Deccan Chronicle

Hacker red flags loopholes in Aarogya Setu app

Techie says app reveals Covid patients’ location; Centre denies flaws, but ‘fixes’ them later

- ADITYA CHUNDURU | DC

A French ethical hacker on Wednesday alleged that Aarogya Setu, a Covid-19 contact tracking app promoted by the Central government, has security issues, which could allow attackers to access data of infected patients in any area of their choice.

He later claimed the Aarogya Setu team has quietly fixed the issue he flagged. He said the app, until yesterday, allowed attackers to check data of infected and unwell persons in any radius of choice.

“I was totally possible to use a different value than the five hardcoded values, They even admit that the default value is 1 km, so they did change in production after my report (sic),” he said.

He added he was happy the developers answered to his original report quickly, and even fixed some of the issues. However, he criticised them for denying the problem in the first place.

The Aarogya Setu team said information related to Covid-19 patients is already public and does not compromise on personal or sensitive data of the app users.

Robert Baptiste, better known by his Twitter handle “Elliot Alderson”, said attackers could use the flaw in the Aarogya Setu app to find the number of infected and unwell people at the Prime Minister’s Office (PMO), Indian Army Headquarters, Parliament and the Home Ministry’s Office while sitting in France.

The ethical hacker also said that he could check if anyone was sick in a specific house, which compromises people’s privacy.

Before putting out his findings in public, Mr Baptiste disclosed the flaw to the National Informatics Centre (NIC) and the Computer Emergency Response Team (CERT-In).

The Aarogya Setu team, however, issued a rebuttal to Mr Baptiste’s claims.

On the claim of users being able to get Covid-19 statistics by changing their radius and coordinates using a script, the Aarogya Setu team said this information was already public and did not compromise on personal or sensitive data.

“No personal information of any user has been proven to be at risk by this ethical hacker [...] Team Aarogya Setu assures everyone that no data or security breach has been identified,” the statement said.

In mobile apps that deal with location data (shopping sites, taxi booking services etc.), users can often fake their location using GPS-spoofing applications. While frowned upon, this wouldn’t necessarily count as a security flaw in most cases. This, incidentally, is also Aarogya Setu’s defence: the team said that even if an attacker changes his location, he wouldn’t find anything that wasn’t already in the public domain.

The team also claimed a user would only be able to narrow down to a location of 500 metres radius, with the default setting being one km. However, Baptiste has claimed this isn’t true. He said he wasn’t only able to choose locations in Aarogya Setu but also set the radius of his choice — 100 metres or even 100 km.

According to Baptiste, the flaw would allow users to point out a neighbourhood, or an individual house, and get the exact figures of infected persons at that location. “This would allow an attacker with knowledge of the flaw to ‘triangulate’ infected persons, thereby breaching their privacy.” Baptiste has said he would disclose the flaw to the general public after the Aarogya Setu team fixes it. However, if the team ignores it, he said he would release it nonetheless.
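The weakness described above is a client-side-only restriction: the five radius choices were enforced in the app, while the backend accepted any radius and coordinates the client sent. The following is an added example, not Aarogya Setu’s code, showing such a request parser in its trusting form next to a hardened form that enforces the allowed radii on the server; the parameter names, the function names and the allowed values other than 500 m and 1 km are assumptions.

```python
"""Server-side validation of a 'cases near me' statistics request.

Added illustration, not Aarogya Setu's code. The article states a
500 m minimum and a 1 km default; the other allowed values below are
assumed for illustration, as are the query parameter names.
"""
from dataclasses import dataclass

# Assumed allow-list: only 500 and 1000 are stated in the article.
ALLOWED_RADII_M = {500, 1000, 2000, 5000, 10000}
DEFAULT_RADIUS_M = 1000


@dataclass(frozen=True)
class StatsQuery:
    lat: float
    lon: float
    radius_m: int


class InvalidQuery(ValueError):
    """Raised when a client-supplied query fails server-side checks."""


def parse_query_trusting_client(params: dict) -> StatsQuery:
    """Weak form: whatever radius the client sends is used as-is,
    so a client that bypasses the app's five choices gets 100 m
    or 100 km just by editing the request."""
    return StatsQuery(float(params["lat"]), float(params["lon"]),
                      int(params.get("dist", DEFAULT_RADIUS_M)))


def parse_query_hardened(params: dict) -> StatsQuery:
    """Hardened form: the radius must be one of the server-side
    allowed values, and coordinates must be in range, regardless
    of what the client UI offered."""
    try:
        lat = float(params["lat"])
        lon = float(params["lon"])
        radius = int(params.get("dist", DEFAULT_RADIUS_M))
    except (KeyError, TypeError, ValueError) as exc:
        raise InvalidQuery(f"malformed query: {exc}") from None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise InvalidQuery("coordinates out of range")
    if radius not in ALLOWED_RADII_M:
        raise InvalidQuery(f"radius {radius} m not permitted")
    return StatsQuery(lat, lon, radius)
```

Rejected queries should also be logged with the offending radius, since a stream of off-list values from one client is the signal a defender would want to see.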
