In less than four hours after the COVIDSafe app was launched on App Stores on Sunday 26th of April, more than one million Australians had voluntarily downloaded the app to help track down people who may have been exposed to COVID-19. The Australian Government had estimated that it could take up to four to five days to achieve one million downloads, however, this extraordinary take up rate sends a strong signal that Australians are willing to ‘trust’ the government and do their part to help eradicate COVID-19.
What Happened to Zero Trust?
Zero trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default. It ensures we only allow the access or privilege of entities that we know are truly safe. However, in the past decade our acceptance of the rights of mobile phone apps can be considered careless and uninformed. Too often we click ‘Accept’ without actually reading the Terms and Conditions and by-design, apps are accessing data covertly and without breaching any data laws. Naturally, we become sceptical when a new COVIDSafe app is released by our Government that openly details the tracing and usage of our data.
Ultimately, the data stored and tracing methods used by the COVIDSafe app is relatively small scale when compared to the likes of Google, Apple, Facebook, Instagram and even WhatsApp to name a few.
The Source Code
Unfortunately, there has been no release of the COVIDSafe app Source Code as was done in Singapore. The Source Code is the actual coding used to create the app and allows the public to analyse the data usage openly and put any doubts to rest. The Minister of Health has proposed the release of Source Code within two weeks following an in-depth Security analysis.
For those who are sceptical about security, it may be wise to wait until the code is released, and get the opinions of experts before you download the app.
When does the COVIDSafe App Store Data?
The COVIDSafe app does not store any data at any given time unless certain parameters are met. The app pings the Bluetooth on a device once per minute to analyse nearby devices. The advantage of using Bluetooth is that the signal strength can be used to estimate distance, coupled with a total of fifteen repeated pings of a nearby device, means that an individual may have been within close proximity of another individual for more than fifteen minutes. Those fifteen pings are the threshold for when the app actually stores data locally on a device. The app does not require mobile data to function ensuring greater statistical accuracy.
Contrary to the belief of many:
- There are no location tracking capabilities despite the app requiring location access. Google and your network provider will have more location tracking information than the app.
- The app does not actually monitor GPS data to track the movement history of the public.
- The app does not collect your email address or any highly sensitive information.
The app will capture & store:
- Basic user information data (name, age range, postcode and phone number) collected when you sign up.
- Bluetooth history is only stored if a smartphone is within close proximity of another device for 15 minutes or more.
- This log is also stored locally on the phone and is not distributed to any person or department.
Who Has Access to the Data?
Control over the data collected is still within the rights of the user up until when the user decides to submit the data. Once the data is submitted, the privileges change and removal of the data becomes a little more complex. When broken down into greater detail, this is what it really means:
- A user may decide to submit log information when they test positive to COVID-19 or if they have come in contact with someone who has just returned a positive result. A user will be notified with a completely optional Two-Factor confirmation (such as a Text Message confirmation) before the data is sent to Health Departments. The purpose of these logs is to strengthen tracing in the fight against the disease.
- These logs are only visible by Health Departments. Commonwealth and Law Enforcement have no access to the information and so no fines can be issued as a result of proximity breaches. The Biosecurity Act 2015 is currently being modified to accommodate the app and these restrictions. If any non-health related departments access the app or there is any secondary use of the data, there are penalties of up to five years imprisonment.
- The app can be deleted anytime which will immediately wipe the locally stored data from your device. If any data was submitted by a user to the Secure Storage accessed by Health Departments, this data will not be destroyed until the end of the COVID-19 Pandemic or unless a data disposal request is submitted through a link in the app store.
- The transmission of data from the app to Secure Storage is also unknown at this point. If the transmission method uses poor encryption or can easily be intercepted, this could result in wide-spread data theft.
- We understand the data will be kept in Australia. It is reported that all data sent by users from the contact tracing app would be stored by the American technology giant, Amazon Web Services.
Data Storage at Rest
Data at rest (stored on servers) is exposed to risk and often is the target for hackers. Whilst we can take all the security precautions when collecting data on our phone, looking at the app source code and when transmitting data to Health Departments, data security at rest is critical. It is important that Health Departments have robust layers of security over storage and appropriate user access controls.
This is where the plot thickens. Although the data that users willingly submit is stored in Australia using Amazon Web Services (AWS), a document known as the CLOUD Act permits US officials to access AWS data with an issuing warrant. While US access to the data can be denied as the AWS stored data will remain in Australia (as governed by the Biosecurity Act 2015), it raises the question as to whether this may change at any given time and if users will be notified of this change.
The Security Behind the App
On the outside, the COVIDSafe app appears to be well and truly designed to perform in the interest of public health and safety. There is no black magic at play to seek revenue or attain control over a nation. If we peel back the layers of the app to look at the technology it uses, this is what we find:
- The app uses an encrypted identifier for each device which is currently on par with the encryption used by banks and major financial institutions.
- There are concerns with the access by Health Departments and whether their infrastructure is designed with security in mind. Any part of a corporate network that has weaknesses poses a risk to the entire infrastructure. A small, outdated network in a forgotten office could spell disaster for large amounts of private user information used by Health Departments.
- Health Institutions have always been a target for hackers and even more so during the COVID-19 pandemic. With the influx of large amounts of user data, Health Institutions will become an even greater temptation for hackers, especially those hoping to commit identity fraud.
The Truth About Bluetooth Security
While the app may have many security considerations, there is also the issue of the Bluetooth Protocol. Since its conception, there have been nine versions of Bluetooth to battle the need for greater speeds, but also the concerns with inherent security limitations. Despite it being a very common connection method, it does have its flaws and its usage should be limited unless necessary. This is why Bluetooth is a risk in itself:
- Having Bluetooth constantly enabled on a smartphone is a security risk.
- Bluetooth hacking is a very common and very simple technique that allows an attacker to obtain complete control over a device including access to photos, contacts, internet data and even locking the owner out of the device permanently. It is important to stay vigilant and not accept any unsolicited file transfers or requests from unknown devices.
- Bluetooth hacking can be performed from up to 100 metres away, with an attacker being able to mask their identity and with enough skill, access a device without the user even being aware.
- While Bluetooth is enabled, be wary of other apps and their permissions, a simple oversight. Popular social media apps have access to vast amounts of private user information that can be resold or used for pesky advertising. This data can be resold many times before it reaches an end, sometimes falling into the hands of a shady organisation.
How Does it Perform?
There are growing concerns around the reliability of the app and its battery usage with many users complaining that the battery life of a device diminishes faster than expected while it is running. Many iPhone users are reporting that the app is unstable and requires the device to be unlocked for it to actually identify proximity concerns. These issues may call for updates or bug fixes in future versions which raises concerns around the consistency of the scope and agenda of the app. With each new release, the Terms and Conditions of the app may be altered and users who often shrug this off, could be in for an unexpected breach of privacy.
Are There Alternatives?
When all is said and done, the Source Code is released, and we have all the facts about COVIDSafe before our very eyes, security is an ongoing battle and vulnerabilities will always exist. If you are one to stray down the path of paranoia and are struggling to come to terms with a government-funded tracing app, there is always one tried and true technique that has been used for centuries.
Keep a manual log using a pen and note pad to record places you’ve been and people you are in contact with. Given social distancing and restrictions, this is not a huge burden. But when restrictions ease, this could be cumbersome. Alternatively, you can use a Notes app or your Calendar to keep a record and this should be adequate for health departments to trace infections when required.
Would we Download the COVIDSafe App?
Well, some of us have already downloaded the app and some will wait until the source code is available and has been reviewed. From a cyber risk and security perspective:
- The app is less intrusive in terms of data collection and location tracking services that many of the most popular apps like Facebook, LinkedIn and Instagram.
- Tech giants that include Google, Apple and your mobile network service provider would know more about where you’ve been that the COVIDSafe app.
- CCTV (closed-circuit television) monitoring, primarily for surveillance and security purposes in cities, towns, shopping malls would know more about where you’ve been that the COVIDSafe app.
- Most of us that already have a computer, smart phone, email account, phone number, credit card, bank account, loyalty or rewards card and health care card have handed over millions of bytes of data about ourselves and are already susceptible to risks of phishing attacks and cyber fraud.
Whilst the app does expose people to some additional cyber risks, compared to the current level of cyber risks most of us are already exposed to, the increase in risk is relatively small. In addition, the app can be deleted/uninstalled anytime and it is completely optional if the user submits their information.
Be cautious of future upgrades too. The functions and features of the app today can change anytime and consequently the level of risk associated with the COVIDSafe app will also change.
How we can help
InConsult is committed to helping organisations become more resilient to cyber risks. We have extensive experience in risk management, cyber security, crisis management, business continuity, emergency management, disaster management and pandemic planning.
If you would like to know more about our cyber risk services, contact us to discuss your needs.