Flaw in Aarogya Setu app lets one see others' health status: French cybersecurity expert

'Elliot Alderson' claims he could see how many people were unwell in the PMO


French cybersecurity researcher Robert Baptiste who goes by the handle ‘Elliot Alderson’ has put out a blog post titled ‘Aarogya Setu: The Story of a Failure’ highlighting security lapses in the Centre’s Aarogya Setu COVID-19 tracking app that has so far been installed by over 90 million people.

Alderson claims that he was able to abuse one of the app’s features—which allows users to see the number of people who have installed Aarogya Setu, including the number of COVID-19 positive users and of those who felt unwell in their geographic vicinity—to see the health status of the app's users in any geographic location within India. Alderson says he did so by spoofing his location, allowing him to view such information anywhere in India—including in the Prime Minister’s Office and in the Army headquarters.

“In the app, you have the ability to know how many people did a self assessment in your area. You can choose the radius of the area. It can be 500m, 1km, 2kms, 5kms or 10kms,” he wrote.


“And yes, yesterday:

- 5 people felt unwell at the PMO office
- 2 unwell at the Indian Army Headquarters
- 1 infected people at the Indian parliament
- 3 infected at the Home Office,” Alderson tweeted.

Prior to posting about his findings on Medium, Alderson first tagged Aarogya Setu’s developers and alerted them to a possible security vulnerability on Tuesday, saying “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?”

Alderson ended his tweet saying, "PS: @RahulGandhi was right."

He later said that Aarogya Setu’s developers got back to him 49 minutes later.

Elliot Alderson vs Aarogya Setu

A promotional graphic released to promote the use of the app

Alderson said that he began testing Aarogya Setu for vulnerabilities within days of its launch, and that he found an early vulnerability that allowed anybody to access the app’s files within their device. This was fixed in later versions of the app, which also prevented users with rooted devices from using it. However, Alderson says he was still able to bypass these protections by decompiling the app.

In his first alert about Aarogya Setu having a vulnerability, he referred to a tweet by Rahul Gandhi which said "The Aarogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight - raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent."

On Tuesday evening, Aarogya Setu’s developers released a statement saying they had been alerted by an “ethical hacker” of a potential security issue within the app. The first point mentioned was that the app fetches the user’s location on a few occasions. The developers responded saying, “This is by design and is clearly detailed in the privacy policy. Reproducing the same for everyone’s benefit. We fetch a user’s location and store on the server in a secure, encrypted, anonymised manner—at the time of registration [and] at the time of self-assessment [and] when a user submits their contact tracing data voluntary [sic] through the App or when we fetch the contact tracing data of a user after they have turned COVID-19 positive.”

The second was that “user can get the COVID-19 stats displayed on the home screen by changing the radius and latitude-longitude using a script.” The developers responded saying, “The radius parameters are fixed and can only take one of the five values: 500 metres, 1km, 2km, 5km, and 10km. These values are standard parameters, posted with HTTP headers. Any other value as part of the ‘distance’ HTTP header gets defaulted to 1km.”

However, on Wednesday, Alderson highlighted that “it was totally possible to use a different radius than the 5 hardcoded values, so clearly they are lying on this point and they know that. They even admit that the default value is now 1km, so they did a change in production after my report.”

Aarogya Setu had also said that, “The user can change the latitude/longitude to get the data for multiple locations. The API call though is behind a Web Application Firewall, and hence bulk calls are not possible. Getting data for multiple latitude longitude this way is no different than asking several people of their location’s COVID-19 statistics. All this information is already public for all locations and hence does not compromise on any personal or sensitive data.”

Alderson’s response on Wednesday said that “Thanks to this endpoint an attacker can know who is infected anywhere in India, in the area of his choice. I can know if my neighboor [sic] is sick for example. Sounds like a privacy issue for me.”

“The funny thing is they also admit an user [sic] can get the data for multiple locations. Thanks to triangulation, an attacker can get with a meter precision the health status of someone,” adding that “Bulk calls are possible my man. I spent my day calling this endpoint and you know it too.”
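The server-side controls the exchange above turns on (rejecting rather than silently defaulting an unexpected ‘distance’ header, coarsening the queried coordinates, limiting call volume per client, and suppressing small counts so that overlapping queries cannot single out one person), shown as an added Python sketch that is not Aarogya Setu’s code. The count-lookup function, the threshold values and the client identifier are assumptions for illustration.

```python
from collections import defaultdict

# The five radii quoted by the developers, in metres.
ALLOWED_DISTANCES_M = {500, 1000, 2000, 5000, 10000}
MIN_COUNT = 10             # assumed: buckets below this are reported as suppressed
MAX_CALLS_PER_CLIENT = 20  # assumed: per-client cap for one rate-limit window
GRID_DECIMALS = 2          # assumed: snap coordinates to roughly a 1 km grid


class StatsEndpoint:
    """Hardened handler for a 'COVID-19 stats near me' style request."""

    def __init__(self, query_counts):
        # query_counts(lat, lon, distance_m) -> dict of category -> count
        # is a hypothetical backend lookup supplied by the caller.
        self.query_counts = query_counts
        self.calls = defaultdict(int)

    def handle(self, client_id, headers):
        # 1. Validate the radius strictly; do not fall back to a default.
        try:
            dist = int(headers.get("distance", ""))
        except ValueError:
            return {"error": "invalid distance"}, 400
        if dist not in ALLOWED_DISTANCES_M:
            return {"error": "invalid distance"}, 400

        # 2. Validate coordinates and snap them to a coarse grid, so that
        #    shifting the query by a few metres returns the same bucket.
        try:
            lat = float(headers["lat"])
            lon = float(headers["lon"])
        except (KeyError, ValueError):
            return {"error": "invalid coordinates"}, 400
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            return {"error": "invalid coordinates"}, 400
        lat, lon = round(lat, GRID_DECIMALS), round(lon, GRID_DECIMALS)

        # 3. Per-client rate limit, counted only for well-formed requests.
        self.calls[client_id] += 1
        if self.calls[client_id] > MAX_CALLS_PER_CLIENT:
            return {"error": "rate limited"}, 429

        # 4. Suppress small counts before returning them.
        counts = self.query_counts(lat, lon, dist)
        safe = {k: (v if v >= MIN_COUNT else None) for k, v in counts.items()}
        return safe, 200
```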

Alderson later tweeted that Aarogya Setu’s source code needs to be made open source (i.e. visible to the public), saying that “When you ask (force) people to install an app, they have the right to know what the app is really doing.” “If you love your country @SetuAarogya, publish the source code,” he added, mentioning that Singapore, Israel and Iceland had already done so.

Aarogya Setu has yet to respond to Alderson’s latest post.

Earlier on Wednesday, Union minister Ravi Shankar Prasad told PTI that Aarogya Setu was an “absolutely robust app” in terms of privacy protection, safety and security of data.

In recent guidelines, the Ministry of Home Affairs had announced that use of the Aarogya Setu app would be mandatory for employees of public and private sector companies. Installation of the app is also mandatory in regions declared as ‘containment zones’. In Noida, authorities have made installation of the app mandatory, with criminal prosecution for those who do not do so.

Alderson has been a strong critic of India’s Aadhaar program, having revealed in 2019 how the data of 67 lakh customers was leaked via the Indane website.