French security researcher Robert Baptiste (going by the pseudonym Elliot Alderson, or @fs0c131y on Twitter) posted that several Indian government officials are currently unwell, and that he got this information thanks to a flaw in the Aarogya Setu coronavirus contact tracing app which was made by NITI Aayog along with a number of volunteers. Baptiste has claimed that a vulnerability in the Aarogya Setu app let him see who is infected, unwell, and who has made a self COVID-19 assessment. Although he was initially contacted by Indian cyber security agencies, the team behind Aarogya Setu refuted his claims, and on Wednesday IT Minister Ravi Shankar Prasad also assured the people that the app was secure. In response, Baptiste has revealed some of the details he got through the app, and added that he will reveal detailed information soon.
The researcher, through his Twitter account Elliot Alderson, took a dig at the recent claim made by the Union IT Minister, saying that the Aarogya Setu app is “absolutely robust app in terms of privacy protection and safety, security of data.” He highlighted that he was able to find the loophole that allowed him to see anyone who has reported infection, unwell, or made a self assessment through the Aarogya Setu app in a particular area.
He added that on the basis of the data he obtained for Tuesday through the app, he was able to see that five people felt unwell at the PMO, two unwell at the Indian Army headquarters, and one person was infected at the parliament.
“Basically, I was able to see if someone was sick at the PMO or the Indian parliament. I was able to see if someone was sick in a specific house if wanted,” he tweeted. He also underlined that he was able to find a flaw early last month through which an attacker could access any internal file of the app using a single command, though this was fixed silently by the team behind the Aarogya Setu app.
Update: As promised, Baptiste added an update where he shared a blog post detailing the security flaw in the app. He explained that an attacker can get information about the unwell people/ people who have done a self-assessment near them in a fixed radius. Further, he found that by changing his location to different places, he can see who is unwell there — such as finding unwell people within 500 metres of the heart of parliament. He added that the radius can be expanded beyond the maximum 10 kilometres in the app, to get information about all the people in a city, for example. Further, by triangulating this information choosing multiple locations to check from, Baptiste said he was able to get information within one meter of accuracy.
Gadgets 360 has reached out to the Aarogya Setu app team to get clarity on the issue raised by the researcher and will update this space as and when it responds.
Refusal so far
The tussle between the researcher and the Aarogya Setu team started on late Tuesday. He claimed that he had found a “security issue” within the app that has put the privacy of over nine crore Indian users at risk. In response, the team posted a note on Twitter on early Wednesday that refuted the existence of the issue.
“No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” the team wrote in the note.
Concerns due to its wide adoption
The Aarogya Setu has already been used by a large number of users in India — mainly to limit the spread of the novel coronavirus in the country. It was originally voluntary to use, though that nature has quickly been evolving and transforming into mandatory. It is required in various private and government offices as well as by the workers who deliver food and other essential goods. Recently, the Noida police have started enforcing the use of the app as well. All this has swelled the usage to new levels.
In the recent past, the growth in the adoption of the Aarogya Setu app has also pushed some criticism from groups such as the Software Freedom Law Center, India (SFLC.in) and the Internet Freedom Foundation (IFF). A part of the society is also questioning the efforts making it mandatory for citizens.
In 2020, will WhatsApp get the killer feature that every Indian is waiting for? Samsung Galaxy S20 in India? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.