The COVIDSafe source code release

If you spot a spelling mistake, grammatical error or inaccuracy please help improve the senate submission by editing this page. Small fixes, over time, add up to huge improvements. Thank-you 💕


Submission Name: The COVIDSafe source code release
Url: https://covidsafe.watch//senate-submissions/the-covidsafe-source-code-release
Status: Not submitted. Requires proof read and readability improvements.
Version: 5416860c24987a6b241515b36b6268c003d03448 on https://github.com/covidsafewatch/website

Select Committee on COVID-19

Terms of Reference

On 8 April 2020 the Senate established the Select Committee on COVID-19 and referred the following matters to it for inquiry and report on or before 30 June 2022:

  • the Australian Government's response to the COVID-19 pandemic; and
  • any related matters.

Introduction

To members of the Senate Select Committee on COVID-19. Thank you for the opportunity to participate in this Senate inquiry. Below you will find a submission related to the COVIDSafe application. We are doing seperate submissions on a per-topic basis to optimize for your reading experience.

Members from the https://covidsafe.watch/ community are available to give in-person evidence to future public (or private) hearings by video conference.

We would appreciate a confirmation of the receipt of this submission and welcomes any feedback you may have.

https://covidsafe.watch/ is an online community backed by a team of security researchers, open-source software engineers, community managers and privacy specialists that support the concept of technology based contact tracing.

  • We want to see lives saved through the use of this unprecedented technology.
  • It is crucial to us that privacy and security issues are addressed promptly and communicated in an inclusive and open manner.
  • We believe transparency is essential to achieve both of these goals without compromising either. Compromising privacy risks people’s lives by undermining public trust in the systems built to protect them.
  • This can only be achieved by direct collaboration with engineers using transparent open source platforms as done by the UK National Health Service.

Experts available for in-person evidence

Geoffrey Huntley

🙌 I'm Geoff, the probono open-source software engineer leading the independent analysis of covidsafe via studying the source code. Software that I maintain is inside Microsoft Visual Studio, GitHub, Atlassian Sourcetree, Amazon Drive, Halo, Slack, is heavily used by the financial services industry and has been installed by other software developers over 21 million times.

Photo licensed under Attribution 4.0 International (CC BY 4.0)

Jim Mussared

I'm a hybrid hardware and software developer, with current professional experience with open-source development and designing/developing BLE-based products for George Robotics. Formerly worked in programming/electronics education at Grok Learning, and before that at Google Australia as a tech lead in the SRE team as well as some time working with the Android team.

My Bluetooth research into contact tracing has received world wide praise. I discovered a Bluetooth security vulrunability (CVE-2020-12856) which requires governments to modify their technological approaches and programs of work.

Photo licensed under Attribution 4.0 International (CC BY 4.0)

Richard Nelson

I'm a professional software engineer of 16 years, 8 of which have been in mobile app development and leadership. I have a strong interest in infosec, and my research into the iPhone application background behaviour identified a coding error as a contributing factor preventing COVIDSafe from working effectively. I discovered a denial of service vulnerability (CVE-2020–12717) in COVIDSafe.

Photo licensed under Attribution 4.0 International (CC BY 4.0)

Contact person(s) for this submission

Technical Expert & Coordinator

Name: Geoffrey Huntley
Email: ghuntley@ghuntley.com
LinkedIn: https://www.linkedin.com/in/geoffreyhuntley

Overview

The source code for both apps was released on 08/05/2020, and has been updated within a couple of days of each subsequent release.

It is published with an unusually restrictive license limiting the rights of its users, there are nod tests, the code contains very few comments, and it is impossible for a developer to build and run the application without first building their own test server (with no documentation on this process). At the very least a sample server should have been included.

Additionally, the repositories are read-only, there is no way for the community to provide fixes or improvements.

In addition to this, the Privacy Amendment (Public Health Contact Information) Act contains extremely ambiguous wording around what a researcher may legally do with this application. As a result, the Government has made it extremely unappealing to try and help them.

Community Response

Appendix - Terms and Conditions for access to COVIDSafe App code

By accessing the App Code I accept and agree to the following terms:

  1. If I distribute the App Code to anyone else, I will ensure these terms are provided to them and are not deleted.

  2. I agree to access the App Code for the purpose of obtaining information about the COVIDSafe App only.

  3. I understand and agree that the App Code is provided on an as is where is basis, that the App Code may be updated over time, and that the DTA and the Commonwealth have no liability whatsoever in connection with my access to or use of the App Code.

  4. I agree to stop all access and use of the App Code if requested by the DTA.

  5. I will not use the App Code for any product development purposes.

  6. I will promptly report to the DTA on any actual or potential security vulnerabilities I become aware of in respect of the COVIDSafe App.

  7. I am responsible for any costs of third party claims associated with my access to the App Code, and must pay those claims on request.

  8. I understand and agree that:

    a. the DTA will collect information about me and my access to the App Code, and any feedback, comments, or other information that I post on GitHub in connection with the App Code (and I understand that this information may also be seen or accessed by other users of GitHub who have been given access to the App Code);

    b. the DTA may use that information for the purposes of managing my access to the App Code, and to consider any feedback, comments or other information that I provide in relation to the App Code or the COVIDSafe App;

    c. the DTA may disclose that information to other Commonwealth agencies and their contractors for the purposes of improving the App Code or the COVIDSafe App, or as required for public accountability and reporting purposes, but DTA will de-identify personal information before disclosure wherever reasonable and practicable (GitHub, a company based in the US, may also handle your personal information in accordance with the GitHub Terms and Conditions); and

    d. further information about how DTA will handle personal information, and my rights to complain or access or correct my personal information, is available at DTA's Privacy Policy.

Atrribution

The COVIDSafe App - 4 week update by Jim Mussared and Eleanor McMurtry was used as the baseline for this submission.

Appendix - Timeline

Day Date Notes
0 26/04/2020 COVIDSafe app launched
1 27/04/2020 First long-term tracking issues reported to privacy@health.gov.au, ASD, Maddocks (author of the PIA). First reports of the app interacting poorly with other Bluetooth devices (e.g. Continuous Glucose Monitors).
2 28/04/2020 First four issues described in a single document that was distributed widely to the relevant teams (both through official and unofficial channels).
4 30/04/2020 First contact with Singapore OpenTrace team. TempID caching issue fixed same-day. The Singapore team confirms that iPhones in the background are “not expected to work”. ASD confirmed that they will “follow this up”. No further contact. The Cybersecurity CRC confirmed that they have forwarded this doc but are extremely dismissive of the findings. No further contact. Maddocks replied and promised to forward the doc. No further contact.
8 04/05/2020 First contact with DTA. v1.0.15 & v1.0.16 (Android) released containing only updates to graphics and animations and some minor text changes. The only issue fixed is the confusing wording raised by Geoff. risky.biz publishes a high-level summary of the known issues at this stage.
9 05/05/2020 v1.1 (iPhone) released. DTA confirms that they were first aware of the issues on 30/04/2020, but our contact still had not read the document. Full details of CVE-2020-12586 shared with the ASD/ACSC and DTA
10 06/05/2020 DTA CEO questioned by the Select Senate Committee on COVID-19. Topics include the iPhone background behavior and engagement with the tech community. Richard Nelson discovered the remote iPhone crash, reported to DTA.
12 8/05/2020 Source code of v1.0.16 (Android) and v1.1 (iPhone) released, confirming that there are no differences in the Bluetooth implementation to the upstream Singapore codebase.
13 9/05/2020 Same issues discovered in the ABTraceTogether app used by Alberta, Canada. Emailed, and Skype meeting arranged within 24 hours.
17 13/05/2020 DTA confirms that there will be a release tomorrow to fix the iPhone crash but it will fix none of the outstanding privacy issues.
18 14/05/2020 v1.0.17 (Android) and v1.2 (iPhone) released. Contrary to advice from the day before, fixes the first two privacy issues (along with the remote iPhone crash). DTA asked (via SMS to Jim Mussared) for availability to discuss fixes for CVE-2020-12586 in the next couple of days. Jim offered that they can call any time, but then they never followed through on arranging a time. No further contact received from the DTA, all follow-up emails ignored. (Edit: update after this doc was published, see below)
19 15/05/2020 Source code of v1.0.17 (Android) and v1.2 (iPhone) released.
20 16/05/2020 Source code of Alberta, Canada’s ABTraceTogether released. None of the issues raised on 09/05/2020 have been fixed.
21 17/05/2020 v1.3 (iPhone) released.
22 18/05/2020 Source code of v1.3 (iPhone) released. iPhone crash fixed in Singapore OpenTrace.
23 19/05/2020 Full details of CVE-2020-12586 shared with the Singapore & Alberta teams (and other affected countries).
26 22/05/2020 iPhone TempID expiry issue raised with DTA (and Singapore & Alberta).
29 25/05/2020 The The COVIDSafe App - 4 week update document was released publicly. 26 minutes later, update from the DTA with a planned release date for “the remaining Bluetooth issues”.
30 26/05/2020 v1.4 (iPhone) released and available to download, source code partially available same day but unable to compile as source code is missing. v1.0.18 (Android) source code released but Android application but not available to download from the app store.
32 28/05/2020 Submisisons for the Australian Senate Select Committee on COVID-19 close.

Appendix - Google Android Changelog

Version Date Comments
v1.0.11 2020-04-26 Initial Release. Implementation in serious breach of privacy policy. Contained text that caused public panic - "You have COVID19"
v1.0.15 2020-05-04 Brand new coat of paint and did not resolve privacy breach. Accidentally added 20 second pause to the launch screen.
v1.0.16 2020-05-04 Removed 20 second pause from the launch screen.
v1.0.17 2020-05-14 Partially resolves privacy breaches.
v1.0.18 2020-05-27 Source code released but application not available for download from the app store. Analysis pending.

Appendix - Apple iPhone Changelog

Version Date Comments
v1.0 2020-04-26 Initial Release.
v1.1 2020-05-05 Debug view removed, updated design and removed com.googleusercontent URLScheme.
v1.2 2020-05-14 Largely fixed background behaviour. Implemented the fix for CVE-2020-12717.
v1.3 2020-05-14 Removed daily notifications to remind users to keep app in foreground.
v1.4 2020-05-26 Application released, source code was partially published but unable to compile as files are missing. Analysis pending.