Hackaday Podcast 083: Soooo Many Custom Peripherals, Leaving Bluetooth Footprints, And A Twirlybird On Mars

Hackaday editors Mike Szczys and Elliot Williams ogle the greatest hacks from the past 168 hours. Did you know that Mars Rover didn’t get launched into space all alone? Nestled in it’s underbelly is a two-prop helicopter that’s a fascinating study in engineering for a different world. Fingerprinting audio files isn’t a special trick reserved for Shazam, you can do it just as easily with an ESP32. A flaw in the way Bluetooth COVID tracing frameworks chirp out their anonymized hashes means they’re not as perfectly anonymized as planned. And you’re going to love these cool ways to misuse items from those massive parts catalogs.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (~65 MB)

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast 083: Soooo Many Custom Peripherals, Leaving Bluetooth Footprints, And A Twirlybird On Mars”

COVID-tracing Framework Privacy Busted By Bluetooth

[Serge Vaudenay] and [Martin Vuagnoux] released a video yesterday documenting a privacy-breaking flaw in the Apple/Google COVID-tracing framework, and they’re calling the attack “Little Thumb” after a French children’s story in which a child drops pebbles to be able to retrace his steps. But unlike Hänsel and Gretl with the breadcrumbs, the goal of a privacy preserving framework is to prevent periodic waypoints from allowing you to follow anyone’s phone around. (Video embedded below.)

The Apple/Google framework is, in theory, quite sound. For instance, the system broadcasts hashed, rolling IDs that prevent tracing an individual phone for more than fifteen minutes. And since Bluetooth LE has a unique numeric address for each phone, like a MAC address in other networks, they even thought of changing the Bluetooth address in lock-step to foil would-be trackers. And there’s no difference between theory and practice, in theory.

In practice, [Serge] and [Martin] found that a slight difference in timing between changing the Bluetooth BD_ADDR and changing the COVID-tracing framework’s rolling proximity IDs can create what they are calling “pebbles”: an overlap where the rolling ID has updated but the Bluetooth ID hasn’t yet. Logging these allows one to associate rolling IDs over time. A large network of Bluetooth listeners could then trace people’s movements and possibly attach identities to chains of rolling IDs, breaking one of the framework’s privacy guarantees.

This timing issue only affects some phones, about half of the set that they tested. And of course, it’s only creating a problem for privacy within Bluetooth LE range. But for a system that’s otherwise so well thought out in principle, it’s a flaw that needs fixing.

Why didn’t the researchers submit a patch? They can’t. The Apple/Google code is mostly closed-source, in contrast to the open-source nature of most of the apps that are running on it. This remains troubling, precisely because the difference between the solid theory and the real practice lies exactly in those lines of uninspectable code, and leaves all apps that build upon them vulnerable without any recourse other than “trust us”. We encourage Apple and Google to make the entirety of their COVID framework code open. Bugs would then get found and fixed, faster.

Continue reading “COVID-tracing Framework Privacy Busted By Bluetooth”

COVID Tracing Apps: What Europe Has Done Right, And Wrong

Europe has been in COVID-containment mode for the last month, in contrast to the prior three months of serious lockdown. Kids went back to school, in shifts, and people went on vacation to countries with similarly low infection rates. Legoland and the zoo opened back up, capped at 1/3 capacity. Hardware stores and post offices are running “normally” once you’ve accommodated mandatory masks and 1.5 meter separations while standing in line as “normal”. To make up for the fact that half of the tables have to be left empty, most restaurants have sprawled out onto their terraces. It’s not really normal, but it’s also no longer horrible.

But even a country that’s doing very well like Germany, where I live, has a few hundred to a thousand new cases per day. If these are left to spread unchecked as before, the possibility of a second wave is very real, hence the mask-and-distance routine. The various European COVID-tracing apps were rolled out with this backdrop of a looming pandemic that’s tenuously under control. While nobody expects the apps to replace public distancing, they also stand to help if they can catch new and asymptomatic cases before they get passed on.

When Google and Apple introduced their frameworks for tracing apps, I took a technical look at them. My conclusion was that the infrastructure was sound, but that the implementation details would be where all of the dragons lay in wait. Not surprisingly, I was right!

Here’s an update on what’s happened in the first month of Europe’s experience with COVID-tracing apps. The good news is that the apps seem to be well written and based on the aforementioned solid foundation. Many, many people have installed at least one of the apps, and despite some quite serious growing pains, they seem to be mostly functioning as they should. The bad news is that, due to its privacy-preserving nature, nobody knows how many people have received warnings, or what effect, if any, the app is having on the infection rate. You certainly can’t see an “app effect” in the new daily cases rate. After a month of hard coding work and extreme public goodwill, it may be that cellphone apps just aren’t the panacea some had hoped.

Continue reading “COVID Tracing Apps: What Europe Has Done Right, And Wrong”