How Terra canum Pte Ltd and Cyberstorm.mu discovered a security problem in Contact Tracing (OpenTrace)

Prelude

As many of you are aware, cyberstorm.mu members have been busy working on Coronamapp, the original application meant to help minimize in-person interactions between doctors and patients. While we faced resistance to releasing it in Mauritius, the government of Reunion Island welcomed us by providing us with access to doctors and reducing the paperwork to be done. We completed the work professionally and got valuable feedback on how to improve our application. Unfortunately, we still lacked contact tracing.

Introduction

During the last IETF, I was in Singapore, where one of my good friends, Harrison Grundy, is currently based. Harrison Grundy is a FreeBSD contributor with a strong technical background who has worked in oil and gas companies and financial institutions throughout the world. You use FreeBSD every time you turn on Netflix at home. FreeBSD is used to send the movies to you. We spent the IETF week hanging out around Singapore. After I got back to Mauritius, I heard the news of the now infamous “Coronavirus”. I didn’t pay particular attention at first as I thought that it would die out on its own.

Start of the epidemic in Mauritius

Fast forward to March when the first cases were announced in the media. Our team immediately implemented the CoronaMapp application to help patients report their symptoms to doctors. We have been happy to see successful results in Reunion Island. However, since we lacked the contact tracing bits, I reached out to Harrison. Thankfully, he responded positively and we began working on options, figuring out how to adapt what other countries were doing to the problems in Mauritius. As soon as Singapore released OpenTrace to the world, we worked together to bring in our enhancements and do a security audit.

 

Why a security audit?

Many organizations in Mauritius and elsewhere have jumped on the code released by the government of Singapore. We have different concerns in mind. Our concern was that since there was intense pressure to develop contact tracing, there could be security problems. And we hit right on target.

 

Privacy & security issue

After auditing the spec and the code, we discovered a case where some of the data being encrypted could be tampered with, which reduces the security of the application and impacts the privacy of people using the application. Harrison Grundy contacted MITRE, which started the process to assign a CVE, which is a security code for a particular security flaw. We are working closely with the government of Singapore to ensure that the proper security patch is accepted. However, due to the sensitive nature of contact tracing, we cannot publish the full details as of now. It would require coordination to contact all of the companies/governments who have taken the code and shipped with it, including the security flaws. The security audit is not over!

//Loganaden Velvindron

(On behalf of cyberstorm.mu team)