The COVIDSafe App - 4 week update
https://docs.google.com/document/d/17sVyBIG5CqhF9XtuEfeG2MfYsFNXuV4yxp3BERDTJoI/edit?usp=drivesdk
Jim Mussared
jim.mussa...@gmail.com
https://twitter.com/jim_mussared
Eleanor McMurtry
eleanor.em...@gmail.com
https://twitter.com/noneuclideangrl
with contributions from Vanessa Teague,, and Richard Nelson and Geoffrey
Huntley..
This document is released under the (The Creative Commons
Attribution–ShareAlike License) CC-BY-SA.
Last updated: 25/05/2020
Status: Public
https://covidsafe.watch/ tech community. (snip)
Summary of outstanding issues
There are seven main issues that have not been resolved:
# Persistent, long-term tracking of devices, even after the app is uninstalled
(registered as CVE-2020-12586).
This was raised (by Alwen Tiu & Jim Mussared) on 05/05/2020.
This issue also allows other denial-of-service and privacy-related attacks
(details not yet public).
This is a far more serious issue than any of the previous issues. It is not
clear how the DTA plans to fix or mitigate it, nor has there been any
communication of a planned fix date.
See more details below.
# TempID rotation is still broken on iPhone, allowing re-identification of
devices and encounters not being recorded.
This was first described by Chris Culnane, Eleanor McMurtry, Robert Merkel and
Vanessa Teague on 27/04/2020.
The root cause was discovered and reported (by Yaakov Smith, Hubert Siewert,
and Jim Mussared) with a suggested fix on 21/05/2020.
There are other issues relating to the way TempID expiry works that were raised
(by Yaakov Smith) on 17/05/2020.
It’s very important that expired TempIDs are not used, as this will lead to
encounters that should be marked invalid by the server, reducing the
effectiveness of this app at contact tracing
When asked when the privacy breach would be resolved the response was
non-committal and did not prioritise resolving the privacy breach..
# The phone model name (e.g. “Samsung Galaxy G8”) and device name (e.g. “Jim’s
Pixel 2”) is available to any device in range, allowing for device
re-identification and tracking.
This was raised (by Jim Mussared) on 27/05/2020. The fix is to update the
privacy policy and to expedite the move to the Apple/Google Exposure
Notification API.
# The source code for the server is not available, and none of the cryptography
can be verified to be compliant with the privacy policy.
The privacy policy is effectively useless without a way to verify how the data
is being managed. This is different to a regular Government use of private data
where the data is hosted in government data centres. In COVIDSafe, the
encrypted tokens are being stored on peoples phones and transmitted over radio.
There have been several instances of State Governments using insecure
cryptography that were discovered by source code analysis. See e.g. “The New
South Wales iVote System: Security Failures and Verification Flaws in a Live
Online Election” (J. Halderman & V. Teague, 2015) and “How Not to Prove Your
Election Outcome” (T. Haines, S. J. Lewis, O. Pereira & V. Teague, 2020).
See also “The missing server code, and why it matters” (Robert Merkel, Eleanor
McMurtry, and Vanessa Teague).
# TempID rotation (when working correctly) is set to use a 2-hour expiry time.
This is too long, and is far longer than Singapore’s TraceTogether app which
uses a 15-minute expiry time.
See “Tracing the challenges of COVIDSafe” (Chris Culnane, Eleanor McMurtry,
Robert Merkel and Vanessa Teague).
# The distance measurement as implemented by COVIDSafe does not work, making
the claimed “1.5 metres for 15 minutes” criterion used for contact tracing
meaningless.
Furthermore, many users have been led to believe that the app only stores
encounters that match these criteria. In reality, the app stores all the
encounters it sees, and any filtering is done on the server after the app
uploads its contacts.
See “Coronavirus Contact Tracing: Evaluating The Potential Of Using Bluetooth
Received Signal Strength For Proximity Detection” (D. J. Leith, S. Farrell,
2020). More information at The Intercept, and the author’s own experiments.
# There have been a number of different reports of this app interacting poorly
with other Bluetooth-based apps.
Notably, this includes continuous glucose monitoring products, leading to
missed alarms; see e.g.
https://www.diabetes.co.uk/news/2020/apr/australian-covid-19-tracker-app-could-interfere-with-cgm-devices.html.
These reports started from the first day after launch (see Apple App Store
reviews and Google App Store reviews) and seem to have gotten more prevalent
from iPhone users since the background-mode behavior was fixed.
There have been tweets from official accounts claiming that the app attempts to
work around these issues but no evidence of this has been found during analysis
of the source code, nor is there any evidence of any fixes being made.
__
