India's COVID-19 contact tracing app, Aarogya Setu, is notorious for being pushed aggressively by the ruling government, and opposition parties have accused it of being a surveillance tool. While the politicians are engaged in a dog fight over this, the hacker known as Elliot Alderson, who previously exposed the weak security of India's Aadhaar system, has now made similar claims about the Aarogya Setu app!
Flaws Allowing Access to Internal Files
In his Medium blog post, he details how anyone can learn the precise location of infected people anywhere in India, from anywhere. He first uncovered a bug on April 3rd, just two days after the app was launched. It concerns a WebViewActivity, a component that should only be displaying web pages; a deeper analysis, however, revealed that it could be made to open the dialer with a number already filled in.
Further, the app performed no proper host validation, which let anyone access the internal files of COVID-19 data collected by the app. He demonstrated this in a video, and the Indian authorities removed the flaw in their next update.
Flaws Retrieving More Data Than Required
But the next update gave Elliot even more to play with. Version 1.1.1 of Aarogya Setu, which Elliot tested on a rooted phone on May 4th, gave him the ability to know who is sick anywhere in India! He bypassed the app's certificate pinning in order to monitor the requests it makes, and the traffic revealed far more than necessary.

A feature in the Aarogya Setu app lets users see how many people in their area have taken the self-assessment test. The area can be set to one of five ranges: 500m, 1km, 2km, 5km or 10km. When a range is chosen, the user's precise location (latitude and longitude coordinates) and the selected radius are sent to government servers, which return the count of self-assessment tests requested. But the response contains a lot more than that. The data Elliot (or anyone) is able to obtain is: the number of unwell people, the number of infected people, the number of people declared Bluetooth positive, the number of self-assessments made around you, and the number of people using the app around you.
The last thing Elliot tried was setting the range manually to a value of his choice, something the app does not offer. It worked: he set a range of 100km and received the same information. Further, one can also set one's location to wherever one likes; Elliot tried this by setting his location to New Delhi and obtained results as claimed. He concludes that this is a serious privacy breach and should be addressed. Though the IT minister has previously assured that the app is safe, minor tweaks to the app's code can now give precise COVID-19 details about anyone in India. Elliot is also asking the Indian government to make the Aarogya Setu app's source code public, as other nations have done. Source: Elliot Alderson
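To make the server-side lesson concrete, here is an added, hypothetical example (not Aarogya Setu's code) of the "self-assessments near me" lookup described above, with the leaky handler beside a hardened one that enforces the five radii the app offers and returns only the count the feature displays. The parameter names (lat, lon, dist), the sample figures and the minimum-count threshold are assumptions constructed for the example.

```python
# Added, hypothetical example of the area-lookup endpoint described in the article.
# Parameter names (lat, lon, dist) and all figures are constructed, not the real API.

# The five radii the app's UI offers; the server must enforce them as well.
ALLOWED_RADII_M = {500, 1000, 2000, 5000, 10000}
# Constructed threshold: counts below it are not reported, so a very small radius
# cannot be used to single out an individual.
MIN_REPORTED_COUNT = 5


def lookup_area_stats(lat, lon, radius_m):
    """Stand-in for the backend aggregation: constructed figures that grow with the radius."""
    scale = radius_m // 500
    return {
        "unwell": scale,
        "infected": scale // 2,
        "bluetooth_positive": scale // 2,
        "self_assessments": 2 * scale,
        "app_users": 6 * scale,
    }


def nearby_handler_leaky(params):
    """Mirrors the behaviour described: any radius accepted, the whole record returned."""
    stats = lookup_area_stats(float(params["lat"]), float(params["lon"]), int(params["dist"]))
    return 200, stats


def nearby_handler_hardened(params):
    """Validates the request and applies data minimisation to the response."""
    try:
        lat, lon, radius = float(params["lat"]), float(params["lon"]), int(params["dist"])
    except (KeyError, ValueError):
        return 400, {"error": "bad request"}
    # Reject any radius the app does not offer (such as the 100km the article mentions).
    if radius not in ALLOWED_RADII_M:
        return 400, {"error": "unsupported radius"}
    # The client can report any location, so this is only a sanity check; the real
    # protection is returning as little as possible for whatever location is sent.
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return 400, {"error": "bad coordinates"}
    count = lookup_area_stats(lat, lon, radius)["self_assessments"]
    # Only the figure the feature actually displays leaves the server.
    if count < MIN_REPORTED_COUNT:
        return 200, {"self_assessments": f"<{MIN_REPORTED_COUNT}"}
    return 200, {"self_assessments": count}
```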