Indian contact tracing App – Aarogya Setu Developers trash claims of the ethical hacker who said it leaks information of 9 crore Indians
Long before Google and Apple announced their own contact tracing Apps, the Indian government developed and deployed its own contact tracing App, Aarogya Setu. It was a necessity in a country like India, where the lives of 1.5 billion Indians were at stake due to the coronavirus pandemic. Since Indians are well connected through smartphones (500 million users), the Aarogya Setu App was designed to give a smartphone user the location of the nearest coronavirus-infected patient so that the user and his family can avoid that location.
What is Aarogya Setu App and how does it help you fight Corona Virus (COVID-19) infection?
Aarogya Setu is basically a contact tracing App. It is developed by the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology and is being pushed by the Government of India as the one-stop solution for contact tracing as the COVID lockdown continues in the country. It has been made mandatory for employees of all private companies, and government employees also have to install the App on their phones.
It records the user’s latitude and longitude when he downloads the App and cross-references it with the data on coronavirus-infected patients already available to it through ICMR. The result is that it can warn the smartphone user about his/her proximity to a person who has already been identified as coronavirus positive. It also shows the user whether he/she is in a containment zone/hot zone (Red Zone).
After Indian Prime Minister Narendra Modi appealed to Indians in a countrywide telecast to download the Aarogya Setu App, the App was downloaded by around 50 million Android users and relatively fewer iPhone users.
What is the hacker’s claim about Aarogya Setu App?
On Tuesday, a hacker who uses the pseudonym Elliot Alderson, from the TV serial Mr. Robot, claimed in a tweet that the Aarogya Setu App could potentially leak personally identifiable information about 90 million Indians.
A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?
PS: @RahulGandhi was right
— Elliot Alderson (@fs0c131y) May 5, 2020
In the tweet, the hacker claims that “a security issue has been found in your app”. He further stated, “The privacy of 90 million Indians is at stake. Can you contact me in private?” and tagged the developers of the Aarogya Setu App.
He followed it up with another tweet saying that @IndianCERT and @NICMeity had contacted him and that he had disclosed the vulnerabilities in Aarogya Setu to them.
Who is Elliot Alderson?
Elliot Alderson is a pseudonym used by an ethical hacker, Robert Baptiste. Baptiste seems to have some interest in Indian politics; the idea of tagging Indian National Congress leader Rahul Gandhi smacks of his political affiliation. Earlier, the same hacker had claimed that he had access to the data held by the Aadhaar card issuing authority, UIDAI. At that time, Telecom Regulatory Authority of India (TRAI) chairperson R.S. Sharma dared the hacker to leak his details and publicly divulged his own Aadhaar number for the hacker to back up his claims. The hacker’s claim fell flat, as all he could do was release R.S. Sharma’s mobile number (which is publicly available if you do a bit of Google searching). Other people claimed they could deposit Rs.1 (around $0.02) in Mr. Sharma’s account because of the Aadhaar number. Mr. Sharma publicly ridiculed such claims in an article in the Indian Express:
“One interesting hack was to deposit one rupee in my account through the marvel of a system called UPI, which has been built by our country to enable financial inclusion on the scale we need. The world is in awe of this technology. But if you define crediting a rupee to an account as hacking, well more people might be happy to be hacked. In the last two days, there have been hundreds of attempts at false authentication from UIDAI servers and not even a single one of them has succeeded. Thus far I have not lost the challenge and I’m very confident that I will not. Yes, some distress may be caused to me by the concerted effort of so many people. However, for that Aadhaar is not to blame.”
At that time too, Elliot’s political affiliations were clear.
What is Aarogya Setu’s response to Elliot’s hack claims?
Soon after Elliot tweeted about the vulnerabilities in the App, the Aarogya Setu developers released a statement clarifying how the App works.
In the statement, the Aarogya Setu developers say that the App is designed to collect a user’s location at the following points in the process:
- When the user sets up the app and registers
- When the user makes a self-assessment
- When the user either voluntarily shares their contact tracing data from within the app or in case a self-assessment indicates COVID-positive.
This is not new; this is how contact tracing works. Even Google and Apple are collecting users’ location details with their own contact tracing Apps. A contact tracing app won’t work if it doesn’t compare the user’s location with a corona-infected patient’s location.
Regarding Elliot’s claim that “any user can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script,” the developers stated that “the radius parameters are fixed and can only take one of the five values: 500 meters, 1km, 2km, 5km, and 10km.” The default value is 1 km. They say this does not compromise any personal or sensitive data because the information is already public for all locations.
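As an added illustration (not Aarogya Setu’s own code, whose server side is not shown on this page), here is a hypothetical request validator that enforces what the developers describe: the radius is limited to the five stated values with 1 km as the default, and anything else is rejected rather than silently accepted. The parameter name `dist`, the coordinate range check and the minimum-count suppression are assumptions added here as defensive practice; the developers’ statement does not mention them.

```python
"""Hypothetical model of a fixed-radius COVID-19 stats endpoint.

Added example, not Aarogya Setu's code. The radius allowlist and the
1 km default follow the developers' statement; the parameter name,
the lat/lon range check and the minimum-count suppression are assumed.
"""
from dataclasses import dataclass
from typing import Optional

# Allowed radii in metres, as stated by the developers.
ALLOWED_RADII_M = (500, 1000, 2000, 5000, 10000)
DEFAULT_RADIUS_M = 1000
# Assumption: aggregate counts below this are not reported, so that
# repeated small-radius queries reveal less about individuals.
MIN_REPORTABLE_COUNT = 5


class InvalidQuery(ValueError):
    """Raised when a client-supplied parameter is outside policy."""


@dataclass(frozen=True)
class StatsQuery:
    lat: float
    lon: float
    radius_m: int


def parse_query(params: dict) -> StatsQuery:
    """Validate raw request parameters instead of trusting the client."""
    try:
        lat, lon = float(params["lat"]), float(params["lon"])
    except (KeyError, TypeError, ValueError):
        raise InvalidQuery("lat and lon are required numeric values")
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise InvalidQuery("coordinates out of range")  # also rejects NaN/inf
    try:
        radius_m = int(params.get("dist", DEFAULT_RADIUS_M))
    except (TypeError, ValueError):
        raise InvalidQuery("radius must be an integer")
    # Reject values outside the allowlist instead of snapping them, so a
    # tampered script cannot probe arbitrary circle sizes.
    if radius_m not in ALLOWED_RADII_M:
        raise InvalidQuery(f"radius must be one of {ALLOWED_RADII_M}")
    return StatsQuery(lat, lon, radius_m)


def query_is_accepted(params: dict) -> bool:
    """Accept/reject view of parse_query for callers that need a flag."""
    try:
        parse_query(params)
        return True
    except InvalidQuery:
        return False


def reportable_count(count: int) -> Optional[int]:
    """Return None for aggregate counts below the assumed threshold."""
    return count if count >= MIN_REPORTABLE_COUNT else None
```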
After Aarogya Setu devs released the statement, Elliot put out this tweet tagging
Do you know what triangulation is @SetuAarogya?
— Elliot Alderson (@fs0c131y) May 5, 2020
Now he has put up a video about a non-issue with Aarogya Setu’s XML-style statement, which is all gibberish. He has further tweeted that Aarogya Setu has fixed the vulnerability he noticed a month ago.
The first time I analysed @SetuAarogya it was 1 month ago. With 1 command line it was possible to open any internal file of the app. It’s no more possible on the latest version. They fixed this issue silently. https://t.co/MVKc4wOSA9
— Elliot Alderson (@fs0c131y) May 6, 2020
As we have already pointed out, Elliot’s intentions smack of political affiliation and unproven claims, so we have to wait for his promised blog post detailing the vulnerabilities in the Aarogya Setu App. Mind you, if the App indeed has vulnerabilities, we should welcome Elliot’s ethical hacking work.
But given Elliot’s past claims and the above tweets, it is difficult to believe him.