
SoylentNews is people

posted by martyb on Friday August 21 2020, @01:57PM
from the eye-see-you dept.

College contact-tracing app readily leaked personal data, report finds:

In an attempt to mitigate the potential spread of COVID-19, one Michigan college is requiring all students to install an app that will track their live locations at all times. Unfortunately, researchers have already found two major vulnerabilities in the app that can expose students' personal and health data.

Albion College informed students two weeks before the start of the fall term that they would be required to install and run the contact tracing app, called Aura.

[...] Aura, however, goes all in on real-time location-tracking instead, as TechCrunch reports. The app collects students' names, location, and COVID-19 status, then generates a QR code containing that information.

[...] TechCrunch used a network analysis tool to discover that the code was not generated on a device but rather on a hidden Aura website—and that TechCrunch could then easily change the account number in the URL to generate new QR codes for other accounts and receive access to other individuals' personal data.

A student at Albion, looking into the app's source code, also found hard-coded security keys for the app's backend servers. A researcher took a look and verified that those keys gave access to "patient data, including COVID-19 test results with names, addresses, and dates of birth," TechCrunch reports.
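The account-number flaw reported above comes down to a server that returns whichever record the URL names without checking who is asking. The sketch below is an added example, not Aura's code and not part of the quoted article: it sets that pattern beside an ownership check and a log review that surfaces sessions requesting accounts other than their own. All names, accounts, sessions and log rows are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: account number -> data the QR code would encode.
ACCOUNTS = {
    1001: {"name": "Student A", "covid_status": "negative"},
    1002: {"name": "Student B", "covid_status": "positive"},
}
# Constructed session store: session token -> account the user logged in as.
SESSIONS = {"sess-a": 1001, "sess-b": 1002}


def qr_payload_unchecked(account_id):
    """The reported pattern: whatever account number is in the URL is served."""
    record = ACCOUNTS.get(account_id)
    return None if record is None else {"account": account_id, **record}


def qr_payload_checked(session_token, account_id):
    """Serve a record only to the authenticated owner of that account."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None  # no valid session
    if owner != account_id or account_id not in ACCOUNTS:
        # Same answer for "not yours" and "does not exist", so the
        # response cannot be used to learn which account numbers are valid.
        return 404, None
    return 200, {"account": account_id, **ACCOUNTS[account_id]}


def sessions_requesting_other_accounts(request_log):
    """Return {session: sorted foreign account ids} from (session, account_id) rows."""
    foreign = defaultdict(set)
    for session_token, account_id in request_log:
        if SESSIONS.get(session_token) != account_id:
            foreign[session_token].add(account_id)
    return {s: sorted(ids) for s, ids in foreign.items()}


# Constructed request log: sess-a reads its own code, sess-b walks the id space.
SAMPLE_LOG = [("sess-a", 1001), ("sess-b", 1002), ("sess-b", 1001), ("sess-b", 1003)]

if __name__ == "__main__":
    print(qr_payload_unchecked(1002))          # served to anyone who asks
    print(qr_payload_checked("sess-a", 1002))  # refused: not the owner
    print(qr_payload_checked("sess-a", 1001))  # served to the owner
    print(sessions_requesting_other_accounts(SAMPLE_LOG))
```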


This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by slinches on Friday August 21 2020, @06:10PM (13 children)

    by slinches (5049) on Friday August 21 2020, @06:10PM (#1040010)

    It does require location data if it's going to be effective. Not everyone (likely far less than 50%) will have the app and potential infection risk to/from the majority who don't cannot be identified unless there's time and location data to tie it to other tracing/tracking systems.

  • (Score: 0) by Anonymous Coward on Friday August 21 2020, @06:50PM (1 child)

    by Anonymous Coward on Friday August 21 2020, @06:50PM (#1040034)

    What? No! It requires proximity data and universal cellphone ownership, NOT location data! Network interactions don't give a fuck if your covid party is on a boat, downtown, or in a field. They care about who's in the interaction. Midrange bluetooth, for example, probably would suffice; ultrasonic would suffice; common WiFi or functions thereof could suffice.

    • (Score: 2) by c0lo on Friday August 21 2020, @07:49PM

      by c0lo (156) Subscriber Badge on Friday August 21 2020, @07:49PM (#1040066) Journal

      It requires proximity data and universal cellphone ownership, NOT location data!

      FTFY
      One can see benefits starting from about 40% of the population using it.
      Paradoxically, if all the population is using it, the rate of false positives generated may actually be damaging by overflowing the capacity of testing.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 2) by c0lo on Friday August 21 2020, @07:10PM (10 children)

    by c0lo (156) Subscriber Badge on Friday August 21 2020, @07:10PM (#1040042) Journal

    It does require location data if it's going to be effective.

    No, it doesn't. The GPS precision for civilian application is 4.7m in the best conditions, 7.8m with 95% confidence. When indoors - where actually contact matters a lot more than outside - the GPS goes down and the best one can do is to triangulate on radio-towers; with heaps of reflections and attenuations while indoors, good luck getting it with better accuracy than 20m.
    Even more, not everybody has location tracking enabled (mine is globally disabled most of the time) - heck, not everybody has the application installed or carry a smartphone.

    Contact tracing is based on bluetooth - low emission power, typical range at 10m, most of the time the signal is gone at 20m. The strength of the signal is a good-enough indication of the proximity. That's how Androids and iOS-es record "contact" - two mobiles see each other by bluetooth for longer than X minutes.

    ---

    Besides, nobody says contact tracing is a silver bullet, only that it helps. It will have a good amount of errors, both false negative (e.g. you get infected from a surface touched by the carrier 30mins ago) and false positive (e.g. you can safely stay at a 0.5m distance from the carrier for days on end just because there's a plaster wall between you two - think quarantine hotel rooms).

    Like also wearing a mask helps, even if it's not a 100% guarantee; but a bit of reduction here, another there and so the Re gets subunitary.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 0, Disagree) by Anonymous Coward on Friday August 21 2020, @07:21PM (8 children)

      by Anonymous Coward on Friday August 21 2020, @07:21PM (#1040050)

      At best you just drag out the epidemic.
      It's already over in Sweden: herd immunity has pretty much been achieved now.
      Let the frail and elderly be protected from the virus and all others (including adults) live their lives as they see fit. This virus is no different than all the others. It will burn itself out. The data shows it already is.

      • (Score: 2) by c0lo on Friday August 21 2020, @07:36PM

        by c0lo (156) Subscriber Badge on Friday August 21 2020, @07:36PM (#1040060) Journal

        At best you just drag out the epidemic.

        You mean save tens/hundreds of thousands of lives, until effective vaccines/medication get on the market.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 1, Informative) by Anonymous Coward on Saturday August 22 2020, @03:39PM (6 children)

        by Anonymous Coward on Saturday August 22 2020, @03:39PM (#1040423)

        It's already over in Sweden: herd immunity has pretty much been achieved now.

        Why are idiots like you too stupid to actually google things and find out?

        https://covid19-country-overviews.ecdc.europa.eu/#33_sweden [europa.eu]

        The 2 week covid rates are notching up again. They are already at up to 50/100,000 which is enough to trigger travel warnings from the sane countries. 50+ means "outbreak". And Sweden has had public gathering cancellations and remote working for MONTHS.

        https://www.reuters.com/article/us-health-coronavirus-sweden-toll/coronavirus-pushes-swedish-deaths-to-highest-since-1993-in-april-idUSKBN22U1S4 [reuters.com]

        next mark for Sweden is 1918 flu deaths. yay!!

        https://medicalxpress.com/news/2020-08-covid-herd-immunity-sweden-materialize.html [medicalxpress.com]

        The health authorities predicted that 40% of the Stockholm population would have had the disease and acquired antibodies by May 2020. However, the actual prevalence figure was around 15%. While clinical and research findings suggest that severely infected COVID-19 patients do acquire antibodies in the immediate and early recovery phase of their illness, antibodies are much less commonly found in only mildly ill or asymptomatic patients. This means they are very likely not to be immune, and so cannot act as a bulwark against further spread of infection amongst the community.

        • (Score: 0) by Anonymous Coward on Saturday August 22 2020, @04:05PM (5 children)

          by Anonymous Coward on Saturday August 22 2020, @04:05PM (#1040432)

          Yeah, I saw the Swedish public health agency announced 5 persons died last week. 20 the week before.

          If that isn't justification to keep us all locked down, what is?

          I understand that governments want to push the propaganda that their imprisoning the healthy population was somehow the right thing to do, even given Sweden's experience. I don't understand how some Joe sitting at home can cheerlead for that. Perhaps you are living well on your government check?

          • (Score: 1, Insightful) by Anonymous Coward on Saturday August 22 2020, @04:54PM (2 children)

            by Anonymous Coward on Saturday August 22 2020, @04:54PM (#1040449)

            "Better safe than sorry" is a philosophy that very many people espouse. Macho man "who gives a fuck about less than a percent mortality" only appeals to those without family or loved ones.

            • (Score: 0) by Anonymous Coward on Tuesday August 25 2020, @05:03PM (1 child)

              by Anonymous Coward on Tuesday August 25 2020, @05:03PM (#1041702)

              You can only live that philosophy if someone is paying you to live for free.

              • (Score: 2) by acid andy on Tuesday August 25 2020, @05:32PM

                by acid andy (1683) on Tuesday August 25 2020, @05:32PM (#1041713) Homepage Journal

                Not if you're living on money you earned. Some people are lucky enough to work from home.

                --
                If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
          • (Score: 2) by acid andy on Saturday August 22 2020, @10:58PM (1 child)

            by acid andy (1683) on Saturday August 22 2020, @10:58PM (#1040546) Homepage Journal

            You're assuming there are no serious longer term effects on the healthy population that are infected and recover, such as shortened life expectancy. No-one knows that yet.

            --
            If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
            • (Score: 0) by Anonymous Coward on Tuesday August 25 2020, @05:05PM

              by Anonymous Coward on Tuesday August 25 2020, @05:05PM (#1041703)

              We don't know yet if the sun is going to explode tomorrow.

              And Sweden has so far not yet called for attention to any supposed Covid cripples.

    • (Score: 2) by slinches on Friday August 21 2020, @08:17PM

      by slinches (5049) on Friday August 21 2020, @08:17PM (#1040074)

      The bluetooth proximity detection system is only effective if enough people use it. I don't know the market penetration rate in the US now, but I suspect it's in the low single digits. At that rate it's almost entirely useless and I don't see it picking up unless it's forced on people.

      The way to make the system effective with such a low utilization would be to combine both bluetooth proximity and location tracking to identify the group settings where transmission occurred. Then people who were there, but don't/can't use the tracking app would still be able to determine exposures by monitoring public notices. Either way, you're not going to get widespread voluntary participation so you might as well take the most advantage of the data from those who don't mind being tracked.