DTA fixed COVIDSafe Bluetooth vulnerability 21 days after it was notified

Researchers detail Android vulnerability in COVIDSafe that allowed the Bluetooth connection of any untrusted device that happened to be in range.
Written by Asha Barbaschow, Contributor

Australian researchers have published findings that poke further holes into the federal government's coronavirus contact tracing app COVIDSafe.

Jim Mussared from George Robotics and Alwen Tiu from the Australian National University have highlighted a "silent pairing issue" in Bluetooth-based contact tracing apps, this time on Android.

"This vulnerability allows an attacker to bond silently with an Android phone running a vulnerable version of the app. The bonding process involves exchanges of permanent identifiers of the victim phone: The identity address of the Bluetooth device in the phone and a cryptographic key called Identity Resolving Key (IRK). Either one of these identifiers can be used for long term tracking of the phone," they wrote.

Explaining the pair's findings, Mussared on Friday said the issue allows an attacker to silently pair with a user's phone while it's running COVIDSafe.

"Once paired, this allows them to permanently track the phone, even after COVIDSafe is uninstalled and even if the phone is factory reset. The way it does this is by exposing the Bluetooth MAC address, which will respond to L2CAP pings," he added in a tweet.

"Normally you only see a phone's 'random' Resolvable Private Address, which changes on a regular interval, whereas the identity address that pairing exposes is fixed for the lifetime of the phone. But what else can you do with a phone's identity MAC address?"
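
To make the long-term tracking point concrete, here is an added example, written for this article and not taken from the researchers' paper or the COVIDSafe source, of how a phone derives its Resolvable Private Address from its Identity Resolving Key and how anyone holding that IRK can resolve every later address the phone rotates to. The address layout and the ah() hash function follow the Bluetooth Core Specification's random device address rules (Vol 6, Part B); the IRK values and the rotation scenario are constructed for illustration. It covers only the IRK half of the finding: it does not reproduce the silent pairing itself or show how the exposed identity address is used.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Ah is the Bluetooth random address hash (Core Spec Vol 6, Part B, 1.3.2.2):
// AES-128-encrypt a block holding prand in its low 24 bits (104 zero bits of
// padding above it) and keep the low 24 bits of the ciphertext.
func Ah(irk [16]byte, prand [3]byte) ([3]byte, error) {
	var hash [3]byte
	cipher, err := aes.NewCipher(irk[:])
	if err != nil {
		return hash, err
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // padding || prand
	cipher.Encrypt(out[:], in[:])
	copy(hash[:], out[13:]) // e(k, r') mod 2^24
	return hash, nil
}

// RPA is a 48-bit resolvable private address, most significant byte first:
// 24 bits of prand (top two bits fixed to 0b01) followed by 24 bits of hash.
type RPA [6]byte

// String prints the address the way a scanner shows it.
func (a RPA) String() string {
	return fmt.Sprintf("%02X:%02X:%02X:%02X:%02X:%02X", a[0], a[1], a[2], a[3], a[4], a[5])
}

// RPAFromPrand derives the address the holder of irk uses for a given prand.
func RPAFromPrand(irk [16]byte, prand [3]byte) (RPA, error) {
	var a RPA
	prand[0] = (prand[0] & 0x3F) | 0x40 // marker bits for "resolvable"
	hash, err := Ah(irk, prand)
	if err != nil {
		return a, err
	}
	copy(a[0:3], prand[:])
	copy(a[3:6], hash[:])
	return a, nil
}

// NewRPA is what the phone does at each rotation interval: a fresh random
// prand, the same lifelong IRK.
func NewRPA(irk [16]byte) (RPA, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return RPA{}, err
	}
	return RPAFromPrand(irk, prand)
}

// Resolve reports whether addr was produced by the holder of irk: recompute
// Ah over the prand half and compare with the hash half. Address rotation is
// no defence against anyone who holds the IRK, because every future address
// resolves the same way.
func Resolve(irk [16]byte, addr RPA) (bool, error) {
	if addr[0]>>6 != 0x01 {
		return false, nil // not a resolvable private address at all
	}
	var prand [3]byte
	copy(prand[:], addr[0:3])
	hash, err := Ah(irk, prand)
	if err != nil {
		return false, err
	}
	return hash == [3]byte{addr[3], addr[4], addr[5]}, nil
}

// MustIRK decodes a 32-hex-digit IRK, most significant byte first.
func MustIRK(s string) [16]byte {
	var irk [16]byte
	b, err := hex.DecodeString(s)
	if err != nil || len(b) != 16 {
		panic("bad IRK: " + s)
	}
	copy(irk[:], b)
	return irk
}

func main() {
	// Constructed scenario: the victim's lifelong IRK, a copy of it obtained
	// by an attacker through a silent bond, and some other phone's IRK.
	var victimIRK [16]byte
	if _, err := rand.Read(victimIRK[:]); err != nil {
		panic(err)
	}
	attackerIRK := victimIRK
	otherIRK := MustIRK("00112233445566778899aabbccddeeff")
	for i := 0; i < 3; i++ { // three address rotations
		addr, err := NewRPA(victimIRK)
		if err != nil {
			panic(err)
		}
		hit, _ := Resolve(attackerIRK, addr)
		miss, _ := Resolve(otherIRK, addr)
		fmt.Printf("%s  attacker resolves: %v  other phone resolves: %v\n", addr, hit, miss)
	}
}
```

Run with `go run`: each rotation yields a different address, which the holder of the victim's IRK resolves while the other phone's IRK does not. A 24-bit hash gives a foreign key a 2^-24 chance of matching by accident, which is adequate for the intended purpose (letting bonded peers recognise each other) and is exactly why an IRK handed out to an unintended peer works as a lifetime tracking token.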

The issue was reported to the Digital Transformation Agency (DTA) 45 days ago and was fixed in the COVIDSafe 1.0.18 release 24 days ago, 21 days after the report.

"It's *really* great that the DTA was able to find a workaround for this, however my concern is that the design of COVIDSafe necessarily depends on using Bluetooth in a way that it was not designed to -- namely connecting to any untrusted device that happens to be in range," he explained.

"This issue was a consequence of not using the Apple/Google Exposure Notification API. If the EN API had been used instead, we'd have a more functional, more reliable, and more secure & trustworthy app," he also tweeted.

While the local version is fixed, the vulnerability may affect several other contact tracing apps that share a similar architecture, such as Singapore's TraceTogether and Alberta's ABTraceTogether, the pair said.

Overnight, the United Kingdom decided to ditch its own contact-tracing app and instead rely on the Google and Apple APIs.

"While it does not yet present a viable solution, at this stage an app based on the Google/Apple API appears most likely to address some of the specific limitations identified through our field testing," the UK Department for Health and Social Care said.

"However, there is still more work to do on the Google/Apple solution which does not currently estimate distance in the way required."

Earlier this week, it was revealed the DTA knew that COVIDSafe had severe flaws, despite sending it out for public use on 26 April 2020.

Documents published by the agency showed that Bluetooth encounter logging tests conducted on the day the app went live found locked iPhones, specifically a locked iPhone X to iPhone 6 encounter, transmitting data at a "poor" rating, meaning 25% or below.

It followed software engineer Richard Nelson publishing research that showed locked iPhones were practically useless when it came to logging encounters through COVIDSafe.

He said a locked iPhone with an expired ID could not generate a new ID and that, without an ID, the device would record other devices around it, but it could not be recorded by others.

"A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged," he wrote.

"One could imagine Alice packing her bag, putting her iPhone in, and going out for the day to a football game. With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted."

The DTA said in May that functional and performance testing was conducted for the Apple iOS and Google Android versions of the COVIDSafe app prior to release.

It said 179 functional tests were conducted, covering Bluetooth encounters between various device types in various states: phone locked and unlocked, application open and not open.

"All tests satisfied the baseline design requirements," the DTA said. "Performance tests were also conducted against the technical requirements."

The DTA previously told ZDNet it continues to welcome feedback on COVIDSafe from the developer community, with previous feedback helping the DTA to improve the app.

"The DTA will continue to release updates to the COVIDSafe app to deliver a range of performance, security, and accessibility improvements as required," it said. "The Australian community can have confidence the app is working securely and effectively, despite the lack of community transmission of COVID-19."

As of Friday 12 June 2020, over 6.3 million Australians have downloaded the app.

Elsewhere, Germany's "Corona-Warn" app touted 6.5 million downloads registered in 24 hours -- about 7.8% of the country's population.
