SoylentNews is people

posted by Fnord666 on Tuesday June 16 2020, @10:23AM
from the defeats-the-purpose dept.

Locked iPhones rendered almost useless in Australia's COVIDSafe tracking efforts:

Software engineer Richard Nelson, who was part of a team of researchers that found other bugs in COVIDSafe, has detailed a bug affecting iPhone users, rendering their device basically useless when it comes to tracking efforts.

A locked iPhone with an expired ID cannot generate a new ID. Without an ID, Nelson said the device will record other devices around it, but cannot be recorded by others.

"A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged," he wrote.

"One could imagine Alice packing her bag, putting her iPhone in and going out for the day to a football game. With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted."

[...] Nelson told ZDNet that if the iPhone user was to unlock their phone, but not necessarily open the COVIDSafe app, a new ID would be fetched.

"If Alice's device was locked and had an expired token, and Alice then unlocks her device to check email, for example, and if Bob's device then scans and picks up Alice's device, Bob will be able to read Alice's ID," Nelson added.

But if the device is locked again first, it won't be read.


  • (Score: 0) by Anonymous Coward on Tuesday June 16 2020, @09:43PM (#1008858)

    I like having a device in my pocket that makes calls and can look up information. I don't want to live behind shuttered windows, and to only do cash-in-hand jobs simply to hide from The Man.

    AC you replied to here. I agree. I do carry my phone (a smartphone -- powered on) with me most of the time myself. I even have (*gasp*) bank accounts and credit cards.

    I do so because it makes a big difference in convenience. I will say that I disable GPS and location tracking on my phone, have an email address not directly associated with me configured on my phone, don't *ever* use that email address, and use cash for some purchases as well.

    It's not perfect. Hell, it's not even good. But I am cognizant of the issues and have accepted that there are trade-offs between security and convenience.

    And I do so with the full knowledge that my bank and my cell provider have detailed information about what I buy and where I go. I accept that trade-off, well aware that should the government wish to obtain that information, they can do so [wikipedia.org].

    Better to complain than to remain silent - especially at times like these when people are more receptive to arguments.

    But it's not the government that's doing the tracking I mentioned, even though (at least in the US) they have access to that data with a warrant (Third-party Doctrine, as I mentioned). My point wasn't that people shouldn't complain, my point was that if you wish to have privacy, especially in this day and age, you need to *proactively* protect it yourself.

    A person complaining that others should be responsible for their privacy is pretty dumb IMHO.

    Too many people aren't concerned and don't even think about the fact that they are *already* being tracked.

    And when they install all manner of insecure apps and store boatloads of sensitive information on their device, they think nothing of it.

    So when folks complain about some new shiny (in this case the contact tracing app) and scream bloody murder that someone is tracking them, it makes pretty much *no* sense at all.

    That's what makes me sick. My apologies if I wasn't clearer in my initial post.