Authors: Jim Mussared (micropython.org), Alwen Tiu (The Australian National University)
A vulnerability has been identified in the implementation of the Android version of Australia's COVIDSafe contact tracing app that may affect several other contact tracing apps that share a similar architecture, such as Singapore's TraceTogether and Alberta's ABTraceTogether. This issue is being tracked using the CVE ID CVE-2020-12856. The vulnerability allows for long term tracking of users of the affected apps, and possibly enables other bluetooth-based attack vectors.
The details of the issue are still currently under embargo, until the developers of the affected apps have been notified and given a chance to put in place mitigation strategies. After the embargo period ends, more details of the issue will be published here.
This can be applied in a couple of different ways:
- iPhone. Although it still only requires simple equipment and limited expertise, it's harder to pull off. However, it allows for permanent tracking of an iPhone even when the COVIDSafe app is uninstalled. This gives access to the full device name normally hidden on iPhone.
- Android. This allows for simple long-term tracking of an Android device (similar in execution to Issue #1 and #2) while the app is still installed.
Unlike issue CVE-2020-12857 and Issue #2, this persists after reboot on both iPhone and Android.
This applies to all contact tracing apps based on a similar protocol (e.g. confirmed for UK, Singapore)
I strongly recommend that the Google/Apple protocol is adopted instead. When possible I will add mitigation details.
- 2020/05/15 - GitHub repository created at https://github.com/alwentiu/COVIDSafe-CVE-2020-12856
- Lacking an official disclosure/bug bounty program, we have now (5:00pm on 05/05/2020) raised this informally with the DTA and ASD/ACSC though available channels, with as much detail as possible.