When the COVIDSafe contact tracing app launched, tech-savvy experts went looking for flaws. It didn’t take long to find them. By Royce Kurmelovs.

The flaws in the COVIDSafe app

When the Australian government launched COVIDSafe in late April, Jim Mussared’s curiosity got the better of him. Until then, he hadn’t paid much attention to the contact tracing app’s rollout. Like everyone, he’d heard the prime minister compare it to “sunscreen” and say the more people who took it up, the sooner restrictions on movement would be lifted.

He was also vaguely aware the government had tried to soothe critics by performing a privacy impact assessment and asking the Cyber Security Cooperative Research Centre (CSCRC) to “stress test” the app for flaws.

But Mussared had a unique perspective – while he now works at a robotics company, his past job with Google’s site reliability team meant that if something were wrong, he’d know where to look for it.

His best guess was that any potential problem would crop up with the unique identifiers designed to anonymise users. Any contact tracing app works by tracking its users’ movements, so if the strings of seemingly random numbers were ever recycled when a phone checked in with the central server, it would be possible for someone – not just the government – to track a user.

The day COVIDSafe launched, it took just four hours for Mussared to confirm his suspicions, and worse. Not only could the app be made to recycle the identifier, but it also broadcast the phone’s model and name along with it, transforming it into a “beacon” for anyone looking.

“If my neighbours were running COVIDSafe, I could tell you when they were home,” says Mussared. “The really scary thing to me is that I could re-identify someone at multiple different locations, like a journalist whose phone was detected at certain locations and times.

“… It shouldn’t be possible.”

The significance of this was immediately clear to Mussared: a government-developed medical-information app, which cost millions to develop, had breached its own privacy policy at the moment of launch.

Knowing the app had been rushed out in response to the Covid-19 pandemic, Mussared considered its flaws an honest mistake and quickly set about trying to get them fixed. At 1.19am, he sent his first email to an address listed on the Department of Health website to handle privacy inquiries.

There would be no reply.

It took eight days before Mussared spoke to someone at the Digital Transformation Agency (DTA), after he tried any department or organisation with a connection to the app, including the CSCRC. He describes the period as like “yelling into an empty room”.

He wasn’t alone. Across the country, people began to report issues – users wrote reviews on the Google Play store reporting that the app interfered with their diabetes monitoring systems or that it had wrongly told them they had coronavirus.

Meanwhile, the more tech-savvy began to ask a more basic question: did the app even do what it promised?

Searching for an answer would bring Mussared into contact with others, including software engineer Geoff Huntley and Richard Nelson, a mobile app developer who had been independently investigating how the app worked on Apple’s iOS platform.

Early tests showed COVIDSafe did not work while running in the background on an Apple iPhone. Long before officials from DTA admitted the issue in senate estimates, Nelson’s early observations would be confirmed by the Singaporean developer who built the original TraceTogether app upon which the COVIDSafe app was based.

The Singaporean developer explained the original app had never been built to run on iOS, because Singapore has few Apple users. He also told them that no one in the Australian government had contacted him about the app for him to explain that fact.

The result was a mess. Even as COVIDSafe was being downloaded thousands of times, it took until 18 days after launch for the first privacy issues to be addressed.

“As we pulled the code apart more, we found more and more things,” says Nelson. “Over the last few months we’ve kept finding bugs.”

Among the slew of bugs, errors and limitations they would uncover, two were alarming. The first – now well known – was an exploit on iPhones that allowed someone to remotely silence the “pings” sent out by the COVIDSafe app, as if they were jamming radar.

The second was discovered by Mussared in collaboration with Australian National University academic Alwen Tiu.

The pair discovered a vulnerability that meant someone could take over another person’s phone and have near-total access, without the owner knowing it. If the Bluetooth technology worked by allowing two devices to silently “pair”, it was possible to trick a target phone into thinking a connecting device was a keyboard and input commands.

The flaw was so serious they registered it with the Mitre Corporation, a non-profit cybersecurity research organisation, and logged it on the public Common Vulnerabilities and Exposures site, where it was given a severity rating of 9.8 out of 10.

Mussared and Tiu said they would contact the media if the problem wasn’t fixed within 45 days – and consequently the DTA released updates to patch out the problems. But the feeling among many in the tech sector is that the app was simply dead on arrival.

To date, more than six million Australians have downloaded COVIDSafe – although it is not clear how many are active users because the DTA does not keep those metrics. The app is yet to find a single case of Covid-19 that has not already been found by human contact tracers, even as its cost has grown.

So far, as reported by tech news site InnovationAus, $2.5 million has already been paid out in consulting fees alone for COVIDSafe – including a $200,000 bonus to the Boston Consulting Group, the former employer of DTA chief executive Randall Brugeaud.

Centre Alliance senator Rex Patrick, who was diagnosed with Covid-19 and is broadly supportive of the idea of the app, described its rollout as “dishonest”.

“My concern has always been with the fact they weren’t being upfront with people,” he says. “I think the prime minister was dishonest in linking lifting restrictions to downloading the Covid app.”

Senator Patrick says he believes the app’s major problems have now been fixed, although Jim Mussared, Geoff Huntley and Richard Nelson say that may not be the case.

Their work has found another potential issue when the app is installed on Android phones – it never has a chance to update, because it runs continually in the background, meaning users may still be running the original flawed version of the app.

When contacted about the issue, the DTA said it “strongly encouraged” Australians to update to the latest version.

Cryptographer Vanessa Teague says the secrecy involved in the development of COVIDSafe and the failure to identify a raft of errors before its release highlights the danger of criminalising independent cybersecurity research.

“How the COVIDSafe app has been handled is a microcosm of the larger policy failure,” she says.

“There are so many laws that criminalise cybersecurity research, based on a raft of legislation from years of bad policy designed to promote surveillance at the expense of security…

“It’s bad because government decisions should be open and democratic but it’s also technically bad: the insiders who get brought in to handle this stuff do a bad job.”

This article was first published in the print edition of The Saturday Paper on Jul 4, 2020 as "The other bugs".

Royce Kurmelovs is an Adelaide-based freelance journalist and author.