What you need to know
- There's a critical flaw in Australia's COVIDSafe app on iOS.
- When your iOS device is locked, the app can no longer retrieve the random number used to identify you.
- That means your device can't be logged by others around you.
A critical flaw has been discovered in Australia's COVIDSafe app which stops a locked device from retrieving a new random identification number.
New TempIDs cannot be retrieved when a device is locked. This results in a locked device which has an expired TempID with behaviour:
- As peripheral, not providing its TempID to devices which ask for it, and
- As central, not being able to write to a peripheral its TempID.
It will record a device acting as central which writes to it. A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged.
The example he uses is of someone locking their iPhone, putting it in a bag and going out for the day. Whilst the phone remains locked and unable to fetch a new random identifier, no other device they come into contact with will lodge that device as a contact. If two devices in that state come into contact, no contact will be lodged at all. In real terms, if that person were to come into contact with someone carrying COVID-19, they would not receive a notification about the encounter after the fact. Commenting on Twitter, Nelson stated:
How can this go so poorly? This is another bug that may have led to comments that the quality "deteriorates" as the device goes to locked, but again, it's not a result of iOS Bluetooth, it's simply a bug in COVIDSafe.
Code was "reviewed by government security agencies, academics and industry specialists"
Out of all of these, did nobody say "Hey, it stores a secret in Keychain. Is key material available/unavailable at appropriate times?" This is really basic stuff when storing encrypted data.
The Australian government has previously admitted its iOS app was not working as expected because of the restrictions iOS places on its use of Bluetooth, which apply because the app does not use Apple and Google's API.
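The Keychain point Nelson raises comes down to the accessibility class chosen when a secret is written: that attribute decides whether the item can be read back while the device is locked. The following Swift snippet is an added illustration, not code from the page, from COVIDSafe, or from Nelson; the service and account names are placeholders, and the page does not say which accessibility class COVIDSafe actually used. It shows the class whose reads fail on a locked device beside the one that remains readable after the first unlock following boot, and a read routine that surfaces the "not accessible while locked" status instead of silently returning nothing.

```swift
import Foundation
import Security

// Placeholder identifiers for the example; not COVIDSafe's own.
let exampleService = "example.tempid.store"
let exampleAccount = "current-tempid"

/// Accessibility classes relevant to a secret that background code must read.
enum TempIDAccessibility {
    /// Readable only while the device is unlocked. A Bluetooth exchange
    /// running with the screen locked gets errSecInteractionNotAllowed.
    case whenUnlocked
    /// Readable any time after the first unlock since boot, including while
    /// the screen is locked. Weaker at-rest protection, but required if the
    /// value must be available to background work.
    case afterFirstUnlock

    var attribute: CFString {
        switch self {
        case .whenUnlocked:     return kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        case .afterFirstUnlock: return kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        }
    }
}

/// Store (or replace) the TempID with the chosen accessibility class.
func storeTempID(_ data: Data, accessibility: TempIDAccessibility) -> OSStatus {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: exampleAccount
    ]
    // Remove any previous item so the new accessibility class takes effect.
    SecItemDelete(lookup as CFDictionary)

    var add = lookup
    add[kSecAttrAccessible as String] = accessibility.attribute
    add[kSecValueData as String] = data
    return SecItemAdd(add as CFDictionary, nil)
}

/// Read the TempID back. Returns nil on failure and reports the specific
/// case where the item exists but is unavailable in the current lock state,
/// which is the condition a test run with the device locked should catch.
func loadTempID() -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: exampleAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne
    ]
    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else {
        if status == errSecInteractionNotAllowed {
            print("TempID stored, but not accessible in the current lock state")
        } else {
            print("Keychain read failed with status \(status)")
        }
        return nil
    }
    return result as? Data
}

// Usage: write with the class that stays readable while locked, then read back.
let tempID = Data("constructed-sample-tempid".utf8)
let status = storeTempID(tempID, accessibility: .afterFirstUnlock)
print("store status:", status)
print("loaded:", loadTempID().map { String(decoding: $0, as: UTF8.self) } ?? "nil")
```

The trade-off is deliberate: the after-first-unlock class leaves the value decryptable on a powered-on locked device, so it should only be used for secrets that genuinely have to be read in the background, and the rest of the app's data can keep the stricter class. The practical check is the one implied on the page: exercise the read path with the device locked, and treat errSecInteractionNotAllowed as a test failure rather than an empty result.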