Recently, both Apple and Google released new updates for iPhone and Android devices. One feature that was added was “Covid-19 Exposure Logging.” The feature is off (for now), and according to the text that accompanies the app, when turned on, it is set to communicate via Bluetooth to other devices.

iphone COVID Logging App screenshot
iPhone

 

Android COVID Logging App screenshot
Android

 

My initial response was that we are once again reminded that we truly do not fully “own” our technology, and as long as we want to participate in the always-on community, we are a component of the efficient functioning of the overall product. It is somewhat ingenious and covertly sinister to use Bluetooth as the communication mechanism. Contrary to the advice of some security folks, so many people have fitness trackers, headphones and smartwatches connected at all times that it would be impractical to turn Bluetooth off.

One has to wonder about the timing and proximity mechanisms that would trigger an alert. For example, if you are stuck in a car in a traffic jam or at a long traffic light, will the closeness of another car qualify as an “exposure event”? How about if you are on a slow-moving train and another train slowly passes in the opposite direction? (Welcome to rush-hour in the big city!) Social distance rules dictate a six-foot safety gap, yet Bluetooth version 1 functions at a thirty-three-foot range, and newer versions exceed that distance. Like all things Covid-related, it seems that we are building the airplane as we fly it.

Here at Tripwire, we love our community of InfoSec experts, and we are always open to other ideas, and this one, in particular, piqued our curiosity. While we understand the need to control the spread of this pandemic, our security mindset was raised to a new level. (Read more...)