COVIDSafe Tries to Indefinitely Connect to Every Device It’s Handshaked Thanks to Yet Another Bug

covidsafe bugs coronavirus
Image: Getty Images

COVIDSafe is probably not the promised ‘sunscreen’ all Australians need to weather the coronavirus pandemic. It could still prove to be a useful tool to help health authorities with contact tracing efforts, but a new critical bug is undermining that.

The bug affects Apple devices and was spotted by independent developer, Richard Nelson, who’s uncovered a number of other COVIDSafe bugs previously.

Once a device — with the app installed and Bluetooth switched on — completes a successful ‘handshake’ with another device, it will attempt to reconnect with it indefinitely once it’s out of range.

“When devices go out of range or switch identifier, these connections will stay pending indefinitely,” Nelson wrote.

Another independent developer, Jim Mussared, had conducted testing showing this could happen with hundreds of devices and could be part of the reason some users are reporting difficulty connecting other Bluetooth devices, like smartwatches and headphones, when the app is switched on.

As devices are changing their ‘handshake’ identifiers every few minutes, the bug causes a single device to indefinitely reconnect with multiple addresses of the same device.

“The important thing is that every phone changes its address every 10-15 minutes, and they become essentially a ‘new device’. So you can ‘see’ 100 devices in a few hours even if there are only a few devices running COVIDSafe around,” Nelson told Gizmodo Australia over email.

But Bluetooth-run devices also connect with phones through these addresses. Nelson believes there’s a limit to how many connections can run concurrently, around 100, at any one time so the bug could be preventing your smartwatch from also connecting and more damningly, stopping further contacts from being identified by the app.

The issue was first raised by Nelson on July 6 and a COVIDSafe support member responded the following day, acknowledging the team would look into it. Eleven days later, however, there’s still been no update on whether there is a fix on the way.

It comes amid a major outbreak in Victoria, totaling thousands of active cases. The app’s success during this first test has been minimal with the state’s chief health officer, Brett Sutton, stating it had not identified a close contact that manual contact tracers hadn’t already found.

“The app has not added a close contact that we haven’t found through our, you know, very extensive, long-form interview that takes an hour or more, where we go through every single setting and encounter that people have,” Sutton said at a press conference on July 15.

“There are over 300 people who have had [COVIDSafe] downloaded, who we’ve followed up as cases but as I’ve emphasised many times … policy settings in Victoria, where people are just at home with their immediate family so they are not going to large gatherings, they are not going to stand next to strangers for 15 minutes or more, and so the COVIDSafe app is not going to flag those interactions.”

Aside from affecting the app’s ability to function as intended, the persistent bugs have another negative downside — they do further damage to public confidence in COVIDSafe. If there’s a perception the app doesn’t work then a high uptake will be even harder to manage. Without a high uptake, the $2 million app will struggle to prove its worth and worse still, will fail to help Australia’s fight at limiting the spread of a deadly pandemic.

Gizmodo Australia has contacted the Digital Transformation Agency (DTA), the government agency behind the app, for a timeline on the fix and will update once it responds.