The Aarogya Setu app is being hailed for its benefits in combating the COVID-19 crisis in India through its contact tracing system. With 9 million+ installs and the government mandating it for citizens, the user base is only going to grow. But there is also rising concern about the government's contact-tracing app, and recently a French ethical hacker said a security issue exists in the app.
Soon after Robert Baptiste, who goes by Elliot Alderson, tweeted about the security lapse in the Aarogya Setu app, the NIC and CERT India contacted the ethical hacker. After reviewing the technical report, the developers released a statement, which essentially said there was no privacy risk in the app. By then, Alderson hadn't shared the security issues in the app publicly, and the way the Aarogya Setu app developers described it, everything was normal.
Ethical hacker spills the beans
Alderson had said that, regardless of whether the issues were fixed, he would reveal them publicly. As promised, in a Medium blog post, Alderson explained everything that's worrisome with the app and asked the developers to "stop lying" and "denying."
Alderson summarised the issues with Aarogya Setu in three points:
- It was totally possible to use a different radius than the 5 hardcoded values, so clearly they are lying on this point and they know that. They even admit that the default value is now 1km, so they did a change in production after my report.
- The funny thing is they also admit a user can get the data for multiple locations. Thanks to triangulation, an attacker can get with a meter precision the health status of someone.
- Bulk calls are possible, my man. I spent my day calling this endpoint and you know it too.
To further strengthen his claims, Alderson revealed some details extracted from the app, according to which 5 people felt unwell at the PMO office, 2 were unwell at the Indian Army Headquarters, 1 person was infected at the Indian parliament, and 3 were infected at the Home Office.
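The three points above map to three server-side checks: a radius allow-list, snapping query coordinates to a coarse grid with small counts suppressed, and a per-device call budget. The following is an added example, not code from the app or from Alderson's report; the radius values, grid size, thresholds and the `count_fn` datastore lookup are all assumptions.

```python
import math
from collections import defaultdict, deque

# All constants are assumptions; the article only says five radii are hardcoded.
ALLOWED_RADII_M = frozenset({500, 1000, 2000, 5000, 10000})
GRID_DEG = 0.01        # snap queries to cells of roughly 1 km
MIN_REPORTED = 10      # exact counts below this are never returned
MAX_CALLS = 5          # accepted calls per device per window
WINDOW_S = 3600

_calls = defaultdict(deque)   # device_id -> timestamps of accepted calls


def snap(lat, lon):
    """Move a coordinate to the centre of its grid cell, so every query made
    from inside one cell gets the same answer and small moves reveal nothing."""
    def centre(v):
        return round((math.floor(v / GRID_DEG) + 0.5) * GRID_DEG, 6)
    return centre(lat), centre(lon)


def allow_call(device_id, now):
    """Sliding-window budget per device; rejected calls are not recorded."""
    q = _calls[device_id]
    while q and now - q[0] >= WINDOW_S:
        q.popleft()
    if len(q) >= MAX_CALLS:
        return False
    q.append(now)
    return True


def handle_query(device_id, lat, lon, radius_m, now, count_fn):
    """count_fn(lat, lon, radius_m) -> int is a hypothetical datastore lookup."""
    if not allow_call(device_id, now):          # bulk calls
        return 429, {"error": "rate limit exceeded"}
    if radius_m not in ALLOWED_RADII_M:         # arbitrary radius
        return 400, {"error": "unsupported radius"}
    numeric = all(isinstance(v, (int, float)) for v in (lat, lon))
    if not numeric or not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return 400, {"error": "bad coordinates"}
    s_lat, s_lon = snap(lat, lon)               # multiple nearby locations
    n = count_fn(s_lat, s_lon, radius_m)
    shown = n if n >= MIN_REPORTED else f"<{MIN_REPORTED}"
    return 200, {"lat": s_lat, "lon": s_lon,
                 "radius_m": radius_m, "infected": shown}
```

Snapping and suppression only limit what differencing of overlapping queries can recover; the budget has to be enforced per authenticated device, since a client-supplied identifier can simply be rotated.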
Government's defense
The government defended the Aarogya Setu app and said it is foolproof. In response to the accusations of the ethical hacker, the government released a six-page document that highlights the measures taken to protect users' data, privacy, and security.
According to the document, each user is assigned a unique, randomized, anonymous device ID that is used for communications between devices and the Aarogya Setu server; data is not stored permanently; location data is accessed only in case of a positive case; personal identity is hidden; and no security breach has been identified.