Aarogya Setu data a national security challenge: Experts

Govt officials say adequate encryption is in place but experts argue that protecting the data collected is a national security challenge

Hindustan Times (Amritsar) - Front Page - Binayak Dasgupta letters@hindustantimes.com

NEW DELHI: Data of millions of Indians, collected through the Aarogya Setu app, could be vulnerable to threats from adversarial state and non-state actors and pose a national security challenge, according to cybersecurity experts and former intelligence officials. This, they believe, is due to issues in India’s security capabilities and cyber hygiene practices.

Indian government officials reject these concerns, saying their encryption standards have adequate protection against data or network breaches.

This difference of opinion is at the heart of a controversy surrounding tracing apps that store sensitive personal data to aid in the fight against the coronavirus disease -- with one side saying that the potential risks are either non-existent or a small compromise; and the other arguing that the information is far more valuable and dangerous than governments comprehend, not just from a privacy perspective but also on the security front.

Aarogya Setu is meant to trace close contact between people so that they can be reached in the event any of them is infected with Covid-19. According to officials, at least 110 million people have signed up on it, and while a rule making it mandatory for office-goers to install it was partially relaxed last week, on Wednesday the government said air passengers must install it if they are taking a flight.

“National databases in general are a huge cause of concern. Sometimes, leaks don’t even appear on the dark web. They are simply scooped away for doing passive profiling of citizens of adversarial countries,” said Pukhraj Singh, a cyber threat intelligence expert, who was involved in the detection of the breach at the Kudankulam Nuclear Power Plant last year.

Concerns expressed by Singh were endorsed by two ex-intelligence officers who have held senior positions in the Natgrid and the NTRO – two of India’s main agencies tasked with digital intelligence gathering.

The threat is particularly serious due to the nature of information involved, one of the former intelligence officers cited above said. He added that users part with information that can directly identify them, where they have been, and what health conditions they suffer from, making it a target for common cyber criminals who can offer these up on the dark web for a price, as well as state-backed hackers for espionage.

Government officials again rejected these concerns, saying that their data encryption standards have adequate protection against breaches. million sign-ups, according to government officials. The process requires users to declare their mobile numbers, name, gender, age, and whether they belong to a set of high-risk professions, such as law enforcement or health care.

The application then routinely asks people to “self-assess” their health by answering questions such as whether they have any of the symptoms associated with Covid-19 or if they have a history of diabetes, hypertension or obesity – factors that make people more susceptible to the disease.

The second retired intelligence official described three scenarios in which such breaches can be dangerous. “The first risk comes from any hacker who wants to profit from the data. For instance, someone can leak the data about the number of people who identified as diabetics and sell it to a company making insulin for targeted ads, or to an insurance company to deny claims.”

He said that the second is what the government itself can do. “Unfortunately, no matter what legal protocols you put in place, the sovereign can always find ways to use this data for purposes they were not meant for.”

But it is the third use which potentially is the most hazardous, he said. “The third, and the highest risk, is from geopolitical adversaries who can use this data for a wide variety of reasons. They can misuse it to identify and target particular citizens, such as a bureaucrat or a politician, or they can simply scare people into not trusting their government with any data”, this person said, asking not to be named.

“Most state-initiated hacks are not even known to the public. What you hear about normally are amateurish attempts. The really sophisticated ones have been very hard to detect,” this person added.


Fundamentally, data breaches can happen in two ways. The most common method is deceiving someone into divulging sensitive information or giving a hacker privileged access – a tactic commonly known as a phishing attack. Such tactics have been used in the past by hackers to obtain back-door access – by fooling, for instance, an IT management staff member – to sensitive networks used by banks or government offices.

Both these methods have proven to work – often in combination – to compromise the more secure of systems. Zero-day hacks have been carried out by state-linked hackers and are a risk that cannot be ruled out, the second intelligence agency veteran quoted above said.

Till now, officials have not detected such an attempt on health data in India. “The data is fully secure; our encryption and data storage policies will ensure that there is no breach. Sensitive data of our citizens is kept in a manner where there is no unauthorised access to the data,” said Abhishek Singh, CEO of MyGov, one of the government agencies involved in the Aarogya Setu project.


There is a third risk factor associated with the Aarogya Setu push – modified or impostor applications that look like Aarogya Setu but are spying tools. These have been spread using the same techniques as phishing, often through messaging applications or via links sent over WhatsApp. While this might not expose the entire database, it could compromise individuals who are successfully targeted.

The Union home ministry issued a warning in late April — the same month Aarogya Setu was launched — about such fake apps being sent to Indian soldiers and paramilitary personnel through WhatsApp, media reports said last month.

“In the current version of the app, there is no protection against an internal modification. So, it’s quite easy to create a modified version of the app. Of course, a modified version of Aarogya Setu can become viral. Especially now, (since) Aarogya Setu is a big topic in India,” said Baptiste Robert, a France-based cyber security researcher who is more commonly known by his nom de guerre Elliot Alderson.

Robert first found flaws in an earlier version of the Indian app that allowed access to internal programme files, which could lead to an attacker accessing the data the Aarogya Setu collects.

On May 14, a researcher at antimalware product developer ESET shared screenshots showing one such impostor application, which had the same logo and name as the real Aarogya Setu but was actually spyware. “It’s SpyNote - RAT (remote access trojan) tool. It’s not created by IN govt... [Spynote can] log user keystrokes, steal SMS, wipe device, steal contact list, take camera pics, record audio, install additional apps, reset device PIN and make calls,” wrote Lukas Stefanko,

MyGov’s Singh said impostor applications were being spread and people were being asked to download it, “which is not right”. “These imposter apps cannot come on PlayStore and we have ensured that. People usually download top-rated apps from PlayStore and the Aarogya Setu is highly rated,” said Singh.


Researcher Pukhraj Singh recounted several of the past hacks (see box) that extracted government personnel data, medical records and banking information. “It has hugely upset American intelligence collection programs, especially the ones relying on HUMINT (human intelligence). Maintaining intelligence cover has become close to impossible now,” he said.

“The problem is that we see databases in isolation. (But) they are like lobes to a nervous system. The more databases adversaries have access to, the more they are able to control the system,” Singh said, adding that India needs to “undertake a kind of cost-benefit assessment and a whole-of-government posture review to know what we are really doing with the data that is being collected”. The second of the two former intelligence officials quoted above concurred with the position.
