC/UID issue.
    No. What happened is their initial evaluation of the issue was incorrect as they had claimed that the MAC and RPI roll over synchronously, which is not always the case. So, they opened a bug on the issue. That is the part they do not dispute.

    The conversation then went on to discuss the security implications of the issue and they do not accept the issue is a security vulnerability - the point being that statistically the phones rotate both the MAC and RPI on average every 15 minutes and the tracking protection is equivalent.

    I realise this conversation is way out of scope for this thread. So, I'd ask you again to point out where in the conversation (that you posted) did Google accept that the issue is a vulnerability. Don't reply with "can't prove a negative". It's either in the conversation or it isn't. Either do that or just drop it and come back if further information comes to light which shows they do accept it. I think we should keep technical talk out of this. The only thing potentially interesting to other people would be whether Google accept it's a vulnerability (or maybe if some respected third party thinks it is).

    It may technically be a bug, because the code is doing something different to what the specification said it should do. But, (they say) it is not a security issue. My guess is that they will not fix it because they don't need to. And that is the reason why we aren't hearing all about it in the media.
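    The two posts above argue over whether the MAC and the RPI rolling over together or separately makes any difference to tracking. As an added illustration for this thread (my own model, not code from Google, the HSE app or the bug report), the Python below compares how far a passive observer could chain identifiers under synchronous, staggered and independently jittered rotation. The 15-minute period, the 10-minute variance and the observer model (link any two sightings that share a MAC or an RPI) are assumptions.

```python
"""
Toy model of identifier rotation in a GAEN-style BLE beacon.

Added example for this thread, not code from Google, the HSE app or the bug
report under discussion. Assumptions: the beacon carries a Bluetooth MAC and a
Rolling Proximity Identifier (RPI); a passive observer records each distinct
(mac, rpi) pair seen on air and links two records that share either field.
Epoch numbers stand in for the random identifier values (constructed data).
"""
from bisect import bisect_right
from collections import Counter
import random

PERIOD = 15 * 60      # seconds; average rotation interval quoted in the thread
VARIANCE = 10 * 60    # seconds; the "10 min random variance" mentioned above


def synchronous_schedule(duration, period=PERIOD):
    """MAC and RPI rotate at the same instants (what the specification intends)."""
    times = list(range(0, duration, period))
    return times, list(times)


def staggered_schedule(duration, period=PERIOD, offset=PERIOD // 2):
    """RPI rotation fixed half a period after MAC rotation (worst-case desync)."""
    mac = list(range(0, duration, period))
    rpi = [0] + list(range(offset, duration, period))
    return mac, rpi


def jittered_schedule(duration, rng, period=PERIOD, jitter=VARIANCE):
    """Each identifier rotates on its own clock, every period +/- jitter seconds."""
    def one_clock():
        times, t = [0], 0
        while True:
            t += period + rng.randint(-jitter, jitter)
            if t >= duration:
                return times
            times.append(t)
    return one_clock(), one_clock()


def observed_pairs(mac_changes, rpi_changes):
    """Distinct (mac_epoch, rpi_epoch) pairs an observer sees, in air order."""
    pairs = []
    for t in sorted(set(mac_changes) | set(rpi_changes)):
        pair = (bisect_right(mac_changes, t) - 1, bisect_right(rpi_changes, t) - 1)
        if not pairs or pairs[-1] != pair:
            pairs.append(pair)
    return pairs


def longest_linkable_run(pairs):
    """Size of the largest cluster of sightings joined by a shared MAC or RPI.
    1 means every identity change was a clean break; len(pairs) means the
    observer could chain the whole session together."""
    parent = list(range(len(pairs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    last_seen_mac, last_seen_rpi = {}, {}
    for i, (mac, rpi) in enumerate(pairs):
        for key, seen in ((mac, last_seen_mac), (rpi, last_seen_rpi)):
            if key in seen:
                parent[find(i)] = find(seen[key])   # union with earlier sighting
            seen[key] = i
    if not pairs:
        return 0
    return max(Counter(find(i) for i in range(len(pairs))).values())


def linkability(schedule):
    """Return (number of observed pairs, longest linkable run) for a schedule."""
    pairs = observed_pairs(*schedule)
    return len(pairs), longest_linkable_run(pairs)


if __name__ == "__main__":
    four_hours = 4 * 3600
    print("synchronous:", linkability(synchronous_schedule(four_hours)))
    print("staggered:  ", linkability(staggered_schedule(four_hours)))
    print("jittered:   ", linkability(jittered_schedule(four_hours, random.Random(1))))
```

    Over four hours the synchronous schedule gives 16 sightings with a longest run of 1, while the staggered schedule gives 32 sightings that all chain into one run.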


  • Registered Users Posts: 2,314 ✭✭✭KyussB


    I've repeated to you several times: The MAC/RPI issue, is not the timing issue. They do not dispute the timing issue (which is down to the frequency that the beacon advertises), which applies regardless of the MAC/RPI switchover sync.

    Read the last few emails in the link.

    Google did not reject the timing issue. I did not say they accept the timing issue, I said they did not reject it. You say they reject the timing issue, but you point to the MAC/RPI issue, which is not the same.

    Before you reply again: Do you understand the difference between the MAC/RPI sync issue, and the separate beacon advertising frequency timing issue?


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,092 Mod ✭✭✭✭robinph


    Before you reply again, do you understand the difference between something that is a problem and something that isn't a problem?

    For example, it is a problem if people don't download the Covid tracking app in sufficient numbers to make it useful in tracking the spread in public areas and helping to limit its spread. It isn't a problem if in downloading the app and Google/Apple enabling its functionality a very small number of people's phones might theoretically be vulnerable to a hack that nobody has actually ever made use of due to a minor bug in a system that has been in existence for long before this app came out.


  • Registered Users Posts: 7,198 ✭✭✭plodder


    Anyone who wants to can see the CVE from this link at nist.gov

    https://nvd.nist.gov/vuln/detail/CVE-2020-13702

    The very first word of the report is ** DISPUTED **

    I don't think there is much else to be said about it, at this point.


  • Politics Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 22,655 Mod ✭✭✭✭Tokyo


    KyussB wrote: »
    Before you reply again: Do you understand the difference between the MAC/RPI sync issue, and the separate beacon advertising frequency timing issue?

    Mod: I do.

    I also know it's not a current affair. Let's save the standards breakdown for a more appropriate forum.

