[LINK] COVIDSafe update closes denial of service bug and makes notifications optional

Bernard Robertson-Dunn brd at iimetro.com.au
Thu May 14 17:08:09 AEST 2020


[Why did the government release what is obviously a beta version

[well before the legislation had passed parliament?

[And why is the Defence Minister making statements?

[The contradictions and walk-backs are starting to look a lot

[like Boris Johnson's bumblings

COVIDSafe update closes denial of service bug and makes notifications
optional
https://www.zdnet.com/article/covidsafe-update-closes-denial-of-service-bug-and-makes-notifications-optional/

By Chris Duckett
May 14, 2020

Defence Minister has also confirmed that the number of Australians with
the app will not impact decisions to lift restrictions.

The Australian government has pushed out an update to its COVIDSafe app
that removes a number of security and privacy issues.

Prime among them is the denial of service attack possible on iOS
devices, as demonstrated by Richard Nelson in a blog post.

When devices running the app encountered a device advertising a
malformed Bluetooth manufacturer identifier, the app would repeatedly
crash until it was out of range of the attacker and restarted.

"This is a fairly obvious bug that should have been picked up in an
automated scan and/or an in-depth security review," Nelson wrote.

When the source code for the app landed last week, other obvious errors
such as an enumeration of states, not including Tasmania, were also found.

Nelson pointed out that the model used by governments around the world
to build their respective apps has not lent itself to solving the sorts
of problems he identified in an easy way.

"It seems as though (I could be corrected on this) each government
received a code drop of OpenTrace at some point in time, and from there
on there was little to no communication," he said.

"There's no central repository they all build upon, no process for
communicating bugs up or downstream, and in fact no security contacts
that I could find at all."

Australia's Digital Transformation Agency (DTA) was the only body to
respond to Nelson, whom he praised.

"As much as was my wish, it seemed impossible to coordinate disclosure
between all affected entities. And there could be more affected
applications that I just don't know about," he said.

Nelson's response was much better than the one Jim Mussared experienced
with the DTA.

Mussared tweeted that the latest update has fixed a pair of tracking
issues, and the DTA was working on another batch of issues.

The update notes for COVIDSafe in the Google Play Store state it has
improved "Bluetooth security and connectivity" and that the push
notifications the app, much to the user's chagrin, are now optional.

Yesterday, the legislation around the app cleared Parliament, with
Defence Minister Marise Payne stating that the number of downloads of
the app would not be considered when lifting any restrictions related to
the coronavirus pandemic.

"The approach to easing of restrictions, as you will have seen through
the national cabinet process, is based on the health advice that's
received," Senator Payne said.

"And the states and territories -- your state, my state; quite different
in their approaches -- are using that as the premise, not based on the
number of people who have downloaded the app."

The admission is a contradiction of the sort of pronouncements Prime
Minister Scott Morrison had made at the start of the month, who said
downloads of the app would be tied to the ability for Australians to go
back to pubs.

"The first step to getting back to that is downloading COVIDSafe,"
Morrison said in direct response to being asked when Australians could
go back to the pub on May 1.

"Now, if that isn't an incentive for Australians to download COVIDSafe
on a Friday, I don't know what is … I encourage them if they're talking
to each other on Zoom, or they're having a cold one later on today in
that environment, if they're looking forward to doing it in a pub, well,
that is a prerequisite to even getting to that conversation."

In spite of COVIDSafe downloads not being tied to decisions related to
lifting restrictions, Payne continued to encourage Australians to
download the app on Wednesday.

"The endeavour to put in place an app of this nature and to encourage
Australians to take up using the app, to download it, is an important
part of the pathway out of the most onerous aspects of the COVID-19
restrictions that have been put in place," she said.

"We know ... that the contact tracing process is extraordinarily
intensive for health authorities. Any mechanism which assists with that
process is invaluable in delivering the outcomes we need, to make sure
that if there is an issue, if there is an outbreak, all of the
contingencies that we need to be planning for, across states and
territories and through the national cabinet and the Commonwealth
government -- if there is a need to do that major contact tracing, we
have a better facilitated process for that."

The Defence Minister added that the lifting of restrictions was a
complex process that has been addressed in a "very deliberate" way.

"The app will provide that, but the number of downloads is not
conditional, in terms of the lifting of restrictions," Payne said.

"I think what the Prime Minister and other ministers have been very
clear about is how important that is to the progress and process of
moving out of the most extreme of the restrictions that we have had to
deal with."

Last week the Department of Health revealed it had no target for
downloads of the app.


-- 

Regards
brd

Bernard Robertson-Dunn
Canberra Australia
email: brd at iimetro.com.au



