TL;DR: Don’t stop using the app. It’s not unsafe enough to warrant jettisoning entirely, and the pandemic is a much, much higher concern.
Safer Illinois is, according to their website, the official COVID-19 app for the University of Illinois in Champaign County. Safer Illinois was developed by a platform called Rokwire, which is made by a company called Rokmetro, which also publishes a Safer Community app.
Unlike the apps I discussed last year, Safer Illinois and Safer Community aren’t fake contact tracing apps. They’re the real deal.
To make life simpler, I’m going to focus my investigation on Safer Illinois, since that project is open source on Github. I suspect the same findings will affect Rokmetro’s Safer Community app too.
How Safe is Safer Illinois, According to Rokwire?
Safer Illinois claims to have been reviewed by:
Safer Illinois FAQs Webpage
- Technology Services (NIST 171 review, May 2020)
- Task Force on the Security of the COVID-19 Code in Safer Illinois (Electrical and Computer Engineering (ECE); Computer Science (CS); iSchool; NCSA; Information Trust Initiative (ITI)) – Masooda Bashir (iSchool), Nikita Borisov (ECE), Chieh-Li Chin (administrative support), Jana Diesner (iSchool/NCSA/ITI, Chair), Karrie Karahalios (CS), Robin Kravets (CS), Kirill Levchenko (ECE), Madhusudan Parthasarathy (CS)
- Security Analysis of Rokwire Exposure Notification and Health Status Card – Andrew Miller (ECE) and CoTracer Team (ECE)
- Rokwire Data Privacy Advisory Committee – Faye Jones (Law, Chair), Anita Balgopal, (Office for the Protection of Research Subjects), Meghan Hazen (Registrar, FERPA Steward), Masooda Bashir (iSchool), Lisa Hinchliffe (iSchool/Library), Dave Grogan (University Compliance), Andrea Schneider (University Counsel ex-officio), Joe Barnes (Chief Privacy and Security Officer ex-officio), William Sullivan (Smart Healthy Communities Initiative ex-officio), Mike Bohlman (Senate IT subcommittee ex-officio)
- Office of University Counsel
- Office of the Vice Chancellor for Research & Innovation
- Information Technology Accessibility Initiative
- Siebel Center for Design – Rachel Switzky (SCD, Director), Vidya Haran (Business Administration), Karla Sanabria Véaz (Linguistics), Simrun Sethi (Art & Design), Nick Puddicombe (SCD), Nancy Qu (SCD)
The Safer Illinois Privacy FAQs page goes on to state:
The Safer Illinois App has been built from the first day with privacy as a foundation. We take three specific actions that promote privacy in the Safer Illinois App:
Safer Illinois FAQs Webpage
- Privacy by Design. Everything we build has privacy, consent, and choice designed in from the beginning.
- Audit. We are engaging in an NIST SP 800-171 security audit of the App. We plan an additional audit during the 2020-2021 academic year that will compare our privacy goals and public statements to the functioning of the code.
- Share and Engage. We share the results of these audits with the campus and will state publicly how we intend to respond to any issues identified in the audits.
Under the “What are my data security and privacy protections when using the Safer Illinois app?” question in their FAQ page, they include this handy infographic that I’ve taken the liberty of modifying for my blog’s theme.
The web page continues:
The University uses industry best practices in data security to minimize risks to user personal data through data loss, misuse, unauthorized access and unauthorized disclosure and alteration.
In short, the Safer Illinois website wants to sell you on the notion that this app has been independently reviewed by a lot of experts, was built with privacy and security in mind, and is undergoing an expensive NIST SP 800-171 audit.
Data Encryption in Safer Illinois
From a quick grep of the source code, we can see that data in Safer Illinois is either encrypted client-side with:
- AES in ECB mode (source)
  - You’d think the ECB penguin would be common knowledge by now
- AES in Counter mode (source)
- Whatever Flutter Provides (see below)
- Not at all (plaintext)
Not only do ECB and CTR mode fail to provide any measure of IND-CCA2 security (see also: The Cryptographic Doom Principle), their use is unlikely to pass a realistic security audit.
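To make the malleability point concrete, here is an added example (not code from Safer Illinois, Rokwire or GAEN) using Go's standard library: a ciphertext is modified in transit without the key, AES-CTR decrypts it to the altered text with no error, and AES-GCM refuses it. The `consent=` record and all function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// flip edits ciphertext without the key, given a guess at the plaintext.
func flip(ct, known, wanted []byte) {
	for i := range known {
		ct[i] ^= known[i] ^ wanted[i]
	}
}

// viaCTR encrypts pt with AES-CTR, alters it in transit, then decrypts.
func viaCTR(blk cipher.Block, pt, wanted []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	ct := make([]byte, len(pt))
	cipher.NewCTR(blk, iv).XORKeyStream(ct, pt)
	flip(ct, pt, wanted)
	cipher.NewCTR(blk, iv).XORKeyStream(ct, ct) // decryption has no way to fail
	return ct
}

// viaGCM repeats the experiment with AES-GCM; Open verifies the tag first.
func viaGCM(blk cipher.Block, pt, wanted []byte) ([]byte, error) {
	aead, _ := cipher.NewGCM(blk) // AES block size: cannot fail
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	ct := aead.Seal(nil, nonce, pt, nil)
	flip(ct, pt, wanted)
	return aead.Open(nil, nonce, ct, nil)
}

// demo runs both modes over a constructed record (not the app's format).
func demo() (string, error) {
	key := make([]byte, 16)
	rand.Read(key)
	blk, _ := aes.NewCipher(key) // 16-byte key: cannot fail
	pt, wanted := []byte("consent=no "), []byte("consent=yes")
	_, gcmErr := viaGCM(blk, pt, wanted)
	return string(viaCTR(blk, pt, wanted)), gcmErr
}

func main() { fmt.Println(demo()) }
```

The CTR receiver ends up with `consent=yes` and no indication anything changed, while the GCM receiver gets an authentication error and no plaintext.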
It’s tempting to blame Safer Illinois entirely for this, but the problems were inherited from the GAEN protocol used by Safer Illinois–for which successful attacks were published in October 2020.
Contact-Tracing Protocol Vulnerabilities (CVE-2020-24722)
There are several issues specific to the GAEN protocol that can be used to inflate a victim’s risk score or fingerprint devices (which is a successful deanonymization attack). You can read all about these attacks on Full Disclosure.
GAEN isn’t the only game in town. The TCN Protocol uses Ed25519 and a ratcheting protocol. At one point, the UK’s NCSC had specified AES-GCM for their contact-tracing proposal (although my friend in Scotland informs me they dropped it in favor of GAEN–likely due to compatibility and standardization).
In my opinion: Standards be damned, friends don’t let friends write broken crypto.
Diving Deeper, Hearts a-Flutter
Speaking of broken cryptography, Safer Illinois builds upon a framework called Flutter, which uses:
- Unauthenticated AES-CBC mode
  - Hello, Vaudenay’s 2002 CBC padding oracle attack!
  - with NULL Initialization vectors, too.
- RSA encryption with PKCS#1 v1.5 padding
- And some weird scheme involving a hard-coded key.
Via dex2jar and Luyten:
final SharedPreferences sharedPreferences = edit.getSharedPreferences("FlutterSecureKeyStorage", 0);
edit = (Context)sharedPreferences.edit();
final String string = sharedPreferences.getString("VGhpcyBpcyB0aGUga2V5IGZvciBhIHNlY3VyZSBzdG9yYWdlIEFFUyBLZXkK", (String)null);
Full disclosure: I stopped looking into the hard-coded key around the time I typed this string into Google and discovered several results from other projects. This is weird. Weird and stupid.
Naturally, Safer Illinois uses these broken algorithms to encrypt health information.
Safer Illinois also verbosely logs everything–including keys–in plaintext.
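An added example, not taken from Flutter or the app, of what an all-zero IV costs CBC mode on its own: two constructed records that share a first block produce the same first ciphertext block, so anyone holding both ciphertexts learns that the plaintexts begin identically. The records and function names are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// cbc encrypts pt (already a multiple of 16 bytes) under the given IV.
func cbc(blk cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return ct
}

// sharedPrefixBlocks counts the leading ciphertext blocks two messages have
// in common, which any holder of both ciphertexts can compute.
func sharedPrefixBlocks(a, b []byte) int {
	for n := 0; ; n++ {
		lo, hi := n*16, n*16+16
		if hi > len(a) || hi > len(b) || !bytes.Equal(a[lo:hi], b[lo:hi]) {
			return n
		}
	}
}

// compare encrypts two constructed records that differ only in their second
// block, first under an all-zero IV, then under fresh random IVs.
func compare() (zeroIV, randomIV int) {
	key := make([]byte, 16)
	rand.Read(key)
	blk, _ := aes.NewCipher(key) // 16-byte key: cannot fail
	m1 := []byte("name=Alice Smith;status=pending.")
	m2 := []byte("name=Alice Smith;status=cleared.")
	zero := make([]byte, 16)
	zeroIV = sharedPrefixBlocks(cbc(blk, zero, m1), cbc(blk, zero, m2))
	iv1, iv2 := make([]byte, 16), make([]byte, 16)
	rand.Read(iv1)
	rand.Read(iv2)
	randomIV = sharedPrefixBlocks(cbc(blk, iv1, m1), cbc(blk, iv2, m2))
	return
}

func main() { fmt.Println(compare()) }
```

With the zero IV one block matches; with per-message random IVs none do, which is the property a fixed IV throws away.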
Safer Illinois is Data Hungry
That’s a lot of cryptography nerd talk. How about some lower hanging fruit?
Pop quiz! What does an app that collects information about your COVID-19 status (and performs Bluetooth-based contact tracing if someone tests positive) need with the following information?
- Home address
- Marital Status
- Residential Status
- Driver’s License Detailed information
Answer: It doesn’t really need any of it, yet it still collects it if it can.
There are other fields that it captures besides these ones, but they’re less interesting. You can make the argument for date of birth or sex being medically relevant.
I don’t see what, e.g., one’s religion, nationality, or marital status has to do with safety against the COVID-19 pandemic. This data collection is extraneous and potentially dangerous in the wrong hands.
Plaintext Transmission of PII to University Servers
In another part of the Safer Illinois app, Personally Identifiable Information (PII) is blatantly JSON encoded without encryption and uploaded to the user profile of a remote service.
It’s worth emphasizing: There is no client-side encryption on this PII. Not only did I look at the source code on Github, but I reverse engineered their Android app to make sure it wasn’t introduced through some abstraction layer. It’s not even using the weaksauce modes provided by Flutter!
The only meaningful encryption provided by Safer Illinois is for the HTTP requests and responses–which are presumably protected by TLS, just like my blog posts. (Let’s hope they configured that correctly.)
How Safe is Safer Illinois Really?
Let’s revisit that fancy graphic from above.
With only a casual review of the Safer Illinois source code and decompiled Android app, I was able to confirm that the Encrypted Data layer is complete bunk, and that the De-Identified Data is at best overconfidence.
Additionally, the innermost layer (Protect Your Device) is basically, “Don’t lose physical access to an unlocked phone.” That’s not a meaningful security or privacy control beyond the usual administrative practice of tut-tutting at college students.
Given that PII is transmitted to the server without client-side encryption, we can unfortunately rule Control Your Privacy out too. You have no way of verifying that your data is ever deleted server-side, because any mechanism for doing so is susceptible to spoofing attacks if the server is malicious or compromised.
That’s 4 down, 1 to go, and we can’t test the last one without violating the Computer Fraud and Abuse Act of 1986, which I’m not about to do. So who really knows? Let’s give that point to them.
For the sake of the University students that have to use this app to attend class in person, I sure hope the outermost layer of this onion holds true–but that’s an awful lot of trust to put in only one layer of their security onion.
Forget the NIST audit; the Safer Illinois app needs a lot of development work. Focus your money on that first, and then you can pursue your shiny audit paperwork later.
Even if you totally forgive the reliance on unauthenticated ECB/CTR in the contact tracing protocol that Google and Apple published in early 2020, the Safer Illinois app simply fails to provide the level of privacy assurance that it tries very hard to sell to students on their website.
To meet the expectations set by their FAQ page:
- PII should be encrypted with client-side encryption, using a secure mode (e.g. AES-GCM), with keys that do not leave the device.
- Wherever asymmetric cryptography is warranted (e.g. for limited sharing with user consent), don’t use RSA in an insecure padding mode.
If their website was a little more humble, this app wouldn’t be such a bitter disappointment.
That being said:
If you’re a University student that has to use this app: DO NOT stop using the app.
Getting the COVID-19 pandemic under control is a much higher priority than meeting the security bar of a cryptography blogger with a fursona. These are fixable weaknesses.
If you’re worried about their lack of client-side encryption for PII uploaded to their server, talk to the developers and your University. Pressure them to solve this problem (correctly).
If you’re worried the University will somehow screw the cryptography implementation up, tell them to ask me to review it. I’ll be sure to update this blog post if I’m given the chance.
Vega Deftwing of Opinionated Guides had the curiosity and initiative to ask about the security of the Safer Illinois and Safer Community apps. The Internet becomes a safer place for everyone the more people allow themselves to be curious about the security of the tools, products, and services that underpin our modern society.