
SoylentNews is people

posted by Fnord666 on Tuesday June 16 2020, @10:23AM
from the defeats-the-purpose dept.

Locked iPhones rendered almost useless in Australia's COVIDSafe tracking efforts:

Software engineer Richard Nelson, who was part of a team of researchers that found other bugs in COVIDSafe, has detailed a bug affecting iPhone users, rendering their device basically useless when it comes to tracking efforts.

A locked iPhone with an expired ID cannot generate a new ID. Without an ID, Nelson said the device will record other devices around it, but cannot be recorded by others.

"A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged," he wrote.

"One could imagine Alice packing her bag, putting her iPhone in and going out for the day to a football game. With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted."

[...] Nelson told ZDNet that if the iPhone user was to unlock their phone, but not necessarily open the COVIDSafe app, a new ID would be fetched.

"If Alice's device was locked and had an expired token, and Alice then unlocks her device to check email, for example, and if Bob's device then scans and picks up Alice's device, Bob will be able to read Alice's ID," Nelson added.

But if the device is locked again first, it won't be read.


  • (Score: 3, Insightful) by lentilla on Tuesday June 16 2020, @02:30PM (2 children)


    No, I suspect the programmers were trying to do the right thing - they just came unstuck when the API behaved in an unexpected way. Every smart programmer knows not to roll their own cryptography, so (and this is pure conjecture here) they tried to use a crypto-API to generate a properly salted hash (the TempID). Unfortunately, Apple's version refuses to work when the phone is locked (an easily defensible, smart design decision). Unfortunately for all concerned, the functional tests didn't cover that edge case.

  • (Score: 3, Funny) by FatPhil on Tuesday June 16 2020, @03:42PM (1 child)

    When "being locked" is an edge case, then these damned youngsters are on their phones too much!
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 1, Insightful) by Anonymous Coward on Tuesday June 16 2020, @07:55PM


      Being pinged, while locked, and having an expired session ID.

      Not saying it shouldn't have been caught by test, but don't pretend it is JUST about being locked.