Continuing his dispute with the Indian government, French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, has yet again found a flaw in Aarogya Setu, the mobile application developed by the Indian government to trace the spread of Covid-19 among the population.
According to Baptiste, anyone with the right technical know-how can find out the Covid-19 status of a given area by exploiting a flaw that allows users to set their own location within the Aarogya Setu application. Using the flaw, Baptiste found that five people each in the Prime Minister’s Office (PMO) and the defence ministry had reported that they were feeling unwell today (May 06).
The cybersecurity expert also said that inside the Indian Parliament, an individual updated their status to infected while two people said they were feeling unwell. He also found that two people had selected the unwell option inside the Indian Army headquarters in New Delhi.
Inc42 has written to the team working on Aarogya Setu for a response. We will update the story as soon as there is one.
How The Aarogya Setu Flaw Was Discovered
In a blog post titled ‘Aarogya Setu: The story of a failure’, Baptiste wrote that he initially ran the application on a rooted device to look for the flaw. However, the application refused to run on the rooted device, citing security reasons. “After this, I decompiled the app and found where this root detection was implemented. In order to bypass it, I wrote a small function in my Frida script,” he said.
The next challenge for him was to bypass the app’s certificate checks so that he could monitor the network requests it made. Baptiste said that once he had done this, he found an interesting option through which anyone can find out how many people took the self-assessment test in any area across the country.
Baptiste was also able to choose the radius of the area, which could be as small as 1 metre, and to use triangulation to narrow down locations. “When the user is clicking on one of the distances, his location is sent and the radius chosen is sent,” he added. With this, Baptiste was able to get the number of infected, unwell and positive people in any given area.
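The weakness described above is an aggregation endpoint that trusts a client-supplied centre point and radius and returns exact counts, so a caller can shrink the radius until a single respondent is isolated. The following is an added illustration, not code from Baptiste’s blog post or from the Aarogya Setu app: it uses a constructed set of self-assessment records and hypothetical thresholds (MIN_RADIUS_M, MIN_RESPONDENTS, MIN_CELL, ROUND_TO, GRID_DEG are assumptions) to contrast the leaky behaviour with a hardened server-side version that snaps the centre to a coarse grid, enforces a minimum radius, suppresses small groups and rounds the counts it does return.

```python
import math
from collections import Counter

# Constructed sample records (lat, lon, self-reported status); not real data.
# The first two records are about 15 m apart, the rest a few km away.
SAMPLE_RECORDS = [
    (28.6139, 77.2090, "unwell"),
    (28.6140, 77.2091, "infected"),
    (28.6200, 77.2200, "healthy"),
    (28.6210, 77.2210, "unwell"),
    (28.6300, 77.2300, "healthy"),
    (28.6310, 77.2310, "healthy"),
    (28.6320, 77.2320, "healthy"),
]

# Hypothetical policy values; a real deployment would tune these.
MIN_RADIUS_M = 500       # smallest radius a client may request
MIN_RESPONDENTS = 5      # below this total, nothing is returned
MIN_CELL = 3             # per-status counts below this are reported as 0
ROUND_TO = 5             # surviving counts are rounded to this granularity
GRID_DEG = 0.01          # centre is snapped to a ~1 km grid cell


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def raw_counts(records, lat, lon, radius_m):
    """Count statuses of all records within radius_m of (lat, lon)."""
    counts = Counter()
    for rlat, rlon, status in records:
        if haversine_m(lat, lon, rlat, rlon) <= radius_m:
            counts[status] += 1
    return dict(counts)


def vulnerable_area_stats(records, lat, lon, radius_m):
    """Mirrors the behaviour the article describes: the client chooses any
    centre and any radius, and exact counts come back. A 1 m radius around
    a known position isolates one person's self-assessment."""
    return raw_counts(records, lat, lon, radius_m)


def snap_to_grid(value, grid=GRID_DEG):
    """Snap a coordinate to the nearest grid line so the caller cannot
    slide the centre metre by metre to triangulate an individual."""
    return round(value / grid) * grid


def hardened_area_stats(records, lat, lon, radius_m):
    """Same query, with the server enforcing the aggregation policy."""
    if radius_m < MIN_RADIUS_M:
        return {"error": "radius below minimum"}
    lat, lon = snap_to_grid(lat), snap_to_grid(lon)
    counts = raw_counts(records, lat, lon, radius_m)
    if sum(counts.values()) < MIN_RESPONDENTS:
        return {"error": "too few respondents in area"}
    result = {}
    for status, n in counts.items():
        # Small cells are zeroed; larger ones are coarsened.
        result[status] = 0 if n < MIN_CELL else int(round(n / ROUND_TO)) * ROUND_TO
    return result


if __name__ == "__main__":
    # 1 m around the first record singles out one respondent.
    print(vulnerable_area_stats(SAMPLE_RECORDS, 28.6139, 77.2090, 1))
    # The hardened endpoint refuses the tiny radius and only ever
    # returns coarsened counts for an area of reasonable size.
    print(hardened_area_stats(SAMPLE_RECORDS, 28.6139, 77.2090, 1))
    print(hardened_area_stats(SAMPLE_RECORDS, 28.6139, 77.2090, 5000))
```

The thresholds are the point rather than the exact numbers: whatever the values, the response must never change in a way that reveals a single respondent when the caller moves the centre or radius slightly, which is why the centre is snapped and the counts are both suppressed and rounded. Rate limiting per account on top of this limits how many grid cells one caller can sweep.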
Government Defends Aarogya Setu App
Baptiste wrote the blog post after teasing a big announcement for the past few days. In a tweet, Baptiste claimed that he had found security concerns in the Aarogya Setu app, adding that Congress leader Rahul Gandhi was right in calling it a surveillance tool.
A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?
PS: @RahulGandhi was right
— Elliot Alderson (@fs0c131y) May 5, 2020
While Baptiste did not elaborate on the type or depth of the issues he had found in Aarogya Setu, he got in touch with the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) after his tweet.
In response, the Indian government has denied any security issues in the app, which was developed in a public-private partnership. “No personal information of any user has been proven to be at risk by this ethical hacker,” the government tweeted through the Aarogya Setu official Twitter handle.
— Aarogya Setu (@SetuAarogya) May 5, 2020
Earlier, two days after the app’s launch, the ethical hacker had highlighted that it was possible to open any internal file of the app with one command. He claimed that the government had “silently” fixed the issue later.
The first time I analysed @SetuAarogya it was 1 month ago. With 1 command line it was possible to open any internal file of the app. It's no longer possible on the latest version. They fixed this issue silently. https://t.co/MVKc4wOSA9
— Elliot Alderson (@fs0c131y) May 6, 2020
Besides Baptiste, several internet privacy rights groups had raised alarms about the potential for abusing the Aarogya Setu app’s location tracking and using it for purposes other than contact tracing. The government, as well as the startup partners working on the app, have repeatedly denied that the data will be used beyond the pandemic and have also said that it will be deleted once the threat of Covid-19 has been eliminated.
With inputs from Kritti Bhalla.