Select Committee on COVID-19
Terms of Reference
On 8 April 2020 the Senate established the Select Committee on COVID-19 and referred the following matters to it for inquiry and report on or before 30 June 2022:
- the Australian Government's response to the COVID-19 pandemic; and
- any related matters.
Introduction
To members of the Senate Select Committee on COVID-19. Thank you for the opportunity to participate in this Senate inquiry. Below you will find a submission related to the COVIDSafe application. We are making separate submissions on a per-topic basis to optimise for your reading experience.
Members from the https://covidsafe.watch/ community are available to give in-person evidence to future public (or private) hearings by video conference.
We would appreciate confirmation of receipt of this submission and welcome any feedback you may have.
https://covidsafe.watch/ is an online community backed by a team of security researchers, open-source software engineers, community managers and privacy specialists who support the concept of technology-based contact tracing.
- We want to see lives saved through the use of this unprecedented technology.
- It is crucial to us that privacy and security issues are addressed promptly and communicated in an inclusive and open manner.
- We believe transparency is essential to achieve both of these goals without compromising either. Compromising privacy risks people’s lives by undermining public trust in the systems built to protect them.
- This can only be achieved by direct collaboration with engineers using transparent open source platforms as done by the UK National Health Service.
It's here! The source code for the COVID-19 BETA Apps.
✅ Android: https://t.co/fdCzEcND47
✅ iOS: https://t.co/6JNR1PmkHE
✅ Documentation: https://t.co/OFGq9lbOfg
— NHSX (@NHSX) May 7, 2020
Experts available for in-person evidence
Geoffrey Huntley
🙌 I'm Geoff, the pro bono open-source software engineer leading the independent analysis of COVIDSafe via studying the source code. Software that I maintain is inside Microsoft Visual Studio, GitHub, Atlassian Sourcetree, Amazon Drive, Halo, Slack, is heavily used by the financial services industry and has been installed by other software developers over 21 million times.
Jim Mussared
I'm a hybrid hardware and software developer, with current professional experience with open-source development and designing/developing BLE-based products for George Robotics. Formerly worked in programming/electronics education at Grok Learning, and before that at Google Australia as a tech lead in the SRE team as well as some time working with the Android team.
My Bluetooth research into contact tracing has received worldwide praise. I discovered a Bluetooth security vulnerability (CVE-2020-12856) which requires governments to modify their technological approaches and programs of work.
Richard Nelson
I'm a professional software engineer of 16 years, 8 of which have been in mobile app development and leadership. I have a strong interest in infosec, and my research into the iPhone application background behaviour identified a coding error as a contributing factor preventing COVIDSafe from working effectively. I discovered a denial of service vulnerability (CVE-2020-12717) in COVIDSafe.
Contact person(s) for this submission
Technical Expert & Coordinator
Name: Geoffrey Huntley
Email: ghuntley@ghuntley.com
LinkedIn: https://www.linkedin.com/in/geoffreyhuntley
Overview
No industry best practices were implemented at launch, including but not limited to:
- A bug bounty (which would provide a clear path for reporting issues);
- A security contact address, separate from general enquiries (allowing for prioritisation and triaging);
- Source code available at launch (making analysis easier);
- Engagement on reported issues to coordinate disclosure.
Lack of a bug bounty or formal documented process
Just overheard this in the community discord server:
"I have sent a fairly serious security disclosure email to our insider at the @DTA about #COVIDSafe."
Where's the bug bounty program‽¿! pic.twitter.com/3mw9EDybZu
— geoffrey huntley (@GeoffreyHuntley) May 6, 2020
Hey @DTA, @VTeagueAus noted in initial app analysis that tempIDs in iOS COVIDSafe were not rotating properly. It's still not fixed (do you care about privacy?), so here's a script which fixes it, and brings the rotation time down to a recommended 15m: https://t.co/9OxAXBJctA
— Richard Nelson (@wabzqem) May 24, 2020
Huntley has called upon those responsible for the app to implement formal customer service and developer community engagement tools, as he feels the app is a worthy weapon in Australia’s coronavirus response. However, he has withdrawn his personal support for the app until the privacy issues he has identified are addressed.
Huntley also labelled the lack of a bug bounty program for the app “unusual” and said only personal relationships with government staff afforded him a channel through which to report his findings – after mailing government agencies' public email addresses with details of bugs and not receiving replies for a week.
Australia’s app uses some of Singapore’s open-source contact-tracing code. Huntley said he found flaws in Singapore’s code, reported them to developers there and saw changes made on the same day. He said he has since informed Australian authorities of the same problem and seen it left in place in an app update that he said changed nothing of substance. His research and opinions are detailed in this Tweet and subsequent thread.
Engagement on reported issues to coordinate disclosure
In private I tried numerous times contacting the DTA, the minister of Services Australia and the media/privacy departments and the Australian Signals Directorate to pick up the phone.
I was not the only researcher who experienced these problems. pic.twitter.com/jHNZcFGWAG
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
We have shared comprehensive details of several issues, ranging from privacy to app reliability that are worth attention. It's been impossible to establish any meaningful response with the gov. Here's a timestamp from an unreleased privacy, security and data quality report. pic.twitter.com/Oh6pSozUYK
— geoffrey huntley (@GeoffreyHuntley) May 1, 2020
There has been no public acknowledgement of issues raised, nor has there been any communication around interim mitigations or workarounds.
26 minutes after this was posted, I received the first email from the DTA since 08/05/2020 (other than a brief SMS on 14/05/2020 described in the doc). Good news, there's an update coming. No idea what's in the update yet, but we'll see!
— Jim Mussared (@jim_mussared) May 25, 2020
This has been done better in other countries, e.g. UK’s NHSX recently described their engagement with the community in a blog post. See also the Twitter thread from Vanessa Teague. They also have a HackerOne bug bounty, specifically for their COVID-19 tracker app, as does Singapore.
In the case of the two long-term tracking issues that were fixed, neither of the recommended fixes was implemented. The recommendation was to remove the unnecessary features altogether to avoid any further risk, and to add comments to prevent future regressions. Instead, workarounds were added to the existing fragile code.
It is worth noting how much better the response from the DTA was to the iPhone crash, compared to the privacy issues. As is to be expected, a crashing app is far easier for the public to understand than an invisible privacy leak. This difference was not just in terms of time-to-fix, but also in the engagement from the DTA.
The six million Australians who have downloaded the COVIDSafe app are being urged to update it immediately to fix a flaw which could make it completely useless. Read more: https://t.co/nbVbJZHyli pic.twitter.com/wqV7fXrhV6
— Sunrise (@sunriseon7) May 25, 2020
Going to throw this out here again. Dear DTA. We want to help you. We have been saying this from day 0. Those findings that we privately disclosed may soon be public by people not part of our community. In the "pending-disclosure" room there's a semi-consensus to wait 1 sprint /1 pic.twitter.com/ZmJGwZFdi5
— geoffrey huntley (@GeoffreyHuntley) May 3, 2020
I'm [still] in shock that a serious invasion of privacy and a violation of the privacy policy was de-prioritised in the software development sprint over shipping a new coat of paint. pic.twitter.com/ppxgwhG0lW
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
In fact, I even recorded this personal video and sent it to all of them. pic.twitter.com/6c9acrETE3
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
I tried support@covidsafe.gov.au and have yet to get a reply back. https://t.co/EWys2wF5Mn
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
So what does any researcher that's being ignored do? Reach out to @isobelroe and invite her to dump your brains/feelings and concerns. https://t.co/JoAHDtJ3WO
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
This went to air at 7am this morning on @RNBreakfast.
The other software engineers mentioned in this recording are
- Richard is @wabzqem
- Jim is @jim_mussared
Follow them https://t.co/3j2Sz804kM
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
As a result of @RNBreakfast's broadcast and @isobelroe's help the DTA finally picked up the phone and called us. We have a mobile phone number, email address and name of a public servant that we can speak directly with if we need to escalate (e.g. security research that's wormable)
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
We have found four privacy issues.
"But one of the things we've found in there will require every country that has used the Bluetooth implementation from Singapore to update their privacy policies and release new versions of the application." pic.twitter.com/H2YY65u0pd
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
And by we, I mean Jim Mussared @jim_mussared. This guy is an absolute legend. I have loved working with you every moment Jim. Let's grab a six-pack when Iso is over eh? pic.twitter.com/KFblKjUUdh
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
Here is @jim_mussared's work.
Again, there is no responsible disclosure program, nor industry best practices like @bugcrowd. If the code had been open sourced, there would be a clear mechanism for how the community could raise (and even fix) the bugs. https://t.co/frnlUU1aAE pic.twitter.com/24g0SpVFER
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
Again. Some of these problems are quite serious from a privacy perspective. If your country's government used the Singapore code in their contact tracing apps then you will need to bring it to their attention. We won't be doing it. We are all volunteers here giving up $$$ to help pic.twitter.com/WOw2XiPPDr
— geoffrey huntley (@GeoffreyHuntley) May 5, 2020
Here's a demonstration of Issue #4 in action. The notification is injected into the app, but the data is not. Both the Z2 and this device are on the latest versions of COVIDSafe. pic.twitter.com/17nszAoHNr
— Richard Nelson (@wabzqem) May 5, 2020
Attribution
The COVIDSafe App - 4 week update by Jim Mussared and Eleanor McMurtry was used as the baseline for this submission.
Appendix - Timeline
| Day | Date | Notes |
|---|---|---|
| 0 | 26/04/2020 | COVIDSafe app launched. |
| 1 | 27/04/2020 | First long-term tracking issues reported to privacy@health.gov.au, ASD and Maddocks (author of the PIA). First reports of the app interacting poorly with other Bluetooth devices (e.g. Continuous Glucose Monitors). |
| 2 | 28/04/2020 | First four issues described in a single document that was distributed widely to the relevant teams (through both official and unofficial channels). |
| 4 | 30/04/2020 | First contact with the Singapore OpenTrace team. TempID caching issue fixed the same day. The Singapore team confirms that iPhones in the background are “not expected to work”. ASD confirmed that they will “follow this up”. No further contact. The Cybersecurity CRC confirmed that they have forwarded this document but are extremely dismissive of the findings. No further contact. Maddocks replied and promised to forward the document. No further contact. |
| 8 | 04/05/2020 | First contact with the DTA. v1.0.15 and v1.0.16 (Android) released, containing only updates to graphics and animations and some minor text changes. The only issue fixed is the confusing wording raised by Geoff. risky.biz publishes a high-level summary of the known issues at this stage. |
| 9 | 05/05/2020 | v1.1 (iPhone) released. DTA confirms that they were first aware of the issues on 30/04/2020, but our contact still had not read the document. Full details of CVE-2020-12856 shared with the ASD/ACSC and DTA. |
| 10 | 06/05/2020 | DTA CEO questioned by the Senate Select Committee on COVID-19. Topics include the iPhone background behaviour and engagement with the tech community. Richard Nelson discovered the remote iPhone crash and reported it to the DTA. |
| 12 | 08/05/2020 | Source code of v1.0.16 (Android) and v1.1 (iPhone) released, confirming that there are no differences in the Bluetooth implementation from the upstream Singapore codebase. |
| 13 | 09/05/2020 | Same issues discovered in the ABTraceTogether app used by Alberta, Canada. Emailed, and a Skype meeting arranged within 24 hours. |
| 17 | 13/05/2020 | DTA confirms that there will be a release tomorrow to fix the iPhone crash, but that it will fix none of the outstanding privacy issues. |
| 18 | 14/05/2020 | v1.0.17 (Android) and v1.2 (iPhone) released. Contrary to the advice from the day before, fixes the first two privacy issues (along with the remote iPhone crash). DTA asked (via SMS to Jim Mussared) for availability to discuss fixes for CVE-2020-12856 in the next couple of days. Jim offered that they could call any time, but they never followed through on arranging a time. No further contact received from the DTA; all follow-up emails ignored. (Edit: updated after this document was published, see below.) |
| 19 | 15/05/2020 | Source code of v1.0.17 (Android) and v1.2 (iPhone) released. |
| 20 | 16/05/2020 | Source code of Alberta, Canada’s ABTraceTogether released. None of the issues raised on 09/05/2020 have been fixed. |
| 21 | 17/05/2020 | v1.3 (iPhone) released. |
| 22 | 18/05/2020 | Source code of v1.3 (iPhone) released. iPhone crash fixed in Singapore OpenTrace. |
| 23 | 19/05/2020 | Full details of CVE-2020-12856 shared with the Singapore and Alberta teams (and other affected countries). |
| 26 | 22/05/2020 | iPhone TempID expiry issue raised with the DTA (and Singapore and Alberta). |
| 29 | 25/05/2020 | The COVIDSafe App - 4 week update document was released publicly. 26 minutes later, an update from the DTA with a planned release date for “the remaining Bluetooth issues”. |
| 30 | 26/05/2020 | v1.4 (iPhone) released and available to download; source code partially available the same day but unable to compile as source files are missing. v1.0.18 (Android) source code released, but the Android application is not available to download from the app store. |
| 32 | 28/05/2020 | Submissions for the Australian Senate Select Committee on COVID-19 close. |
Appendix - Google Android Changelog
| Version | Date | Comments |
|---|---|---|
| v1.0.11 | 2020-04-26 | Initial release. Implementation in serious breach of privacy policy. Contained text that caused public panic: "You have COVID19". |
| v1.0.15 | 2020-05-04 | Brand new coat of paint; did not resolve the privacy breach. Accidentally added a 20 second pause to the launch screen. |
| v1.0.16 | 2020-05-04 | Removed the 20 second pause from the launch screen. |
| v1.0.17 | 2020-05-14 | Partially resolves privacy breaches. |
| v1.0.18 | 2020-05-27 | Source code released but application not available for download from the app store. Analysis pending. |
Appendix - Apple iPhone Changelog
| Version | Date | Comments |
|---|---|---|
| v1.0 | 2020-04-26 | Initial release. |
| v1.1 | 2020-05-05 | Debug view removed, updated design and removed com.googleusercontent URLScheme. |
| v1.2 | 2020-05-14 | Largely fixed background behaviour. Implemented the fix for CVE-2020-12717. |
| v1.3 | 2020-05-14 | Removed daily notifications reminding users to keep the app in the foreground. |
| v1.4 | 2020-05-26 | Application released; source code was partially published but unable to compile as files are missing. Analysis pending. |