Australian researchers have published the findings of a study that raises further questions about the implementation of the COVIDSafe contact tracing application, which was released by the Australian federal government as part of its response to the COVID-19 pandemic. Jim Mussared of George Robotics and Alwen Tiu of the Australian National University identified a "silent" pairing problem in Bluetooth-based contact tracing applications, this time on Android devices. The vulnerability can allow an attacker to silently pair with another Android device running a vulnerable version of the application. The pairing process involves exchanging the victim's permanent IDs: the Bluetooth device address and a cryptographic key called the Identity Resolving Key (IRK). Either of these IDs can be used by an attacker for long-term surveillance of a phone. Explaining the research findings, Mussared said that this vulnerability is very likely to allow an attacker to silently connect to a user's phone while it is running the COVIDSafe application. Specifically, he pointed out that once the pairing is done, the attacker can permanently monitor the phone, even after the COVIDSafe application is uninstalled or the phone is reset to factory settings. This is done using the MAC address, which will respond to L2CAP pings, he added in a tweet. The vulnerability was reported to the DTA 45 days ago and was fixed 24 days ago in COVIDSafe version 1.0.18.
Mussared said it was "really great" that the DTA was able to find a solution to this problem, but expressed concern that the COVIDSafe application depends on using Bluetooth in a way it was not designed for: the app connects to any untrusted device that happens to be within range. This issue was a consequence of not using the Apple/Google Exposure Notification (EN) API. If the EN API were used, the application would be more functional, reliable and secure. While the local version has been fixed, the vulnerability can affect many other contact tracing applications that have a similar architecture, such as Singapore's TraceTogether and Alberta's ABTraceTogether.
The UK has decided to abandon its own tracing application and will rely on the Google and Apple APIs. Although not a viable solution, at this point an app based on the Google and Apple API appears likely to face some of the limitations identified through testing, according to the UK's Ministry of Health and Social Welfare. However, there is still much to be done regarding the Google and Apple solution, which does not currently estimate distance in the required way. Earlier this week, it was revealed that the DTA was aware that the COVIDSafe application had serious flaws, despite promoting it for public use on April 26, 2020. In addition, according to the survey, locked iPhones received a "bad" rating for transmitting data. Software engineer Richard Nelson published research showing that locked iPhones were virtually useless for recording contacts through the COVIDSafe app. He also noted that a locked iPhone whose ID has expired cannot create a new ID, and that without the ID the device will detect other devices around it but will not be detectable by them.
The DTA reported in May that the operation and performance of the Apple iOS and Google Android versions of the COVIDSafe application were tested prior to its release. In particular, 179 functional tests were performed. Performance tests were also carried out against the technical requirements. The DTA told ZDNet that it continues to receive feedback on the COVIDSafe application from developers, noting that it will continue to release updates in order to offer a range of performance, security and accessibility improvements as required. Finally, it stressed that the Australian community does not need to worry, as the application works safely and effectively. As of last Friday, more than 6.3 million Australians have downloaded the app. Among similar applications in other countries, Germany's "Corona-Warn" application reached 6.5 million downloads within 24 hours, which means that it was downloaded by about 7.8% of the country's population.