The Get Cyber Resilient Show Episode #15

This week Gar does a deep-dive into the security of the COVIDSafe app with the CIO of Allens, Bill Tanner. Bill has over 12 years experience in the legal industry and has some unique insights on the COVIDSafe app that were gained from evaluating the app for his staff. Bill shares his thoughts and experiences from attending a recent app teardown session conducted by Geoffrey Huntley, who is leading a local research group on COVIDSafe security and privacy. Gar and Bill explore exactly what the app does and doesn’t do, the privacy concerns as well as the legal issues surrounding it.

Security research on the COVIDSafe app: https://covidsafe.watch/

Links to some great articles and research from Allens on the COVIDSafe app:
COVIDSafe – What we now know: https://bit.ly/361Jozo
COVIDSafe Bill – Good progress but theres more to do: https://bit.ly/2yWNrRu

#COVIDSAFE #cybersecurity #cyberresilience #getcyberresilient

The Get Cyber Resilient Show Episode #15 Transcript

Gar O'Hara: [00:00:00] Welcome to The Get Cyber Resilient podcast. I'm Gar O'Hara. And this week we do a deep dive in the COVIDSafe app with Bill Tanner and who's the CIO over at Allens. Bill comes with a 12 years experience in the legal industry and with the release of the COVIDSafe app, he needed to evaluate its use by the Allen staff.

As part of his research, he attended a tear down session conducted by Jeff Huntley, and Jeff is leading a local research group on the app and its security and privacy. We cover exactly what the app does and what it doesn't do. We talk through some of the issues around privacy and there are some, but the general consensus so far is that they are low risk. We touch on the legal side where Allens have published some great papers and they're in the show notes, and they're definitely worth a read. I highly recommend those. So over to the interview and as always, I hope you enjoy. Welcome to the Get Cyber Resilient podcast. This morning I'm joined by Bill Tanner from Allens. Good morning, Bill.

Bill Tanner: [00:01:02] Morning Garret. How are you?

Gar O'Hara: [00:01:04] I'm doing well. Thank you. Um, we, we were chatting recently about the, the COVID app and, um, you've done a fair bit of work in that space for Allen. So I thought it'd be awesome to maybe get you on and, and have you kinda discuss it. Can you, for the audience just kind of give us a brief run through of, of who you are and what you do.

Bill Tanner: [00:01:21] Yeah, sure. Thanks for having me today. Um, so I'm the chief information officer at Allens. Uh, we're an international law firm with offices throughout Australia and Asia. Uh, I have a history of web and software development with a core focus on delivering business efficiency through automation and business process re engineering. Uh, as the CIO at Allens, my focus became one about risk and security, both for the firm and our client data, um, all while planning business improvements and efficiencies.

So I, I enjoy that balance of pushing the business forward and also making sure we do it in a secure and balanced way. Um, so that's kind of what took me into, um, looking into the COVIDSafe app. I wanted to make sure I was comfortable that our people were installing that on phone devices. Um, and of course that I was personally comfortable installing it as well from a, from a privacy perspective.

So while I was considering the technical side, we had our legal teams looking at, um, and reviewing the app from a legal perspective. Um, so yeah, I kind of had a good balance to be able to get both perspectives and hear, hear from that as we were going through the review.

Gar O'Hara: [00:02:28] Awesome. And, and look, one of the things that I, I think it's fair to say is that there's been some misunderstandings on what exactly the app does, um, you know, how it works, you know, as part of your kind of research into it. Do you mind running us through what the, the COVIDsafe, uh, COVIDSafe app actually does functionally.

Bill Tanner: [00:02:45] Yeah. Sure. Um, and, and before I go into that, I've got to give credit to, to a lot of this. Um, I attended a tear down, um, technical head tear down on the 29th of April that was hosted by a- a number of, uh, security and application developer experts, two of which, um, Matthew Robbins and Jeffrey Huntley walked us through the Android application source code. So a lot of my information, uh, comes to come to, comes to you today from that. Um, so it's also worth describing as I go into this, that any of these views are, are my own and not in, in any way in the position of Allens. So I just wanna make sure I get that legal disclaimer out there. Um, so-

Gar O'Hara: [00:03:24] Absolutely.

Bill Tanner: [00:03:24] ... back to the app, back to the app. Um, there are three core components to it. Um, there's the Bluetooth side, the broadcasting and receiving, um, the bro, uh, Bluetooth signal, that's the storage and then how it then manages the upload to government servers. So the, the, the first section with the broadcasting, as I mentioned, there's the Bluetooth, there's broadcasting and there's receiving.

Broadcasting essentially just says, hey, I'm the COVIDSafe app, this is my, uh, unique ID, my user ID. The receiving side of that says, looks at, for other COVIDSafe app, grabs that user ID that has been published, the Bluetooth signal strength, um, and the device type. And so that's what's broadcast and that's what's coming back. So that's a key component to this. Um, the, the next major step is then the storage.

So what the device actually does locally with that information. So it stores that information in a database that only the application itself can access, so that the risk of any other application, um, hacking into that local storage is, is minimal or nonexistent because it's using, um, the out of the box, um, iOS or Android operating system controls to make sure the security of that database is maintained.

Um, it also, the way it stores that information is as it enters new data, it automatically deletes data older than 21 days. So for me, that was quite important as we were reviewing, um, what the government was saying about the app that the technical validation was, was true in that as well. And then the third component is the upload. So the a- access to that data that is stored on, on the app itself, um, can only go to government servers once it's endorsed or approved by, um, the user themselves.

And there's a verification piece to that. So once you click allow or upload to government servers, you then get a, like a two factor authentication pin code sent to your phone that you enter into the application, allowing that data to be uploaded back to the government servers. And for me, that's a really important point is even though the starter is being stored on the device, you still have the choice to upload it to government servers when you, when you want to, or when you're requested to and when you're comfortable to.

Um, so as through that tear down, it was really good to see that the way those things were implemented, um, didn't expose, um, vulnerabilities that are only implemented in a single place, uh, and wracking a, a really quite a, a good, um, well engineered application. Another key part for me in the tear down was, uh, the check that, um, location information wasn't being stored. And, um, what we s, what we saw on the Android application was the GPS classes weren't even implemented. So it can't track or store location in the implementation. And what we saw on the database code, was it again, only stored that Bluetooth information that was published.

Gar O'Hara: [00:06:32] Absolutely. And, and I think that for me was one of the, the, the when the conversation started on COVIDSafe app and it was a fairly robust, and it felt almost divisive conversation that happened within the security community on, on COVIDSafe. And I think rightly so, like it shows a healthy, uh, interest in what the app was. But one of the things I think was really misunderstood was that it was a location tracking application as in, you know, there was a, a big room in some government's building where there's a huge map of Sydney with a little, uh, dot showing the location of, you know, Bill Tanner and G- Gar O'Hara, almost like one of those old school kind of cop shows, but it really isn't that right.

It's, it's proximity tracking, um, and really only tracking people who have the app installed and proximity to other app users. So like in, in terms of the actual data to me has always kind of seemed like it's fairly, uh, low risk. Um, so look at this point and again, understanding that it's, it's you commenting, but like, as part of your testing fronts to make sure this was safe for your stuff, like, what, what are your thoughts? What were your findings in terms of its safety for, for your stuff?

Bill Tanner: [00:07:40] Yeah. So my, uh, my early days, my focus was two fold. It was one did the app put our data at risk? Um, and did the app do what the government said it did? Um, so I combed through the FAQ that the government put out there, um, prior to attending that tear down. So I was trying to, um, create that checklist of, um, was it doing what it said it would do? Um, and the findings were that, that was consistent. So the FAQs was how the application was, was implemented, which was great.

Then through the way those components that I was mentioning earlier were, were implemented, uh, there wasn't anything that I saw that exposed, um, the data on people's phones to any additional risk. So from a client and from data perspective, um, I couldn't see any, any reason not to install the application. Then of course, um, you then take it into a personal privacy, uh, perspective.

And that's where we defer to our local teams for their advice on that. Um, but it's always something that, that I needed to be comfortable, comfortable with myself. Um, so when I put my position out there, I was saying my own personal choice is I, I've installed the application and I have, and I still have it on my phone. Um, and rather than trying to coerce or, or influence anyone's own personal decision, I was just making a statement around what I've done based on a technical review and, um, of the application itself. So yeah, there, is there privacy concerns? Yes. Is, um, but there's, there's privacy concerns with every application we choose to use. Um-

Gar O'Hara: [00:09:22] Yep.

Bill Tanner: [00:09:22] ... so I use Google Maps often. It tracks a lot more than this application does for, for example.

Gar O'Hara: [00:09:28] Yup. 100%. And, and the, even the idea that, uh, many people are voluntarily using social media apps on their phone and, uh, you know-

Bill Tanner: [00:09:38] Yes.

Gar O'Hara: [00:09:38] ... what, super cookies and then just, I mean, to be honest, regular cookies and, and all the information that people willingly give out about their daily habits, um, I would say even things like smart watches tracking very personal information, like your heartbeat, level of fitness, your workout areas. Um, it, it is an interesting, sort of almost cognitive dissonance in some ways where people are, you know, happy to give away way more information to private enterprises.

Um, but then when it seems, seems to me certainly like it's, it's, it's a less amount of information and low risk information that, um, you know, there was such a, uh, a furor over it. But I guess I think it shows a healthy skepticism. I think that's a really good thing actually in our industry is to not kind of blindly assume that everything is okay. And-

Bill Tanner: [00:10:24] Yeah, I absolutely agree. And I, I think the government, um, pushing and saying, we really want everyone to be installing this, um, has, has kind of created that debate where-

Gar O'Hara: [00:10:35] Yeah, I, I agree.

Bill Tanner: [00:10:35] ... what you access in from the corporate enterprise, um, is absolutely your own personal choice. There's no one pushing you to do that. It's making your life more convenient. Um, and so you're making that hopefully prognosis decision as to what you're giving up when you I, install those applications. But with a government asking you to do that, yeah, that's where, uh, that potential trust deficit comes into play and you're, in the skepticism that's in the market.

Gar O'Hara: [00:11:02] Yeah, absolutely. And I think there was probably some missteps at the start where, uh, people were probably triggered by some of the language around, you know, mandatory installing of the app and some of those things, which obviously didn't turn out to be the case. But I, I, I do think there was probably more of a messaging problem than messaging and marketing problem than there was ever a technical or privacy, uh, issue.

Um, you know, one of the things that I, I think is fair to say, but you can definitely correct me if I'm wrong with like the, the reverse engineering of the, the code and the applications is there. And there's some really good analysis as you say. Um, Jeff, uh, Jeff Hensley and, and Jim [inaudible 00:11:40] also has a fairly detailed breakdown on his kind of, um, investigations on the app.

Um, one of the things I think that maybe, uh, or still hasn't been gotten right, is the feedback of experts and developers in the security community, into the, the governments in terms of, you know, call it open source developments, but bug hunting, you know, a lot of the things that have been considered best practice for, um, applications and, and platforms these days. Many companies are doing paid book hunting because they know it's a, it's a really good way to figure out if there's, if there's holes-

Bill Tanner: [00:12:15] Yeah.

Gar O'Hara: [00:12:16] ... and gaps and it feels like I'd be very keen to get your thoughts on, you know, how the, the government has a- approached that side of things, where the, you know, the code is, it's, it's published, but the, and GitHub is locked. There's no ability to kind of provide feedback or responses. Like what are your thoughts on, on maybe you know how that's been approached?

Bill Tanner: [00:12:35] Yeah, th- that, that's a really interesting one. Um, I, I think, uh, I, I generally have a pretty positive outlook, uh, on, on some of these things and, and try and provide a little bit of, uh, trust [inaudible 00:12:48] in, in the way people are approaching things. Um, so the fact that those programs don't yet exist, uh, I would hope will, will, will change over time. And, and maybe it's the nature of people moving very quickly and government organizations like some large corporates are quite slow moving entities.

Um, so the fact that they're jumping on these things quite quickly, I'm hoping they'll fix those problems. So yes, it, it is good to have those kind of bug bounty, um, and feedback loops, um, available. Right now the, the key way that, um, citizen developers, um, are able to provide feedback is through is a, is generally the support channel. Um, that hasn't, I- is a challenging mechanism.

You, you, you typically go through layers of, um, first level support people before you can get to an engineer if you get to one at all. So if, if they can open that up, I, I would absolutely, that would actually great, be a great thing to see. Um, since they've now open source, the actual source code, I think it's making it easier for people and the research group that's, um, formed around this, in, in the public to, to be able to come through, um, the application itself and, and they're actually creating their own issue tracking system and making that public too, to kind of help make sure that there is transparency in what they're doing.

Um, o- obviously what they're doing is, is of their own views, but they're, but the fact that they're making a transparency, everything can be challenged and, and discussed openly. So, um, the, the progress that's happening there, it's good. Um, it's actually quite interesting that, uh, while there was one update, um, a few days ago, and it was really a- an updated user experience and some messaging on the phone, um, there was actually a release about 15 minutes ago of the, the application, which until now there wasn't some wasn't movement on bug fixes in the app. Um, there's some hope that this application is, or has, has fixed some of those, those kind of issues that have been raised previously with, with those bugs. So, um, the research team is actually validating that new release right now.

Gar O'Hara: [00:14:57] Yeah, that's good. That's great to hear. And, and that's on the episode. I mean, one of the other concerns that has been raised is around the server side and, and I don't think the code for the server side has been released yet. So there's a little bit of kind of faith and trust that goes into the depart where, and my, my take is that everything has been done correctly, um, or as good as could be expected, given the, this very short timeframes that were involved to-

Bill Tanner: [00:15:20] Yeah.

Gar O'Hara: [00:15:21] ... get a solid app. And that, you know, had pretty decent privacy considerations built in, you're spot on there's some stuff that like any other organization or, or any other app would, you know, will have little bugs that need to be fixed along the way. But I think even, um, yeah, guys like Jeff [inaudible 00:15:37] when he was kind of doing his breakdown, said, "Yes, this stuff, there are issues," but you know, his exact words were, "Don't panic. Users are advised to be aware of these issues, but in most cases-

Bill Tanner: [00:15:46] Yep.

Gar O'Hara: [00:15:46] ... might reasonably conclude that they're not significant enough to warrant not using the app. The server side though is still, as far as I'm aware, a little bit of a black hole in terms of what happens to that data when it goes there. And, and again, to your comments earlier, there's two sides to this, there's the technology side. Um, and that will only really be understood once there's, um, a white paper produced on, you know, in terms of the encryption approaches and some maybe de-identifying algorithms that have been used potentially. Um, and then just the legal side. And what are your thoughts on the, the bill that's covering the privacy of the app?

Bill Tanner: [00:16:23] Yeah, so th- th- that, one's a hard one for me. And to be very frank, I couldn't do that question too much justice, and I, I really wanna leave that to our legal, um, experts. So Allens, um, has been covering all manner of impacts of COVID-19 for our clients via our website, um, and putting public our, our inside articles, um, as to what, um, advice we can provide from, from that context.

Um, in that, with what I think is quite a good write up in the draft bill that, that was put forward, um, and our tagline on that article, I, I think sums it up quite nicely. Uh, and it's similar to, to Jim's comment on, um, the technical part of the app is, the COVIDSafe bill is good progress, but there's more to do. Um, and I think that's like what we were saying, there's going to be bugs. There's going to be things that need to be fixed.

Um, as long as there's an ongoing dialogue to that, um, I think we'll, um, get to it to a good place. So, yep, it is good progress. Yes. There's more to do. Um, and I would, I would recommend any listener here, head over to, to our, our website and look up that COVIDSafe bill, um, to, to really go through it and we, we, are right at the top. There's some key takeaways from, from that bill and it's quite easy to digest.

Gar O'Hara: [00:17:40] Yeah, absolutely. We'll actually include the links to both, uh, of the articles that, uh, Allens have produced. They're, they're both excellent. I've read through them. Um, definitely the one in the bill is, for me, and it was incredibly useful, um, you know, as non-legal person to, to be able to kind of get at least a, a surface understanding of what's going on and what it all means. So, um, we'll include those as part of the show notes for, uh, for today's episode.

Um, so, you know, in terms of the legal, you know, that that's one for the lawyers, for sure. Um, in terms of the technology side of things and obviously there's some guessing here because we don't really know server side too much so far. But there's like, there's been plenty of examples where apparently de-identified data has been re identified and, and sometimes fairly trivially.

Um, there was the example with the, the Mikey data. Um, it's a few years ago, maybe last year even, where, um, the, the Mickey transport data was kind of produced, but it was fairly easy to kind of re identify data based on your public tweets and, and stuff like that. And it's the, the famous instance of the New York, uh, city cabs, GPS data being, um, produced and provided for people to do analysis.

And, you know, this stuff can be incredibly useful, right? We can understand, um, traffic patterns. There's a lot of very, very useful things from a societal level that can happen. Um, but in both cases, the data was, was kind of re identified in the case of the, the taxi GPS data. And one of the researchers was able to look at paparazzi shots and, you know, find out where, you know, people like Ryan Gosling were staying in, you know, what hotel, whether they'd left a tip or not.

Um, so, you know, in that case, it's kind of, it's sort of funny more than anything else, but it's a very good example of the potential of stuff that feels and seems safe right now to be re identified. If you g- got any thoughts on that or like, is proximity something that maybe-

Bill Tanner: [00:19:30] Yeah.

Gar O'Hara: [00:19:31] ... isn't that, that big a deal?

Bill Tanner: [00:19:33] Yeah. So, uh, starting with the, the service side, um, yes, we hope that they'll open source or, or as you said, credit or white paper on the way they're doing, um, encryption and the like. Um, the risk of, of that data, um, being used in a extensive way, um, I- I believe is low through to the fact that your data is only uploaded once you've given consent and will only be 21 days old. Currently, there's no guarantee they're going to delete that data that you do upload after 21 days.

They may need to do algorithms over time, too, and, and analysis over time to, to, um, figure out what, um, patterns or, um, may take them longer to do the analysis they need to do. Um, so I, I'm not sure what the position and whether it's been updated position on what that will, how long they'll sort that data service side. But the fact that you're giving consent, your data is only 21 days old and doesn't have any location information in it.

Um, it, it means that if something is re identified, uh, there's still a, a reasonably low risk on a, what could be determined based on that information. If you think about the data that you're providing as you register for the application, um, you, you're giving a name, which could be a pseudonym. So it's your choice as to what name you put in there. It's your mobile number and postcode. So, um, these types of data points, um, are about well in many other places. Um-

Gar O'Hara: [00:21:09] Yep.

Bill Tanner: [00:21:09] ... and as I said, don't, uh, don't necessarily personally identify you, especially if you choose to put a pseudonym in that name. So that risk is low. I think that other providers like Google and Apple that track your, your data through maps and other applications as you mentioned earlier, things like Twitter and other social media applications, um, geolocation on photos, all of these data points will, will provide a much richer data source, um, for the purposes of re identification.

Some of the bugs that have been talked about, um, with, uh, the Bluetooth signaling, um, do expose some risk a- as to what can be used to re identification. And some of them actually, uh, expose risks without the re identification, um, occurring. Uh, right now I think there's one bug which I'm really going to watch very closely with this, with this current update, that it has a potential to publish your phone name.

So my phone name prior to this was, um, Bill's iPhone. Uh, I think many, many people's phones have their name in their phone device name itself. Well, the app doesn't store device name, the Bluetooth transmission has the potential to transfer that information. Um, so the there's theories around whether or not, um, hackers could create their own listening application to store that information.

So I, the real identification risk, I think is really quite low based on what's stored. Um, and the fact that you've chosen, uh, to upload that information, um, and if they can get these, the bugs that have been identified fixed quickly, I think it will continue to shrink the, uh, privacy and, and personal risk, uh, exposure down more and more. So coming back to how quickly the government can turn around application updates and, uh, get feedback from the community. Uh, I think the, the, the faster that happens, uh, that the better it will be overall.

Gar O'Hara: [00:23:09] Yeah, absolutely. And it, it does seem to me, they, uh, some of the, the profiles of the companies, uh, that were involved with and, you know, I believe I had last seen was involved in the development and, you know, it's, they're, they're fairly experienced folks, um, with, you know, good developments has, is in place. So, you know, would, would understand, um, you know, agile kind of development and how to do this stuff fast.

So, yeah, couldn't definitely echo what you, what you've just said there around the kind of, um, yeah, expediting their, the bug fixes so that there is less and less of a concern around this. But I think the general feeling that I'm kind of getting at this point from, obviously from you, but from the industry in general is, is you know, [inaudible 00:23:47] must read his comments, like don't panic. Like there's some stuff here, but you know, the, the reasonable conclusion is that the benefits to Australia, to our society, uh, they, they're way significantly the, you know, the, the potential privacy issues or security issues that, uh, you know, exist so far.

And as you say, if they're, they're fixed, then we're, uh, in an even better place again. Um, y- you may or may not want to come into this, but any thoughts on, um, some of the, the stuff that's hit the news around the use of, uh, AWS versus like a local cloud storage provider and, you know, the, it's more of a politics thing, so completely understand if you don't want to get into it but-

Bill Tanner: [00:24:27] Yeah.

Gar O'Hara: [00:24:27] ... any, any thoughts.

Bill Tanner: [00:24:30] Um, I, yeah, I- I - I think supporting the local economy versus a big global is always gonna be a hotly debated topic. Um, choosing a big global, well respected, well architected platform for this kind of solution. Uh, I, I think is, uh, a reasonable decision be making. Um, yes, a- and it's been covered in the news. Yes. There are local providers that could provide a similar service. Um, but yeah, having the exposure, having how many developers worldwide that could contribute to that ecosystem, I know, you know, open manner just enables more and more, um, ability to react to changes, react to, um, improvements that are needed, um, and get that feedback, um, in a timely manner.

Um, so I, I- I- I- I can't hold it against the government for going, for going down that path. Um, I know when they were doing the census, there was a lot of people saying they should have used AWS and they should have used the scalable services. Um, and so y- you're always going to have both, both arguments that will come into play w- w- with when they occur and you're never going to make everyone happy. So for me, I think it's a reasonable decision to make.

Gar O'Hara: [00:25:54] Yep. No, definitely. And Bill, we've definitely run out of time, um, at this point, but I, I think we've kind of covered a lot of grant and, and definitely, uh, hopefully can speak for the audience's perspective and just want to thank you, um, for the, the time you've put in to kind of research it from Allens, uh, staff's perspective and then being able to kind of feed back to, uh, to us here on the Get Cyber Resilient podcast. So thanks so much for, uh, for taking the time and, um, yeah, have a good rest of your day.

Bill Tanner: [00:26:22] No problem. I might just, uh, throw one, one final, um, plug out. I know people are quite interested in this and, and there's been a lot of tweets and social media in all different directions on the, the, the issues and the public sentiment around this. Um, a new website has been created to try and bring all of that together. Um, I only just found out about it last night. I was doing some more research for this web, um, this podcast. And so it's called covidsafe.watch. Um, and still being under development. But, um, it's looking to help bring some of this stuff together and make it easier for the research to be followed. So it may be quite technical, but, um, it's something I'm gonna keep having a look at.

Gar O'Hara: [00:27:00] Excellent. We'll include that in the show notes also. And so a few things for, for folks to watch out for the, uh, the Allens' articles and strongly recommend reading those. They're both excellent. And then we'll include a link to the, uh, covidsafe.watch, uh, website as well. So thanks for that tip.

Bill Tanner: [00:27:16] No problem. And, uh, yeah, hope everyone got something out of this. And, um, thanks again for inviting me along here.

Gar O'Hara: [00:27:21] Thank you, Bill. Excellent recommendation from Bill on the covidsafe.watch website. We'll include that in the show notes, for sure. Thanks again to Bill for the research and for taking the time to talk to us, and thank you for listening to the Get Cyber Resilient podcast. As always, I look forward to catching you next time.