The Australian Government has placed uptake of its COVID-19 contact tracing app front and centre of its strategy to walk back lockdown measures, despite mounting evidence it isn’t fit for purpose.
On Friday, Australia’s Prime Minister Scott Morrison framed uptake of the government’s contact tracing app as one of a few remaining pre-conditions before lockdown measures would be lifted.
However, according to multiple reports, the government’s COVIDSafe app is barely functional on iOS devices, state health authorities don’t yet have access to the contact tracing data it was designed to collect and the app is interfering with some Bluetooth-based medical devices.
The most predictable issue was whether iPhones would be able to exchange identifiers with other phones when the app wasn’t running in the foreground. This was the main reason to hold back the release of the app until mobile OS vendors could make specific allowances for it. Detailed analyses of the app by a group of Australian Android and iOS developers have now confirmed that two iOS devices running COVIDSafe in the background do not exchange identifiers.
Risky.Biz can also reveal that while the app was designed to anonymise users and explicitly avoid location tracking, numerous implementation flaws can be abused to track user locations via the app’s Bluetooth beacons.
Google and Apple, meanwhile, have released a beta version of their contact tracing API to public health authorities, which by design would resolve many of the limitations affecting COVIDSafe and other contact tracing apps around the world.
The Australian government has signalled it may need to redevelop COVIDSafe to rely on the new API. This raises the question: why did the government prematurely release a buggy app with questionable utility, mere weeks before the anticipated release of mobile operating system support for contact tracing? Was COVIDSafe simply an exercise in getting Australia ready for contact tracing apps that actually work?
Officials have not been forthcoming with answers to that question. Perhaps there were doubts about Google and Apple’s ability to introduce contact tracing support by mid-May. Perhaps the current version of COVIDSafe serves as a mere “placeholder” install base until something more functional can replace it, despite the inherent risks involved in relying on millions of people to successfully update a mobile app. Or perhaps there isn’t a coherent strategy, and the Government simply wanted to chalk up the appearance of a digital win.
Flaws leave fingerprints
Unlike efforts in less democratic countries, Australia’s digital contact tracing system was not explicitly designed to track user location. The app - and the legal framework which supports it - also prioritises consent, limits the use of data to specific purposes and allows users to register with pseudonyms. Authorities put forward these and other legal assurances to try to convince wary Australians that they won’t abuse the data the app collects. So far, approximately four million Australians – or 25% of Australian smartphone owners – have downloaded the app.
Using flaws described in detail to Risky.Biz, attackers require only a slightly modified version of the software COVIDSafe was built on (the OpenTrace implementation of the BlueTrace protocol used in Singapore’s TraceTogether app) to create a network of devices capable of identifying and tracking targeted users. The same techniques can also be deployed on significantly cheaper, smaller hardware to work at scale.
The attack cannot be performed remotely. An attacker abusing these flaws needs to be in close proximity to a target once in order to re-identify that person in any subsequent encounter. In practice, the attacker would need to place a phone or other BLE-enabled device within 10-20m of a place the target is likely to be - their place of work, for example - to make that initial connection.
Once the first connection is made, without the target’s knowledge, the attacker could cheaply build a network of such devices that identifies the target at any number of other locations.
These conditions persist for the life of the install. In the current release they can only be mitigated if users routinely turn their phones off and on again, or by installing a new version of the app when one is released.
Risky.Biz will release full details about the implementation flaws in a future update to this story.
Is fingerprinting such a big deal?
For many Australians, the ability to fingerprint your physical location might not be especially concerning. If today your movements are inhibited by restrictions - limiting you to trips to supermarkets and school drop-offs - a bug that could be abused to track your location should not deter you from using COVIDSafe.
This type of tracking used to be possible against all smartphones by default. Prior to 2014, smartphones constantly scanned for known WiFi access points, broadcasting their unique hardware MAC addresses in the process. Advertising firms used these broadcasts to physically track the movements of people through retail outlets and shopping centres. The developers of the Bluetooth Low Energy (BLE) spec, aware of these privacy risks, built address randomisation into BLE so that devices need not broadcast a fixed, unique identifier.
Apple has gradually closed the door on device tracking, adding MAC address randomisation to the WiFi functionality in iOS 8.0 in 2014, with Android following suit in 2015. So in this broader context, the bugs found in COVIDSafe are a temporary aberration in ongoing efforts to restrict third parties from identifying and tracking user devices.
Detailed information about the flaws was communicated to the Australian Department of Health, the Department of Defence and via in-app feedback within seven hours of the app’s release - to no response.
The parties that discovered, validated and disclosed these flaws provided the Australian Government with a list of recommended fixes that would be trivial to implement and have no impact on the effectiveness of the app. Hopefully, these privacy risks will be addressed in a future update.
Where to from here?
With all of this in mind, Risky.Biz still recommends readers in Australia install the COVIDSafe app. Yes, even if the app is only a placeholder - it could evolve into something that provides real utility for contact tracing. And yes, even though it provides avenues for privacy abuse - the risks we’ve analysed are limited in scope, and are trivial to fix.
In Tuesday’s Seriously Risky Business newsletter, we discuss the shift some countries are making from ‘opt-in’ contact tracing apps to a credential you must have to return to work. You can subscribe to the Seriously Risky Business newsletter at our SubStack page.