The University of Nebraska-Lincoln earlier this week announced it would no longer require students, faculty and staff to use the Safer Community app to enter buildings on campus.
Chancellor Ronnie Green, in an email Wednesday, said the app will still be used in the spring semester to notify members of the UNL community if they have been selected for random COVID-19 testing, as well as to schedule a time they can submit a saliva sample.
But a key feature of the app — the option for users to receive notifications if they were exposed to someone who tested positive for the coronavirus — was quietly deactivated by developers in November after potential security liabilities were discovered.
The opt-in system wasn't widely used among students and staff, UNL said, and the university continued to rely upon the Lincoln-Lancaster County Health Department for contact tracing.
The problems were first noticed by student Vega Carlson, who became interested in what was under the hood of the Safer Community app when he found the product developed by Rokmetro to be “kind of a buggy mess” earlier this year.
“It just doesn’t work how it should,” said the senior computer and electrical engineering major from Ashland. “I’ve done this long enough that you kind of get a spidey sense for when something is indicative of bigger issue.”
Carlson located an open source code in an online repository for Safer Illinois, a nearly identical app to those used by UNL and the University of Wisconsin-Madison, and immediately noticed something was off.
He shared the link with a senior security engineer he met online, who quickly documented “several critical issues" within the app's security despite claims by Rokmetro it had gone through several layers of review.
Some of the problems stemmed from Rokmetro’s own code, the engineer found, while others originated “upstream,” or in products made by other companies such as Google that were integrated into the app — problems that, while unintentional, were exploitable.
“I don’t think they had the security expertise they needed to make something like this,” Carlson said.
The engineer, who goes by “Soatok” on GitHub, the online repository for software code, outlined the vulnerabilities in the Safer Illinois app in an Aug. 17 blog post, and Carlson flagged the bugs for Rokmetro’s development team on the page where the code was initially posted.
Usually, developers will go right to work fixing the problems, Carlson said. Other times, particularly with open source projects, the original developer might seek help from the community in debugging the code.
Neither of those paths happened in this case, Carlson said. Instead, Rokmetro went radio silent.
It would take nearly a month — Sept. 13 — before a Rokmetro developer acknowledged the problem and another month for the Champaign, Illinois-based company to say it was working on a fix.
Rokmetro, which did not respond to an email from the Journal Star seeking comment, then marked the issue “closed” Oct. 26 without divulging what — if anything — had been fixed, something Carlson said is highly unusual.
The next day, Carlson said he contacted Bret Blackman, vice president for information technology and the chief information officer at NU, to inform him about the potential security issues created by using the app.
“It took me a long time to report it to the university, because I was hoping (the developers) would just take care of it,” Carlson said.
Once UNL learned of the issue, it scanned the system looking to see if any of the vulnerabilities had been exploited, but found none, spokeswoman Deb Fiddelke said Thursday.
"We took it seriously and ran analysis," said Fiddelke, UNL's chief communications officer. "No data was ever breached."
Shortly after Carlson took his concerns to NU officials, Rokmetro deactivated the exposure notification feature on the Safer Community app Oct. 29.
Carlson said he was disappointed the company chose to remove what he believes is a helpful function in keeping the UNL community safe, rather than try to patch the potential security risks.
"They've had plenty of time to fix it, and instead of actually fixing it, they just said 'Let's remove a feature that matters,'" he said.
Beginning in the spring semester, the app will be used by members of the UNL community solely to schedule COVID tests.
The change comes amid the emergence of new and potentially more transmissible COVID variants, Green said in a email to campus Wednesday.
Top Journal Star photos for November
Top Journal Star photos for November
Top Journal Star photos for November
Top Journal Star photos for November
Top Journal Star photos for November
Bad Seed: Mead's fight against a toxic ethanol plant
Taylor Daum shows the Safer Nebraska app that has been used as part of COVID-19 testing on the University of Nebraska-Lincoln campus. Come this spring, UNL will only use the app to notify students and staff if they have been selected for random testing, as well as to schedule a time they can submit a saliva sample.