[LINK] Privacy unresolved in the COVIDSafe digital contact tracing application

Stephen Loosley StephenLoosley at outlook.com
Mon May 25 16:11:40 AEST 2020


The COVIDSafe App - 4 week update

https://docs.google.com/document/d/17sVyBIG5CqhF9XtuEfeG2MfYsFNXuV4yxp3BERDTJoI/edit?usp=drivesdk

Jim Mussared
jim.mussared at gmail.com
https://twitter.com/jim_mussared

Eleanor McMurtry
eleanor.em.cs at gmail.com
https://twitter.com/noneuclideangrl

with contributions from Vanessa Teague, Richard Nelson and Geoffrey Huntley.

This document is released under the Creative Commons Attribution-ShareAlike (CC-BY-SA) licence.

Last updated: 25/05/2020

Status: Public
https://covidsafe.watch/ tech community.  (snip)


Summary of outstanding issues

There are seven main issues that have not been resolved:

1. Persistent, long-term tracking of devices, even after the app is uninstalled (registered as CVE-2020-12586).
This was raised (by Alwen Tiu & Jim Mussared) on 05/05/2020.
This issue also allows other denial-of-service and privacy-related attacks (details not yet public).
This is a far more serious issue than any of the previous issues. It is not clear how the DTA plans to fix or mitigate it, nor has there been any communication of a planned fix date.
See more details below.

2. TempID rotation is still broken on iPhone, allowing re-identification of devices and encounters not being recorded.
This was first described by Chris Culnane, Eleanor McMurtry, Robert Merkel and Vanessa Teague on 27/04/2020.
The root cause was discovered and reported (by Yaakov Smith, Hubert Siewert, and Jim Mussared) with a suggested fix on 21/05/2020.
There are other issues relating to the way TempID expiry works that were raised (by Yaakov Smith) on 17/05/2020.
It's very important that expired TempIDs are not used, as this will lead to encounters that should be marked invalid by the server, reducing the effectiveness of this app at contact tracing.
When asked when the privacy breach would be resolved, the response was non-committal and did not prioritise resolving the privacy breach.
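To make the expiry point above concrete, here is an added illustration (written for this summary, not code from COVIDSafe, OpenTrace or the document's authors) of the two checks the passage implies: the phone must only advertise a TempID whose validity window covers the current time, and the server must mark any uploaded encounter whose timestamp falls outside the matching TempID's window as invalid. The TempID structure, the `TempId`/`Encounter` names, the 2-hour windows and all sample values are assumptions constructed for the example; the real TempID is an opaque encrypted blob whose layout this page does not describe.

```python
"""Hypothetical TempID validity handling (illustration only, not COVIDSafe code).

A device that keeps broadcasting an expired TempID is re-identifiable for
longer than intended, and every encounter recorded against that TempID is
one the server will later discard. Both sides of that check are shown.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TempId:
    token: str    # opaque value as broadcast over BLE (constructed here)
    start: int    # validity start, Unix seconds (inclusive)
    expiry: int   # validity end, Unix seconds (exclusive)

    def covers(self, t: int) -> bool:
        """True if the TempID is valid at time t."""
        return self.start <= t < self.expiry


def select_tempid(pool: List[TempId], now: int) -> Optional[TempId]:
    """Client side: return a TempID valid at `now`, or None if there is none.

    Returning None (and therefore advertising nothing) is the safe failure
    mode; reusing the last TempID past its expiry is the behaviour the
    passage above warns against.
    """
    for tid in pool:
        if tid.covers(now):
            return tid
    return None


def needs_refresh(pool: List[TempId], now: int, lead_seconds: int = 600) -> bool:
    """Client side: True when the pool will have no valid TempID `lead_seconds`
    from now, i.e. a new batch should be fetched before rotation stalls."""
    return select_tempid(pool, now + lead_seconds) is None


@dataclass(frozen=True)
class Encounter:
    token: str    # TempID token observed from a nearby device
    seen_at: int  # local observation time, Unix seconds


def validate_encounters(
    encounters: List[Encounter], issued: List[TempId]
) -> Tuple[List[Encounter], List[Encounter]]:
    """Server side: split uploaded encounters into valid and invalid.

    An encounter is invalid if its token is unknown or was observed outside
    the window the server issued it for (an expired TempID still on the air).
    """
    by_token = {tid.token: tid for tid in issued}
    valid: List[Encounter] = []
    invalid: List[Encounter] = []
    for enc in encounters:
        tid = by_token.get(enc.token)
        if tid is not None and tid.covers(enc.seen_at):
            valid.append(enc)
        else:
            invalid.append(enc)
    return valid, invalid


# Constructed sample data: two consecutive 2-hour TempIDs (the expiry the
# document reports for COVIDSafe) issued to one device.
SAMPLE_POOL = [
    TempId(token="tempid-A", start=0, expiry=7200),
    TempId(token="tempid-B", start=7200, expiry=14400),
]

# Constructed encounters as a contact's phone might upload them:
# one inside tempid-A's window, one after tempid-A expired, one unknown token.
SAMPLE_ENCOUNTERS = [
    Encounter(token="tempid-A", seen_at=3000),
    Encounter(token="tempid-A", seen_at=9000),
    Encounter(token="tempid-Z", seen_at=100),
]


def demo() -> Tuple[int, int]:
    """Return (valid, invalid) counts for the constructed sample upload."""
    valid, invalid = validate_encounters(SAMPLE_ENCOUNTERS, SAMPLE_POOL)
    return len(valid), len(invalid)


if __name__ == "__main__":
    print("advertise at t=3600:", select_tempid(SAMPLE_POOL, 3600))
    print("refresh needed at t=14000:", needs_refresh(SAMPLE_POOL, 14000))
    print("valid/invalid encounters:", demo())
```

The shorter the window (the document contrasts 2 hours with TraceTogether's 15 minutes), the more often `needs_refresh` fires, which is why a broken rotation path is both a privacy and a coverage problem: every encounter logged against a stale token ends up in the `invalid` list.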

3. The phone model name (e.g. "Samsung Galaxy G8") and device name (e.g. "Jim's Pixel 2") are available to any device in range, allowing for device re-identification and tracking.
This was raised (by Jim Mussared) on 27/05/2020. The fix is to update the privacy policy and to expedite the move to the Apple/Google Exposure Notification API.

4. The source code for the server is not available, and none of the cryptography can be verified to be compliant with the privacy policy.
The privacy policy is effectively useless without a way to verify how the data is being managed. This is different to a regular Government use of private data where the data is hosted in government data centres. In COVIDSafe, the encrypted tokens are being stored on people's phones and transmitted over radio.
There have been several instances of State Governments using insecure cryptography that were discovered by source code analysis. See e.g. "The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election" (J. Halderman & V. Teague, 2015) and "How Not to Prove Your Election Outcome" (T. Haines, S. J. Lewis, O. Pereira & V. Teague, 2020).
See also "The missing server code, and why it matters" (Robert Merkel, Eleanor McMurtry, and Vanessa Teague).

5. TempID rotation (when working correctly) is set to use a 2-hour expiry time. This is too long, and is far longer than Singapore's TraceTogether app which uses a 15-minute expiry time.
See "Tracing the challenges of COVIDSafe" (Chris Culnane, Eleanor McMurtry, Robert Merkel and Vanessa Teague).

6. The distance measurement as implemented by COVIDSafe does not work, making the claimed "1.5 metres for 15 minutes" criterion used for contact tracing meaningless.
Furthermore, many users have been led to believe that the app only stores encounters that match these criteria. In reality, the app stores all the encounters it sees, and any filtering is done on the server after the app uploads its contacts.
See "Coronavirus Contact Tracing: Evaluating The Potential Of Using Bluetooth Received Signal Strength For Proximity Detection" (D. J. Leith, S. Farrell, 2020). More information at The Intercept, and the author's own experiments.

7. There have been a number of different reports of this app interacting poorly with other Bluetooth-based apps.
Notably, this includes continuous glucose monitoring products, leading to missed alarms; see e.g. https://www.diabetes.co.uk/news/2020/apr/australian-covid-19-tracker-app-could-interfere-with-cgm-devices.html.
These reports started from the first day after launch (see Apple App Store reviews and Google App Store reviews) and seem to have gotten more prevalent from iPhone users since the background-mode behaviour was fixed.
There have been tweets from official accounts claiming that the app attempts to work around these issues but no evidence of this has been found during analysis of the source code, nor is there any evidence of any fixes being made.
