Australian governments and companies targeted by a sophisticated state-based actor

What’s happened?

The Australian Government is aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

A range of tactics, techniques and procedures are being used to target multiple Australian networks. It’s important that Australian companies are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility.

What your IT managers can do

The ACSC has produced technical advice for information technology managers.

The advice includes the following mitigation strategies to help reduce the risk of compromise to your systems:

1. Prompt patching of internet-facing software, operating systems and devices

All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available. Organisations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours. Additionally organisations, where possible, should use the latest versions of software and operating systems.

2. Use of multi-factor authentication across all remote access services

Multi-factor authentication should be applied to all internet-accessible remote access services, including:

  • web and cloud-based email
  • collaboration platforms
  • virtual private network connections
  • remote desktop services.

Article courtesy: www.staysmartonline.gov.au

Spying on users of Google’s Chrome shows new security weakness

A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions.

Alphabet Inc’s Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.

“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesman Scott Westover told Reuters.

Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.

Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date, according to Awake co-founder and chief scientist Gary Golomb.

Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.

It is unclear who was behind the effort to distribute the malware. Awake said the developers supplied fake contact information when they submitted the extensions to Google.

“Anything that gets you into somebody’s browser or email or other sensitive areas would be a target for national espionage as well as organized crime,” said former National Security Agency engineer Ben Johnson, who founded security companies Carbon Black and Obsidian Security.

The extensions were designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains, Golomb said.

If someone used the browser to surf the web on a home computer, it would connect to a series of websites and transmit information, the researchers found. Anyone using a corporate network, which would include security services, would not transmit the sensitive information or even reach the malicious versions of the websites.

“This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains,” Golomb said.

After this story’s publication, Awake released its research, including the list of domains and extensions.

All of the domains in question, more than 15,000 linked to each other in total, were purchased from a small registrar in Israel, Galcomm, known formally as CommuniGal Communication.

Awake said Galcomm should have known what was happening.

In an email exchange, Galcomm owner Moshe Fogel told Reuters that his company had done nothing wrong.

“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”

Fogel said there was no record of the inquiries Golomb said he made in April and again in May to the company’s email address for reporting abusive behavior, and he asked for a list of suspect domains.

After publication, Fogel said the majority of those domain names were inactive and that he would continue to investigate the others.

The Internet Corp for Assigned Names and Numbers, which oversees registrars, said it had received few complaints about Galcomm over the years, and none about malware.

While deceptive extensions have been a problem for years, they are getting worse. They initially spewed unwanted advertisements, and now are more likely to install additional malicious programs or track where users are and what they are doing for government or commercial spies.

Malicious developers have been using Google’s Chrome Store as a conduit for a long time. After one in 10 submissions was deemed malicious, Google said in 2018 it would improve security, in part by increasing human review.

But in February, independent researcher Jamila Kaya and Cisco Systems’ Duo Security uncovered a similar Chrome campaign that stole data from about 1.7 million users. Google joined the investigation and found 500 fraudulent extensions.

“We do regular sweeps to find extensions using similar techniques, code and behaviors,” Google’s Westover said, in identical language to what Google gave out after Duo’s report.

Article courtesy: www.itnews.com.au

Google and Apple release technology to help with COVID-19 contact tracing

New technology that could help alert people who have been in close contact with someone who has COVID-19 is being tested to determine if it will work in Australia.

Google and Apple have devised a COVID-19 exposure notification system they hope health authorities globally will use to build contact tracing apps and improve existing platforms, like Australia’s COVIDSafe.

It has been offered to governments across the world and so far 22 countries have requested and received access to the technology, including Australia.

“The Digital Transformation Agency and the Department of Health have been working with Apple and Google to understand and test the Exposure Notification Framework since it was released to see how it can be applied in Australia,” a spokesman for Government Services minister Stuart Robert said.

“That testing is ongoing.”

How does it work?

Apple and Google said the application programming interface (API) was designed to improve local contact tracing efforts and not replace them.

The pair said the technology could address some of the technical difficulties that have plagued contact tracing apps, including Australia’s COVIDSafe.

The API, like COVIDSafe, uses Bluetooth to create a log of other devices that come into close range.

While the government said COVIDSafe worked reliably on launch, Digital Transformation Agency (DTA) chief executive Randall Brugeaud later admitted an iPhone could not always record all the people it came into close contact with due to Bluetooth issues.

“The quality of the Bluetooth connectivity for phones that have the app installed running in the foreground is very good [but] it progressively deteriorates,” he said.

“You get to a point where the phone is locked and the app is running in the background.”

Subsequent software updates to COVIDSafe may have improved these issues, but the DTA is yet to clarify how it has enhanced the performance on iPhones.

“We are continuing the enhancement of the Bluetooth operation of the app on iPhones and it is working as designed,” said Department of Health Chief Information Officer Daniel Keys.

Apple and Google believe that without their assistance, contact tracing apps that rely on Bluetooth may have technical challenges and drain phone batteries.

They also said iPhones and Android phones that have downloaded contact tracing apps cannot easily detect each other without the API.

The technical challenges outlined by the companies suggest the COVIDSafe app is not able to collect all the data it was set out to do.

“Apple and Google cooperated to build … technology that will enable apps created by public health agencies to work more accurately, reliably and effectively across both Android phones and iPhones,” a spokesperson for Apple and Google said.

How are the API and COVIDSafe app different?

The COVIDSafe app keeps an encrypted log of everyone who also has the app on their device if they come into close contact with each other, but users cannot access that list.

But Thinking Cybersecurity CEO Vanessa Teague said there is a key difference in how Google and Apple want the data to be shared.

“It’s crucially different in the amount of information that passes through the central authorities,” she said.

Under the COVIDSafe app, health authorities ask permission to access the information about who an infected person has been in contact with and then use it to notify those people.

Ms Teague said the Apple/Google system would mean health authorities are removed from the process.

While the exact operating details are unclear, it seems that if a person tests positive they can choose to report the diagnosis, which would then send a notification to those who had been in close contact.

“You get a notification on your phone that says you have been in proximity with a person who has tested positive for COVID-19 so then you know, but at that point, the authorities don’t know that you have been potentially exposed,” she said.

Apple and Google would allow public health authorities to decide how to reach exposed individuals for further contact tracing — possibly by asking users to voluntarily share personal details, like a phone number.

But can we even use the API?

While the Department of Health examines whether the API can be used in conjunction with COVIDSafe, Apple and Google have made clear there are restrictions on its use that could complicate any moves by Australia to take up the system.

For example, while health authorities can ask users to share personal information such as a phone number to support contact tracing efforts, the companies’ spokespeople said the app cannot require it.

COVIDSafe currently asks the user to share a name, phone number, and postcode and age range before they can download the app.

Ms Teague said the API will likely fix technology problems associated with COVIDSafe such as Bluetooth connectivity, but the Government may not be inclined to give away the control it has to contact trace.

But she argued that if the Government adopted the API, more Australians could be inclined to sign up.

“That is the key democratic decision to be made,” she said.

“If we want a decentralised app, there will be less information available to a centralised government service.

“But maybe more people will use the app because they will be more willing to do so if that information isn’t being centralised.”

“Or, we could continue to insist on the centralised app knowing some people won’t use it because they don’t want that information shared about them.”

The Government will no doubt be looking to try and find a balance so that it can improve the technology of the app while being able to maintain control of contact tracing.

Health Minister Greg Hunt spoke with Apple’s vice-president for health, Dr Sumbul Desai, to discuss Australia’s health roadmap, which included screening tools and the COVIDSafe app.

Article Courtesy: www.abc.net.au/

Why COVIDSafe hasn’t helped, yet.

COVIDSafe was sold by the Government as essential to lifting coronavirus lockdown restrictions, but the app is yet to provide much assistance to local health authorities.

Since its launch on April 26, more than 6.2 million people have downloaded the app. But so far, no local health authorities have announced that COVIDSafe identified any otherwise unidentified contacts.

Authorities say that is because case numbers in Australia are so low.

“Australia is in a fortunate position with so few cases across the country, including returning travellers who would not have the app,” a Department of Health spokesperson said.

Data from the app has been accessed in around 30 coronavirus cases nationwide, during a period when around 565 new cases were diagnosed in Australia, including infections acquired overseas.

Nevertheless, health authorities continue to urge Australians to download it.

On the weekend, deputy chief medical officer Paul Kelly said COVIDSafe could prove useful for contact tracing if there was a spike in infections from recent Black Lives Matter protests, but only if people had the app on their smartphones.

One person who attended the protest in Melbourne on Saturday is among Victoria’s eight new coronavirus cases, however it’s not yet known if that person had the app.

“The COVIDSafe app would be absolutely critical and crucial in this type of setting. It’s exactly what it is designed to do, is to pick up cases when you don’t know the people around you,” Dr Kelly said.

“We’ve had a very good uptake of the COVIDSafe app, but the majority of people that have mobile phones have not downloaded the app so far.”

Contacts identified via manual contact tracing

In Victoria, the contact tracing app is yet to identify any close contacts of people diagnosed with COVID-19 that were not also identified via the traditional and painstaking manual contact tracing process.

That’s despite the state finding 21 coronavirus cases that had the app and allowed health authorities to access COVIDSafe data.

In May, Victoria announced that one potential exposure had been picked up by the app that manual contact tracers did not locate, but further investigation later found the interaction did not meet the close contact criteria.

“With only a small number of cases being reported each day in Victoria, there have been few opportunities to use the app so far — and we hope this continues,” a spokesperson for the Victorian Department of Health and Human Services said.

In New South Wales, low levels of community transmission have also provided few opportunities to use COVIDSafe.

A spokesperson for NSW Health said the state’s new cases over the past 15 days were predominantly people in hotel quarantine.

So far, data from COVIDSafe has been accessed fewer than 10 times in the state. It’s unclear whether close contacts were identified in those instances.

In Queensland, there have been no COVID-19 positive individuals identified as COVIDSafe users.

And in Tasmania, the Northern Territory, the ACT, Western Australia and South Australia, where there are few or no new coronavirus cases, local health departments told the ABC they have had no opportunity to use the app.

Data from COVIDSafe, which uses Bluetooth to transmit and record IDs from smartphones with the app that are within range, is uploaded with consent to a central database when someone is diagnosed with COVID-19.

It is then analysed to identify close contacts — considered to be those within approximately 1.5 metres, for a period of 15 minutes or more.

Measuring the success of COVIDSafe

It’s premature to judge the success of a public health intervention like COVIDSafe, according to Seth Lazar, who leads the Humanising Machine Intelligence project at the Australian National University.

“There’s just not enough cases and not enough time,” he said.

“For any measure you want to look at, you want to have enough cases and enough data.”

But it’s unclear how the contribution of COVIDSafe to Australia’s contact tracing regime will ultimately be measured, and there are few public benchmarks.

While more than 6 million Australians have downloaded it, this is still short of the 40 per cent of the population target first discussed as part of the Government’s plans to ease lockdown restrictions.

That goal has since fallen by the wayside. Acting Secretary for Health Caroline Edwards told a Senate committee investigating the COVID-19 pandemic response in May that there was no download target at all.

And while Australia’s low rate of community transmission provides few opportunities for use, the technical reliability of the app to transmit and collect data is still hotly debated.

Dr Lazar said contact tracing apps like COVIDSafe may provide the most benefit during a second wave of coronavirus infection, and that mass gatherings like the recent protests might provide a test for the app’s efficacy.

“It’s a scenario where you’re going to get anonymous close contacts, but it’s also a scenario where you may want a more privacy preserving approach,” he said.

The Digital Transformation Agency, which developed COVIDSafe, has released a number of updates to the app, including most recently the ability to download the app from non-Australian app stores — an important step, given the restriction risked preventing travellers, migrant workers and others from accessing the technology.

“The Australian community can have confidence the app is working securely and effectively, despite the lack of community transmission of COVID-19,” a DTA spokesperson said.

Article courtesy: www.abc.net.au

Unfixable Thunderbolt flaws bypass computer access security

A Dutch master’s student has found vulnerabilities in the Thunderbolt input/output port hardware design that let attackers fully bypass computer access security measures such as Secure Boot, login passwords and full-disk encryption.

Physical access to the computer is required, however, to perform the attack, which MSc student Björn Ruytenberg named Thunderspy.

The attack takes about five minutes, and leaves no traces otherwise.

Designed by Intel and Apple, and included in millions of Windows, Linux and Mac computers since 2011, Thunderbolt is a high-speed peripheral interconnect system that can daisy-chain up to six devices.

To achieve the high bandwidth of up to 40 gigabits per second, Thunderbolt devices use direct memory access (DMA), which researchers last year showed could be abused to fully take over computers.

Ruytenberg’s Thunderspy is a collection of seven vulnerabilities that break Intel’s Security Levels architecture for Thunderbolt versions 1, 2 and 3, which allows users to authorise trusted devices only.

On Macs, running Windows or Linux within Apple’s Boot Camp emulator disables all Thunderbolt security, making attacks trivial to perform.

By exploiting the vulnerabilities, Ruytenberg created nine practical exploits.

These allowed him to create arbitrary Thunderbolt devices, to clone already user-authorised ones and to obtain PCIe bus connectivity to perform DMA attacks.

It is also possible to permanently disable Thunderbolt security and block all firmware updates, Ruytenberg found.

Plugging in malicious Thunderbolt cables, USB-C to DisplayPort or HDMI video output dongles or external hard drives could let attackers break into the vast majority of recent laptops and desktops, if they have physical access to the devices.

Apple and Intel have been notified of the vulnerabilities, which appear to be unfixable as they are likely to require a hardware redesign.

To mitigate the Thunderspy vulnerabilities, Ruytenberg suggests implementing physical security if it isn’t feasible to disable the Thunderbolt controller entirely.

This includes only connecting your own Thunderbolt peripherals, and not lending them to anybody or leaving them unattended.

Users should not leave their systems powered on even with the screen lock enabled.

Suspend to disk hibernation or completely powering off systems instead of using suspend to memory sleep mode is also recommended for additional protection against Thunderspy exploitation.

Intel implemented kernel DMA protection last year which partially mitigates against Thunderspy.

The protective measure could reduce performance however, and in some cases causes compatibility issues with Thunderbolt devices that stop working, if their drivers don’t support DMA remapping.

Whether or not the most recent version 4 of Thunderbolt, introduced by Intel this year, is vulnerable is unknown at the moment.

USB 4 that was introduced last year supports Thunderbolt-based signalling, and Ruytenberg advised users to exercise caution until hardware designed with the new peripheral interconnect protocols has been tested to ensure the current vulnerabilities are addressed.

There could be further Thunderbolt vulnerabilities arriving, as Ruytenberg is continuing his Thunderspy research with a second part.

Ruytenberg has released the Spycheck free open source tool for Windows 7, 8.x and 10, and Linux kernel 3.6 and later, to help users find out if their systems are vulnerable.
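On Linux, the Thunderbolt Security Level and the kernel DMA protection state discussed above can be read from sysfs. The script below is an added example, not part of the original article and not the Spycheck tool; it assumes the kernel's Thunderbolt sysfs attributes `security` and `iommu_dma_protection`, and the `state=` labels are this example's own naming.

```shell
#!/bin/sh
# Added example: report, per Thunderbolt domain, the configured Security
# Level and whether kernel DMA protection (IOMMU remapping) is active.
# It only reads sysfs; it does not test for the Thunderspy flaws themselves.

# tb_domain_status DOMAIN_DIR
# Prints one line: <domain> security=<level> iommu_dma_protection=<0|1> state=<label>
tb_domain_status() {
    dom=$1
    sec=unknown
    dma=unknown
    # Older kernels may not expose iommu_dma_protection; keep "unknown" then.
    [ -r "$dom/security" ] && sec=$(cat "$dom/security")
    [ -r "$dom/iommu_dma_protection" ] && dma=$(cat "$dom/iommu_dma_protection")

    if [ "$dma" = "1" ]; then
        # The article describes this as a partial mitigation only.
        state=kernel-dma-protection
    else
        case "$sec" in
            # Levels in which the firmware does not tunnel PCIe at all.
            dponly|usbonly|nopcie) state=pcie-tunnel-off ;;
            # none/user/secure: PCIe tunnelling is possible and the only
            # gate is the Security Levels scheme the article says is broken.
            *) state=security-level-only ;;
        esac
    fi

    printf '%s security=%s iommu_dma_protection=%s state=%s\n' \
        "$(basename "$dom")" "$sec" "$dma" "$state"
}

# tb_audit [SYSFS_ROOT]
# SYSFS_ROOT defaults to /sys; another root lets the function be exercised
# against a constructed directory tree instead of real hardware.
tb_audit() {
    root=${1:-/sys}
    found=0
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        found=1
        tb_domain_status "$dom"
    done
    [ "$found" -eq 1 ] || echo "no-thunderbolt-domain"
}

tb_audit "$@"
```

A `state=security-level-only` line marks a machine where the physical-security and power-off advice above matters most.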

Article courtesy: www.itnews.com.au

COVIDSafe privacy protections now locked in law

The privacy protections behind Australia’s COVIDSafe contact tracing app are now enshrined in law after the underpinning legislation passed through parliament with minor improvements.

The Privacy Amendment (Public Health Contact Information) Bill cleared the senate without amendments on Thursday morning, two days after it was introduced by the government.

The legislation seeks to allay privacy concerns within the community, replacing an interim determination issued under the Biosecurity Act when COVIDSafe was launched last month.

It introduces strict penalties of up to five years’ jail for those that collect, use, disclose (including outside of Australia) or decrypt COVIDSafe data for any purpose other than contact tracing.

The legislation also makes it illegal to force someone to use COVIDSafe and outlines the data handling requirements expected of the health department and Digital Transformation Agency.

Since the draft legislation was released last week, Labor has secured several amendments to improve the laws after constructive engagement with attorney-general Christian Porter.

“This is now a stronger and better piece of legislation as a result of constructive engagement between Labor and the government,” shadow attorney-general Mark Dreyfus said on Tuesday.

Improvements include “greater clarity about what data is protected”, restrictions on law enforcement becoming the COVIDSafe data store administrator and six-monthly public reporting requirements about COVIDSafe’s operation.

The bill also gives the Office of the Australian Information Commissioner “greater oversight” of the app and the data it collects, and ensures the office can investigate privacy breaches even when they overlap with a law enforcement investigation.

“To be clear: this bill will introduce the strongest privacy safeguards that have ever been put in place by any Australian parliament,” Dreyfus told the house of representatives on Tuesday.

“That is despite the fact that the COVIDSafe app is voluntary and the data that it collects is, compared to other personal information that’s routinely collected by governments and corporations, relatively innocuous. This bill takes privacy seriously.”

But serious questions over the app’s effectiveness remain, which Labor, the Australian Greens and Centre Alliance have argued cannot be addressed by legislation alone.

These include technical issues with COVIDSafe’s Bluetooth performance on iOS, which the DTA has admitted could limit the app’s effectiveness capturing ‘digital handshakes’ with other devices.

The DTA’s decision to hand Amazon Web Services the contract for the COVIDSafe app and national data store using a limited tender process has also been questioned.

Labor has insisted that Australian-owned providers offering protected-level cloud services like Sliced Tech, Macquarie Telecom and Vault should have been given the opportunity to bid for the contract.

DTA CEO Randall Brugeaud last week gave some reasoning for the selection, with the contract covering hosting, development and operation of the COVIDSafe app and national data store.

This line was reiterated by foreign affairs minister Marise Payne on Wednesday, who said “the contract with AWS is a combination of hosting, development and operational services, which is more extensive than services provided by pure hosting providers”.

“While there are several Australian cloud providers that could have provided elements of the service that AWS has provided, AWS’s ability to scale very quickly in this pandemic context and to provide a broader range of services is beneficial for the purposes to which the COVIDSafe app is to be put.

“In relation to the CLOUD Act, any transfer of data to any country outside Australia will constitute a criminal offence under the provisions of the bill and attract a penalty of five years imprisonment.”

After a short debate on Thursday morning, the bill was passed after Labor opposed any further amendments to the legislation, including the introduction of a strict sunset clause.

“Labor believes that there is a strong public interest in putting these privacy protections in place as soon as possible, and so Labor will not be supporting any amendments that delay the passage of this bill,” Labor senator Murray Watt said.

More than 5.6 million Australians have now downloaded and registered for COVIDSafe since it was released two-and-a-half weeks ago.

Deputy chief medical officer Paul Kelly on Wednesday said that the portal allowing state and territory health officials to access data collected by the app was now up and running.

He said all agreements with states and territories had now been signed and that health professionals involved in the contact tracing process had been trained to use the portal.

The DTA released the source code for COVIDSafe app late last week, but will not be releasing the code that relates to the national data store.

Article courtesy: www.itnews.com.au

Scammers would no longer be able to spoof tax office numbers

The Government claims to have “comprehensively disrupted” scammers pretending to be from the Australian Taxation Office through a technology trial run in collaboration with telcos.

Communications Minister Paul Fletcher said the ATO received over 107,000 reports from the community of impersonation scams in 2019 alone.

The scam calls appeared to come from legitimate – and widely publicised – phone numbers normally used by Australians wanting to call the tax office.

The scammers used software “to mislead the caller line identification CLI technology … of most mobile phones and modern fixed line phones,” the Government said.

“Rather than transmitting the actual phone number the call is coming from – frequently an overseas number – instead they ‘overstamp’ it with another phone number.”

“At the Government’s request, Australia’s telcos joined together with the ATO and Australian Communications and Media Authority (ACMA) on a three-month trial of technology to block these scam calls appearing to originate from legitimate ATO phone numbers,” Fletcher said.

“Our Government was determined to act to stop these scammers preying on Australians and using a spoofed ATO number as part of their scam.”

The exact technology used in the trial was not disclosed, but in general terms, Fletcher said that “the participating telcos used software to identify calls which had been overstamped with the specified ATO phone numbers – and blocked them.”

Though he said the trial “has been highly successful”, Fletcher cautioned that it would not stop scammers from “randomly ringing Australians pretending to be from the ATO.”

“[But] it will stop specific ATO numbers appearing in the CLI display on the recipient’s phone, thus making the scam seem much less convincing,” Fletcher said.

The Government urged Australians that received a suspicious call to “hang up and ring the organisation directly by finding them through a trusted source, such as a past bill or online search.”

“If you are not sure that an ATO interaction is genuine, don’t reply to it and phone 1800 008 540,” it said.

The action falls under the Government’s broader Scam Technology Project, which is attempting to act on scam calls on Australian telecommunications networks.

As part of the project, the Communications Alliance is developing an industry code that “will mandate steps the telcos must take to identify, trace and block scam calls, and create an information-sharing framework for telcos to work with regulators against phone scams,” the Government added.

Article courtesy: https://www.itnews.com.au/

Cybercriminals are scamming by impersonating Australia Post again!

What’s happened?

Previously, we saw cybercriminals scamming through text messages by impersonating Australia Post.

This time the scammers are using emails which falsely claim a package hasn’t been delivered due to its weight exceeding the limit, and which include a link to click on to ‘Pay fee’ or seek ‘Further information’.

These links lead to a fake Australia Post website requesting personal and financial information.

How do I stay safe?

Note that Australia Post will also never email or text message you asking for personal information, financial information or payment.

  • If you receive one of these messages, delete it and don’t respond.
  • If you are ever unsure of the legitimacy of a message, contact the business it claims to be from separately to check if they are likely to have sent the message. Use contact details you find through a legitimate source, like the business’s official website, and not those contained in the suspicious message.
  • If you’ve sent personal or financial information to a scam email address or entered it into a scam website and you’re worried your identity may have been stolen, you can contact ID CARE, Australia’s free national identity and cyber support service, on 1300 432 273. ID CARE also has an ID CARE factsheet for customers impacted by Australia Post SMS scams.

We encourage you to share this information with your family, friends and colleagues.

Article courtesy: www.staysmartonline.gov.au

Continued widespread reports of COVID-19 malicious scams

What’s happened?

We previously warned you about COVID-19 themed scams, and since then the cybercriminals have not stopped. Instead, there has been a significant increase in reports, including those received by the ACCC.

On average each month, the ACSC receives about 4,400 cybercrime reports through ReportCyber and responds to 168 cybersecurity incidents.

Since 10 March, the ACSC has:

  • Received more than 95 cybercrime reports (approximately two per day) about Australians losing money or personal information to COVID-19 themed scams and online frauds,
  • Responded to 20 cybersecurity incidents affecting COVID-19 response services and/or major national suppliers in the current climate, and
  • Disrupted over 150 malicious COVID-19 themed websites, with assistance from Australia’s major telecommunications providers, as well as Google and Microsoft.

The ACCC’s Scamwatch has received 1,100 reports about COVID-19 themed scams from individuals and businesses losing money or personal information to online frauds across Australia.

These scam campaigns are often complex, with cybercriminals working on their scams within days – sometimes even within hours – of government announcements such as relief payments or public health guidance.

Visiting these fake websites or clicking on malicious links may also automatically install computer viruses or malware onto your device, giving cybercriminals the ability to steal your financial and personal information.

These scams have continued to increase over the past month and the ACSC strongly encourages organisations and individuals to remain alert and follow advice on how to protect yourself and your business.

If you’re concerned your personal details have been compromised, you can reach us at 1300 660 368 and one of our team members can help you stay safe from phishing attacks.

Article courtesy: www.staysmartonline.gov.au

Will the Government’s coronavirus app COVIDSafe keep your data secure?

The Government’s contact-tracing app COVIDSafe aims to help track down people who may have been exposed to COVID-19.

But like any smartphone app, it raises privacy and security questions, especially because of the data the platform collects.

Downloading the app is voluntary, but the Government has previously said 40 per cent of Australians — or 10 million people — need to take up the contact-tracing app for it to be a success (although they have not shared the modelling behind this number).

The Government hasn’t yet released the app’s source code and new legislation governing its use has yet to be shared. But that hasn’t stopped researchers from digging into both the technical and legal implications of this unprecedented bit of software.

We’re sure to find out more in the coming days. But let’s take a look at what we know about the app for now, and where any issues may arise.

What data does the COVIDSafe app share and collect?

First things first: COVIDSafe does not collect your location.

When you sign up for the app, you will enter your name (it can be a pseudonym), age range, postcode and phone number.

This creates an encrypted code, which is then shared over Bluetooth with other COVIDSafe apps you come into close contact with.

These IDs are encrypted and stored on the app for 21 days.

The app will also make a record of the date and time that digital “handshake” occurred, its duration and the proximity of contacts.

“My personal view is that the data is being captured. It is suitably anonymised, suitably protected and access to it is reasonably restricted,” said Paul Haskell-Dowland, associate dean for Computing and Security at Edith Cowan University.

“The opportunity for misuse is incredibly small.”

But it’s also sharing your phone make and model?

Software engineer Robert Merkel has taken a look at the app. (You can dig into some more analysis by Dr Merkel and colleagues here.)

In the Bluetooth messages that are sent to other phones, he found COVIDSafe also shares the phone’s make and model.

This information about the phone model appears to be sent unencrypted over Bluetooth, which means it could be intercepted and create a certain level of privacy risk if someone was determined to track you (he said this is not a huge risk).

“The protocol transfers your phone make and model ‘in the clear’ to everyone,” he said. “It doesn’t have to be the official COVIDSafe app to receive it.”

Singapore’s app TraceTogether also collected this data, and unlike in Australia, it explained why in its terms of service.

“In order to measure distance, information about the phone models and signal strength recorded is also shared, since different phone models transmit at different power,” it said.

A spokesperson for Government Services Minister Stuart Robert did not comment on Dr Merkel’s analysis, but said “the exchange of the encrypted user ID uses a standard Bluetooth exchange”.

“The Government has been quite clear around the level of work that has gone into ensuring security for the app and information stored.”

Is it safe to have Bluetooth on all the time?

Nothing digital is 100 per cent secure, and neither is Bluetooth.

This technology opens a channel for two devices to communicate — your phone and a wireless headset, or now, two phones with the COVIDSafe app.

But this communication can also allow vulnerabilities to creep in.

Often these issues are fixed in software updates. So, before using COVIDSafe and turning on Bluetooth, Dr Merkel advised people to make sure their phones are using the latest operating system.

In general, the likelihood of Bluetooth attacks being used against random individuals is low, he suggested, but everyone who downloads the app will have to decide that risk for themselves.

Who can see my data if I’m diagnosed with COVID-19?

If you’re diagnosed with COVID-19, health officials may ask you to upload to a central server the 21 days’ worth of anonymised IDs your app has stored for contact tracing.

The people you’ve been in close contact with won’t be told your name. But health officials may then call your close contacts and advise them to isolate or get tested.

On Sunday, Health Minister Greg Hunt shared a determination under the Biosecurity Act to protect people’s privacy and restrict access to app information to state or territory health authorities only for the purpose of contact tracing.

But legal experts said that should be a stopgap only, as a “determination” can be amended or repealed at any time.

“Legislation would be better than a non-disallowable instrument. But it is better than no law at all,” said Graham Greenleaf, professor of law and information systems at the University of New South Wales.

“Legislation should be enacted by Parliament as soon as possible.”

The determination also bars law enforcement or other federal agencies from being able to access the app’s information, but some questions remain about the strength of this prohibition.

Chief Medical Officer Brendan Murphy said on Monday that the Federal Government had no access to any of the data.

“We have locked this down so completely, so thoroughly with the biosecurity bill and legislation that is coming,” he said.

“This app will only ever be used by public health officials [for] the purposes of contact tracing.”

In a statement, however, Law Council of Australia president Pauline Wright warned there was some potential legal ambiguity around whether laws authorising the law enforcement and intelligence warrants “could override” the determination’s prohibition on access.

“The determination under the Biosecurity Act 2015 applies despite any other law,” Mr Robert’s spokesperson said.

Minister Hunt has indicated legislation concerning COVIDSafe will be introduced in May, when Parliament resumes.

Who makes sure the app is used properly?

The Government has encouraged all Australians to download COVIDSafe, but according to the Law Council of Australia, the determination “makes no provision for oversight and reporting on its use”.

There is no clear oversight of COVIDSafe, agreed Kimberlee Weatherall, technology law professor at the University of Sydney.

“There is no oversight and no reporting built in,” she said.

“So no mechanism by which we can see how it is used, or get reports on whether it is effective.”

However, an individual with a complaint about their privacy could potentially go to the Office of the Australian Information Commissioner.

When will the app be switched off?

While you can delete the app at any time, it’s unclear when it will be officially switched off.

The Government says users will be prompted to delete the app from their phone “at the end of the Australian pandemic”.

The data held on the central storage database will also be destroyed then, but it’s unclear whether this will be mandated by the May legislation.

If you’ve had data uploaded from the app to the central server, you can also request that be deleted here.

Will my data be kept in Australia?

Last week, the ABC reported that data from the contact tracing app would be stored by the American technology giant Amazon Web Services.

Mr Hunt’s determination through the Biosecurity Act prohibits transferring data to any country other than Australia.

Article courtesy: ABC News (www.abc.net.au)