COVIDSafe is the name given to an app launched by the Australian Government in order to help with contact tracing. COVIDSafe implements the opensource BlueTrace protocol which uses Bluetooth to exchange ID codes with devices that are within 1.5m of each other for a time period of 15 minutes – Although some testing has shown this distance and time can vary.
With the release of COVIDSafe came misinformation about the app tracking your location. Many people jumped on social media to express their concerns regarding location tracking and the information required by COVIDSafe. The irony here being that many people have happily shared their name, phone number, location, and even more personal information with companies such as Facebook, Google, and TikTok, and that your phones location can be tracked at any time by your service provider using network triangulation.
COVIDSafe requires Bluetooth to function. Bluetooth has had known vulnerabilities. These tend to be low risk as the attacker needs to be in close vicinity to be successful in attacking your device, but still dangerous nonetheless.
There is a good chance that you already use Bluetooth to connect to you car, your fitness tracker, or your speakers. Having Bluetooth turned on is a requirement for running the COVIDSafe app, and for most people this is something they are already running so it not introducing any extra risk.
When Bluetooth is enabled you will be broadcasting the name of your device: “John’s iPhone” or “Galaxy S10”. This is mostly a privacy risk as your phone may be broadcasting your name to people nearby. There is also the security risk of broadcasting the model of your phone to a potential attacker, giving him more information needed to compromise your device.
These issue existed before COVIDSafe although have they been more publicised since the apps release. It is simple enough to change your device name by following steps provided by Apple (iOS) and Samsung (Android).
COVIDSafe uses the BlueTrace protocol. BlueTrace is open source software. This means that anyone is able to review the code to ensure that no backdoor have been added by the developers. The COVIDSafe app is also opensource and can be viewed on GitHub.
There were talks of moving to Exposure Notification Framework developed by Apple and Google to improve the reliability of the app. The government decided against this because it is not compatible with the BlueTrace protocol meaning people using the BlueTrace version would not exchange IDs with the users of the Exposure Notification Framework version. To use Exposure Notification Framework, users would be required to update their mobile devices operating system. This mean anyone who cannot update to the latest version of iOS or Android would not be able to use COVIDSafe. At this stage COVIDSafe is staying with the BlueTrace protocol.
COVIDSafe relies on Bluetooth to send and receive ID codes between users. The app needs to be opened regularly to ensure that it works effectively. This is especially important on iOS devices where there are limitations on how Bluetooth is used by apps when an app is left running in the background. It is recommended to open the app before going out in places where you will contact many people. If you’re out for the day check it is still running throughout the day. Once running the phone can be locked as normal.
This registration data is uploaded a database stored on Amazon Web Service (AWS) if an attacker was to gain access to the data they would need to decrypt the data before they could gain any information from it. AWS is one of the largest cloud computing platforms and is already used by Government, Banking, and other business that you deal with daily.
COVIDSafe records the following data:
- Encrypted user ID – ID codes are temporary and are rotated frequently. This stops a malicious actor from tracking your ID by sniffing Bluetooth traffic
- Date and time of contact
- Bluetooth signal strength of anyone you come in contact with
A new encrypted user ID is created every 2 hours. This is logged in the national COVIDSafe data store operated by the digital transformation agency. No location data is collected at any time.
This information is also recorded on other users devices and the data is automatically deleted after 21 days.
It is also possible for your to delete your sign up data if you decide to stop using the app. You can do this at the following website: https://covidsafe-form.service.gov.au/
The app isn’t perfect. As outlined in this article published by The Guardian, “The federal government’s COVIDSafe contact tracing app works as few as one in every four times for some devices, documents tabled in the Senate have revealed.”
The devices in question is iPhone, which as outlined earlier, requires the app the be opened regularly for it to work efficiently. For more effective contact tracing COVIDSafe would need to move to the Exposure Notification Framework, which as outlined earlier is not going to happen.
The ABC reported that “the information logged by the app provided no information that was not already collected through traditional contact tracing.”
While this means contact tracing teams are doing an excellent job, it’s possible that with low cases, the app is no more effective than traditional contact tracing. If cases increase, COVIDSafe might be able to automate the process of contact tracing thus lowering the manual workload.
Whether or not you choose to install COVIDSafe, please remember to wash your hands and keep your distance. And if you’re experiencing cold or flu-like symptoms, stay home and speak to your doctor about getting tested