On 8 April 2020 the Senate established the Select Committee on COVID-19 and referred the following matters to it for inquiry and report on or before 30 June 2022:
the Australian Government's response to the COVID-19 pandemic; and
any related matters.
To members of the Senate Select Committee on COVID-19. Thank you for the opportunity to participate in this Senate inquiry. Below you will find a submission related to the COVIDSafe application. We are doing separate submissions on a per-topic basis to optimize for your reading experience.
Members from the https://covidsafe.watch/ community are available to give in-person evidence to future public (or private) hearings by video conference.
We would appreciate a confirmation of the receipt of this submission and welcome any feedback you may have.
https://covidsafe.watch/ is an online community backed by a team of security researchers, open-source software engineers, community managers and privacy specialists that support the concept of technology based contact tracing.
We want to see lives saved through the use of this unprecedented technology.
It is crucial to us that privacy and security issues are addressed promptly and communicated in an inclusive and open manner.
We believe transparency is essential to achieve both of these goals without compromising either. Compromising privacy risks people’s lives by undermining public trust in the systems built to protect them.
This can only be achieved by direct collaboration with engineers using transparent open source platforms as done by the UK National Health Service.
It's here! The source code for the COVID-19 BETA Apps.
🙌 I'm Geoff, the pro bono open-source software engineer leading the independent analysis of covidsafe via studying the source code. Software that I maintain is inside Microsoft Visual Studio, GitHub, Atlassian Sourcetree, Amazon Drive, Halo, Slack, is heavily used by the financial services industry and has been installed by other software developers over 21 million times.
I'm a hybrid hardware and software developer, with current professional experience with open-source development and designing/developing BLE-based products for George Robotics. Formerly worked in programming/electronics education at Grok Learning, and before that at Google Australia as a tech lead in the SRE team as well as some time working with the Android team.
Over 500 met on Wednesday evening by video, after multiple developers and software engineers had reverse-engineered the code base and inspected it for security, integrity and usability.
Led by Queensland open-source software engineer Geoff Huntley, a group of developers and programmers have collated the findings of about a dozen different efforts to review the code and the usability of the app.
Mr Huntley told the meeting the group was ready to share their findings with the government's developers to help debug and improve its usability.
The group met up after Atlassian co-founder Mike Cannon-Brookes called on developers and software engineers to help debug the application.
Mr Huntley detailed the issues the group had identified with the app.
nb. It's highly unlikely this has anything to do with WiFi itself; it is instead related to IP address white/black lists on the backend/firewall appliance. However, to end users the effect is that registration does not work if connected to WiFi but does when on 4G.
the problem is most definitely incorrect @cloudfront cfg. It's configured to "block non aussie users" but the problem is I'm getting reports from mates who are on Telstra NBN that are getting blocked. Switching to Telstra 4G works immediately. pic.twitter.com/u9SMQz8Rr7
Tried so many times to register the #covidsafe app and failed. After reading through the bad reviews on app store discovered it will only register via phone network and cannot be connected to wifi. Really?!?! If that is a requirement to register then PUT IT IN THE INSTRUCTIONS!
For those of you seeing the invalid phone number when trying to register #covidsafe app on your phone, try turning off wifi during the process. It seems the app can only properly register when using mobile data.
Apple won't let me change my region to Australia without cancelling all my subscriptions, spending all my credit and entering (possibly an Australian) bankcard. So I'll just carry my negative test result on my phone & wave it at people. #Covidsafe.
Many rural Australians aren't able to register for the app at all.
In order to register for COVIDSafe, users need to be sent an SMS verification. This two-factor authentication (2FA) is for security purposes and in general is a good feature of the app.
But this becomes problematic if you live in an area with patchy or no mobile service. And this is the issue that many rural Australians are now facing. If you can't get the SMS, you can't use COVIDSafe.
For rural Aussies – or even just those who live in a mobile black spot – who are on plans with Vodafone and Optus, excluding prepaid, this isn't a problem. With these providers, they're able to still receive the verification text because these telcos offer SMS Over WiFi.
Unfortunately, users who are with Telstra or some Mobile Virtual Network Operator (MVNO) resellers don't have the SMS over WiFi option.
Over the past week we have been hearing about issues that some rural Australians are having installing the COVIDSafe app. This is because Telstra, unlike Vodafone and Optus, didn't have SMS over WiFi, which prevented 2FA texts from being received by people who don't have mobile phone reception. Importantly, this is an issue that also impacts other 2FA SMS as well as emergency texts. During our investigation into this Telstra started quietly rolling the feature out.
We knew Telstra was going to be looking at finally rolling out SMS Over WiFi, but the telco was unable to provide Gizmodo Australia a clear timeline. It appears the decision may have been tied to COVID-19 and the need for the COVIDSafe app in rural communities. Comments received from both Telstra and the Federal Minister for Communications Paul Fletcher to Gizmodo last week indicated that the telco was working on a solution to 2FA for the COVIDSafe app specifically.
"Telstra customers in areas that do not have mobile coverage are unable to send or receive SMS over WiFi. We have been working to introduce this capability into the network and will now accelerate the work required. We are also working closely with the DTA on alternative methods for the COVIDSafe app to send an authentication code," a Telstra spokesperson said in an email to Gizmodo Australia.
"SMS over WiFi updates for customers’ smartphones have gone live overnight and will roll out progressively over the next seven days. Some Telstra customers will already see the functionality available on their devices." said a Telstra spokesperson in an email to Gizmodo Australia.
Norfolk Island is an external territory of Australia but uses a different country code, +672 instead of +61. This means Norfolk Island numbers cannot be used to register for COVIDSafe.
People who are roaming with an international SIM cannot register
COVIDSafe requires an Australian mobile number beginning with +61 to register, meaning foreigners in Australia need a local SIM card. People who are roaming with an international SIM and are located within Australia cannot register for COVIDSafe.
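To make the registration gate concrete, the following is an added example (not COVIDSafe's own code) of a phone-number eligibility check: it normalises the input styles Australians commonly type into E.164 form and then applies the "+61 only" policy described above, beside an assumed variant that also admits Norfolk Island's +672 code. The country-code allowlists, the function names and the sample numbers are constructed for illustration.

```python
import re
from typing import Optional

# Policy as shipped: only +61 numbers may register.
ALLOWED_STRICT = {"61"}
# Assumed extension: also admit Norfolk Island, an Australian external
# territory that uses +672 rather than +61.
ALLOWED_INCLUSIVE = {"61", "672"}


def normalise_to_e164(raw: str) -> Optional[str]:
    """Convert common Australian input styles to '+<cc><number>'.

    Handles '+61 4xx', '0011 <cc> ...' (Australian international dial
    prefix) and domestic '04xx' forms. Returns None if the result is not
    a plausible E.164 number (8 to 15 digits).
    """
    digits = re.sub(r"[^\d+]", "", raw.strip())
    if digits.startswith("+"):
        body = digits[1:]
    elif digits.startswith("0011"):
        body = digits[4:]
    elif digits.startswith("0"):
        body = "61" + digits[1:]  # trunk prefix 0 -> country code 61
    else:
        body = digits
    if not body.isdigit() or not 8 <= len(body) <= 15:
        return None
    return "+" + body


def can_register(raw: str, allowed_country_codes: set) -> bool:
    """True if the number normalises and its country code is allowlisted."""
    e164 = normalise_to_e164(raw)
    if e164 is None:
        return False
    # Longest code first so e.g. '672' is not mistaken for '67'.
    for cc in sorted(allowed_country_codes, key=len, reverse=True):
        if e164.startswith("+" + cc):
            return True
    return False


if __name__ == "__main__":
    for sample in ("0412 345 678", "+672 3 12345", "+44 7700 900123"):
        print(sample, can_register(sample, ALLOWED_STRICT),
              can_register(sample, ALLOWED_INCLUSIVE))
```

Run against the constructed samples, the strict policy rejects both the Norfolk Island number and the roaming UK SIM, while the inclusive set admits the Norfolk Island number and still rejects the foreign one.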
Appendix - Timeline
COVIDSafe app launched
First long-term tracking issues reported to firstname.lastname@example.org, ASD, Maddocks (author of the PIA). First reports of the app interacting poorly with other Bluetooth devices (e.g. Continuous Glucose Monitors).
First four issues described in a single document that was distributed widely to the relevant teams (both through official and unofficial channels).
First contact with Singapore OpenTrace team. TempID caching issue fixed same-day. The Singapore team confirms that iPhones in the background are “not expected to work”. ASD confirmed that they will “follow this up”. No further contact. The Cybersecurity CRC confirmed that they have forwarded this doc but are extremely dismissive of the findings. No further contact. Maddocks replied and promised to forward the doc. No further contact.
First contact with DTA. v1.0.15 & v1.0.16 (Android) released containing only updates to graphics and animations and some minor text changes. The only issue fixed is the confusing wording raised by Geoff. risky.biz publishes a high-level summary of the known issues at this stage.
v1.1 (iPhone) released. DTA confirms that they were first aware of the issues on 30/04/2020, but our contact still had not read the document. Full details of CVE-2020-12586 shared with the ASD/ACSC and DTA.
Same issues discovered in the ABTraceTogether app used by Alberta, Canada. Emailed, and Skype meeting arranged within 24 hours.
DTA confirms that there will be a release tomorrow to fix the iPhone crash but it will fix none of the outstanding privacy issues.
v1.0.17 (Android) and v1.2 (iPhone) released. Contrary to advice from the day before, fixes the first two privacy issues (along with the remote iPhone crash). DTA asked (via SMS to Jim Mussared) for availability to discuss fixes for CVE-2020-12586 in the next couple of days. Jim offered that they can call any time, but then they never followed through on arranging a time. No further contact received from the DTA, all follow-up emails ignored. (Edit: update after this doc was published, see below)
The "COVIDSafe App - 4 week update" document was released publicly. 26 minutes later, update from the DTA with a planned release date for “the remaining Bluetooth issues”.
v1.4 (iPhone) released and available to download; source code partially available the same day but unable to compile as source files are missing. v1.0.18 (Android) source code released, but the Android application is not available to download from the app store.
Submissions for the Australian Senate Select Committee on COVID-19 close.
Appendix - Google Android Changelog
Brand new coat of paint and did not resolve privacy breach. Accidentally added 20 second pause to the launch screen.
Removed 20 second pause from the launch screen.
Partially resolves privacy breaches.
Source code released but application not available for download from the app store. Analysis pending.
Appendix - Apple iPhone Changelog
Debug view removed, updated design and removed com.googleusercontent URLScheme.
Largely fixed background behaviour. Implemented the fix for CVE-2020-12717.
Removed daily notifications to remind users to keep app in foreground.
Application released, source code was partially published but unable to compile as files are missing. Analysis pending.