DTA fixed COVIDSafe Bluetooth vulnerability 21 days after it was notified

June 21, 2020
in Internet Security
Australian researchers have published findings that poke further holes into the federal government’s coronavirus contact tracing app COVIDSafe.

Jim Mussared from George Robotics and Alwen Tiu from the Australian National University have highlighted a “silent pairing issue” in Bluetooth-based contact tracing apps, this time on Android.

“This vulnerability allows an attacker to bond silently with an Android phone running a vulnerable version of the app. The bonding process involves exchanges of permanent identifiers of the victim phone: The identity address of the Bluetooth device in the phone and a cryptographic key called Identity Resolving Key (IRK). Either one of these identifiers can be used for long term tracking of the phone,” they wrote.

Explaining the pair’s findings, Mussared on Friday said the issue allows an attacker to silently pair with a user’s phone while it’s running COVIDSafe.

“Once paired, this allows them to permanently track the phone, even after COVIDSafe is uninstalled and even if the phone is factory reset. The way it does this is by exposing the Bluetooth MAC address, which will respond to L2CAP pings,” he added in a tweet.

“Normally you only see a phone’s ‘random’ Resolvable Private Address, which changes on a regular interval, where the identity address that pairing exposes is fixed for the lifetime of the phone. But what else can you do with a phone’s identity MAC address?”
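To make the privacy point in the two quotes above concrete, here is an added example (not code from the researchers, the DTA or the COVIDSafe project) that implements the Bluetooth Core Specification's random-address hash `ah()` and the Resolvable Private Address (RPA) generation and resolution built on it. The IRK and prand `0x708194` in the demo are the Core Spec's published `ah` test vector; the second IRK and the other prand values are constructed for illustration. It shows why address rotation only protects a phone from observers who do not hold its IRK: with the IRK, every rotated address resolves back to the same device, which is the long-term tracking risk described in the article.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// IRK is a 16-byte Identity Resolving Key, written most-significant-byte first,
// the order the Core Spec uses in its worked e() examples (over the air the
// bytes are sent little-endian; that reversal is left out here for clarity).
type IRK [16]byte

// ParseIRK decodes a 32-hex-digit IRK written MSB first.
func ParseIRK(s string) (IRK, error) {
	var k IRK
	b, err := hex.DecodeString(s)
	if err != nil {
		return k, err
	}
	if len(b) != len(k) {
		return k, errors.New("IRK must be exactly 16 bytes")
	}
	copy(k[:], b)
	return k, nil
}

// ah is the Core Spec random-address hash: ah(k, r) = e(k, padding || r) mod 2^24,
// where e is AES-128 and r is the 24-bit prand. It returns the 3 hash bytes MSB first.
func ah(k IRK, prand [3]byte) ([3]byte, error) {
	var h [3]byte
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return h, err
	}
	var msg, out [16]byte
	copy(msg[13:], prand[:]) // 104 zero bits of padding, then prand
	block.Encrypt(out[:], msg[:])
	copy(h[:], out[13:]) // "mod 2^24": keep the low three bytes
	return h, nil
}

// GenerateRPA builds a Resolvable Private Address from an IRK and a 24-bit prand.
// The two most significant bits of prand are forced to 0b01, the spec's marker for
// a resolvable private address, and the address is prand || ah(IRK, prand).
// A phone regenerates this with a fresh prand on each rotation interval.
func GenerateRPA(k IRK, prand [3]byte) ([6]byte, error) {
	var addr [6]byte
	prand[0] = (prand[0] & 0x3f) | 0x40
	h, err := ah(k, prand)
	if err != nil {
		return addr, err
	}
	copy(addr[:3], prand[:])
	copy(addr[3:], h[:])
	return addr, nil
}

// ResolveRPA reports whether addr was produced with k: it recomputes ah over the
// prand half and compares it with the hash half in constant time. Rotation only
// hides the phone from observers who lack the IRK; anyone holding the IRK can link
// every rotated address back to the same device.
func ResolveRPA(k IRK, addr [6]byte) bool {
	if addr[0]>>6 != 0b01 {
		return false // not a resolvable private address at all
	}
	var prand [3]byte
	copy(prand[:], addr[:3])
	h, err := ah(k, prand)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(h[:], addr[3:]) == 1
}

func main() {
	// Core Spec test vector: this IRK with prand 0x708194 hashes to 0x0dfbaa.
	irk, _ := ParseIRK("ec0234a357c8ad05341010a60a397d9b")
	// Constructed second key standing in for some other phone's IRK.
	other, _ := ParseIRK("00112233445566778899aabbccddeeff")
	// Constructed prands representing three rotation intervals of the same phone.
	for _, prand := range [][3]byte{{0x70, 0x81, 0x94}, {0x5a, 0x13, 0xc7}, {0x42, 0xde, 0x01}} {
		addr, _ := GenerateRPA(irk, prand)
		fmt.Printf("RPA %x  resolves with phone's IRK: %v  with other IRK: %v\n",
			addr, ResolveRPA(irk, addr), ResolveRPA(other, addr))
	}
}
```

Running it prints three different addresses that all resolve to `true` under the phone's own IRK and `false` under the unrelated key. The design point follows directly: the IRK is meant to be shared only with trusted bonded peers, so a pairing that completes without the user's knowledge hands a stranger the one secret that undoes address rotation for the lifetime of the phone.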

The issue was reported to the Digital Transformation Agency (DTA) 45 days ago and was fixed in the COVIDSafe 1.0.18 release 24 days ago, 21 days after the agency was notified.

“It’s *really* great that the DTA was able to find a workaround for this, however my concern is that the design of COVIDSafe necessarily depends on using Bluetooth in a way that it was not designed to — namely connecting to any untrusted device that happens to be in range,” he explained.

“This issue was a consequence of not using the Apple/Google Exposure Notification API. If the EN API had been used instead, we’d have a more functional, more reliable, and more secure & trustworthy app,” he also tweeted.

While the local version is fixed, the vulnerability may affect several other contact tracing apps that share a similar architecture, such as Singapore’s TraceTogether and Alberta’s ABTraceTogether, the pair said.

Overnight, the United Kingdom decided to ditch its own contact-tracing app and will instead rely on the Google and Apple APIs.

“While it does not yet present a viable solution, at this stage an app based on the Google/Apple API appears most likely to address some of the specific limitations identified through our field testing,” the UK Department for Health and Social Care said.

“However, there is still more work to do on the Google/Apple solution which does not currently estimate distance in the way required.”

Earlier this week, it was revealed the DTA knew that COVIDSafe had severe flaws, despite sending it out for public use on 26 April 2020.

Documents published by the agency showed that Bluetooth encounter logging tests conducted on the day the app went live rated data transmission between locked iPhones (specifically an iPhone X to an iPhone 6) as “poor”, meaning 25% or below.

It followed software engineer Richard Nelson publishing research that showed locked iPhones were practically useless when it came to logging encounters through COVIDSafe.

He said a locked iPhone with an expired ID could not generate a new ID and that, without an ID, the device would record other devices around it, but it could not be recorded by others.

“A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged,” he wrote.

“One could imagine Alice packing her bag, putting her iPhone in, and going out for the day to a football game. With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted.”

The DTA said in May that functional and performance testing was conducted for the Apple iOS and Google Android versions of the COVIDSafe App prior to release.

It said 179 functional tests were conducted, including Bluetooth encounters between various device types, in various states, including the phone being locked and unlocked, and the application being open and not open.

“All tests satisfied the baseline design requirements,” the DTA said. “Performance tests were also conducted against the technical requirements.”

The DTA previously told ZDNet it continues to welcome feedback on COVIDSafe from the developer community, with previous feedback helping the DTA to improve the app.

“The DTA will continue to release updates to the COVIDSafe app to deliver a range of performance, security, and accessibility improvements as required,” it said. “The Australian community can have confidence the app is working securely and effectively, despite the lack of community transmission of COVID-19.”

As of Friday 12 June 2020, over 6.3 million Australians have downloaded the app.

Elsewhere, Germany’s “Corona-Warn” app touted 6.5 million downloads registered in 24 hours — about 7.8% of the country’s population.

Credit: ZDNet

© 2019 NikolaNews.com - Global Tech Updates
