Article:

What you need to know about the Australian Government’s COVIDSafe application

30 April 2020

Matthew Bunker, Manager, Cyber Security |

The COVIDSafe application recently released by the Australian Government has come under much public scrutiny. Concerns have been levelled at the privacy of personal information and tracking of individual movements. What the media and industry commentary has highlighted is a level of public unwillingness to believe the government is not trying to spy on Australian citizens.

The Australian Government has passed some unprecedented legislation regarding the use of information in the application. The Department of Health is the information custodian, making it the only department authorised to access user information provided via the COVIDSafe app. Not even a warrant issued by an Australian Federal Court can subpoena information from the National COVIDSafe Data Store.

The application is controlled by the Digital Transformation Agency and information is being stored in Australia in an Amazon Web Services (AWS) data centre at the Protected level.

How the application works

The intention of the application is to aid in the reporting and tracing of COVID-19 cases across the country.

To achieve this in a secure way, it employs a range of digital technology methods. Here are the key facts.

  • COVIDSafe uses Bluetooth to record ‘digital handshakes’ with users that come into close contact with each other (1.5 meters).
  • A 'contact' is stored in an encrypted partition of the application each time a user comes into contact with another user. The date, time, duration and distance are recorded.
  • All data is stored in the application, including user IDs and digital handshakes with other users, and is deleted every 21 days.
  • The application does not record your location, nor the location of any people you come into close contact with.
  • The National COVIDSafe Data Store will automatically generate new unique IDs every two hours, and send these new unique IDs to the user’s application.
  • Encryption keys are generated and stored in the National COVIDSafe Data Store.

So what does this mean?

The ACSC (Australian Cyber Security Centre) has awarded AWS the highest level of data security classification available in Australia for cloud applications. Given the federally mandated requirements to achieve such a classification, this significantly limits the types of threats that could exploit information in the National COVIDSafe Data Store.

The encryption standard used would need to comply with this level of classification, and although there has been no reporting of what encryption level this is, current guidelines from the ACSC suggest it would be at least AES128 bit encryption.

Advanced Encryption Standard has never been cracked and is safe from brute force attacks.

Using the application

If you have not seen the application for yourself, you may be wondering how it works when downloaded onto your mobile device. This is what you can expect.

  • When the application has been downloaded, the user is required to enter the following information:
    • Full name (can be a pseudonym)
    • Mobile number
    • Age range (can be false)
    • Postcode (can be false).
  • The National COVIDSafe Data Store confirms the mobile number by sending a one-time six-digit code in a SMS text message, which needs to be entered into the application.
  • A unique temporary ID will then be generated by the National COVIDSafe Data Store. This ID is then sent encrypted to the user’s application and stored there. This will change every two hours.
  • Unique ID reports are stored encrypted in the National COVIDSafe Data Store.
  • The application must be left on and running in the background for the digital handshakes to be most effective.
  • Applications perform a digital handshake with each other using Bluetooth technology. These contacts are stored on the user’s phone in an encrypted partition.
  • The COVIDSafe application does not interact with any other application on your phone, like many other applications do (e.g. Facebook).

So what does this mean?

The only information held by the National COVIDSafe Data Store is the phone number of the individual and a rotating unique ID, all other information can be anonymised by the user if they wish. If not anonymised, the most information the COVIDSafe National Data Store would hold is a user’s full name, age-range and postcode.

To put this in perspective, if you use applications like Uber Eats, a foreign-owned company has your home address, phone number, full name and credit card details stored in their database.

The information contained within the National COVIDSafe Data Store is not that attractive to cyber criminals looking to exploit the information for financial gain. The biggest threat exists from cyber criminals exploiting COVIDSafe by sending emails and SMS messages with malicious links that trick users into downloading malware (as is the case with all other institutions that hold your personal information, such as banks, loyalty programs, telecommunication companies).

To breach the National COVIDSafe Data Store would require a complex attack conducted by a well-resourced and highly skilled cyber threat actor group (e.g. Nation State). The intent would be more to cause reputational damage to the Australian Government than to steal anonymised phone numbers.

Information privacy

Many people have been worried about the privacy of their information. Here’s what you need to know.

  • The application is opt-in – opt-out. Users can delete the application and any contact information stored on the device at any time. If information has been uploaded to the National COVIDSafe Data Store it cannot be deleted by simply deleting the application.
  • Information about other application users a user has come into contact with is stored encrypted on the user’s phone. The unique ID changes every two hours, therefore, a compromised device would not allow a cyber threat to obtain the identity of a user.
  • If a user tests positive to COVID-19:
    • A Public Health Official will ask them to upload the digital handshake information into the application.
    • The Public Health Official will enter the user’s phone number into the National COVIDSafe Data Store and the user will then be sent a one-time six digit pin, which they will need to enter into the application.
    • Once the pin has been entered into the application and the user has given their authorisation, their contact information will be uploaded to the National COVIDSafe Data Store.
    • Only authorised State and Territory contact tracers will be provided access to the “positive” user’s contact information, to perform their role as contact tracers.
  • The Australian Department of Health is responsible for controlling the access to the information.
  • Through the Department of Health, users can request a copy of information held in the National COVIDSafe Data Store.

So what does this mean?

The application has a number of very good technical and process controls in place to minimise the threat of personal information being exploited. The changing unique ID and encrypted partitioned storage on a user’s device make it highly improbable that it could be exploited by a cyber attack.

A number of processes are in place to ensure users’ information is treated with the utmost diligence.

Segregation of duties in approving access to the National COVIDSafe Data Store and users having to authorise the uploading of data through multifactor authentication, significantly reduce any risk of improper use of information.

Technical specs

All reports suggest thorough testing has been taken prior to the deployment of this application. In fact, several application developers and researchers have decompiled both the Android and iOS version of the application and no significant security flaws have been identified.

It is important to note that no GPS and location tracking or unexpected server communication with the application is taking place. Also, no behaviours outside those the application states it is capturing are being recorded.

COVIDSafe appears to follow best practices including pinned certificates and mandatory HTTPS, information stored in the application not being available to other applications, and the segregation, encryption and controlled access of information.

So what does this mean?

The application is using source code that has been thoroughly tested and is available in open source. The independent research into the engineering behind the application confirms it is performing as has been stated by the Australian Government. The BDO Cyber Security team has downloaded and is using the COVIDSafe application. 

If you would like to learn more about this application or the cyber security measures you should be considering in the current climate, please contact our Cyber Security Team.