French researcher flags Aarogya flaws, govt denies
According to French researcher Elliot Alderson, the Aarogya Setu application’s location functionality can be paired with a technique called triangulation, which could allow anyone who can manipulate the programme at a technical level to determine who is infected in a specific, 1-metre area.
The Union government’s Aarogya Setu application has vulnerabilities that could compromise the identity and movement of the millions of Indians who use it, according to a French computer researcher who posted a technical analysis of the flaws on Wednesday, and ostensibly illustrated how he could determine whether someone reported being infected at sensitive locations such as Parliament.
The developers of the application dismissed the idea that the findings posed a risk and said the behaviour was part of the application’s design, which is meant to allow users to determine who in their vicinity is unwell, infected or healthy. But that defence was dismissed by the Frenchman, who goes by the nom de guerre of Elliot Alderson, and by a second cyber expert HT spoke to.
The government also said the platform is “absolutely robust, safe and secure”. “This is a technological invention of India -- ministry of electronics and information technology, our scientists, NIC, Niti Aayog and some private (entities) -- whereby it is a perfectly accountable platform to help in the fight against COVID-19,” Union minister Ravi Shankar Prasad told PTI.
The posts by Alderson add to the misgivings expressed by privacy experts around apps such as Aarogya Setu, which has been made mandatory for an increasing number of Indians in recent days as officials push it as a crucial tool to contain the coronavirus disease (Covid-19) outbreak.
According to Alderson, the application’s location functionality can be paired with a technique called triangulation, which could allow anyone who can manipulate the programme at a technical level to determine who is infected in a specific, 1-metre area.
Triangulation refers to the technique of using multiple data points to zero in on precise information or a precise location that is otherwise available only on a vaguer scale. “Triangulation is location tracking via multiple calls to the API (a component of the app) where at every iteration, a lower value is chosen. Say the first call could be 5 KM and then the next call would be 1 KM and so on,” said cyber security researcher Anand V.
This was possible because apps can be reverse engineered and modified to extract data that otherwise should be inaccessible. “He used a reverse engineering tool called Frida to modify the App and feed the locations via a script,” said Anand, adding that in this manner, the entire app can be rewritten to create an imitation.
“What Elliot has done is to create a modified Aarogya Setu app that simply did what it is not supposed to do. And the developers could not detect it unless he reported it,” said Anand, adding: “Imagine ISI and others doing exactly the same thing without reporting it.”
The contention by the experts is that this presented a particular risk to Indians, who can potentially be targeted by domestic as well as foreign cyber criminals. “The mandatory nature of the app has already created a thriving mod industry,” Anand said.
On April 30, security agencies warned army and paramilitary troops against an Aarogya Setu imitation that was being spread to steal sensitive data, news agency PTI reported, quoting officials.
MyGov CEO Abhishek Singh told HT that the concerns raised by Alderson are incorrect and that, of 90 million users, the data of only 0.05% of users is on the server. “The app only takes basic data, and as specified in the privacy policy, all personal data is collected only once and is encrypted, after which a device ID is created. Subsequent to that, all interactions happen only with the device ID,” Singh said.
According to Anand, the vulnerability disclosed on Wednesday was one of the core issues with the Aarogya Setu: “Location collection is meaningless. It is a privacy nightmare and today’s revelations showed precisely why,” he said.
A second issue is that Aarogya Setu uses a “static ID” to store contact history. This refers to how the programme logs a close contact between two people. If person A and person B come close enough for the infection to spread between them, the app remembers the devices by using randomly generated identifiers. This identifier does not change, which means that if someone can access these static IDs, they can track the health status of the person.
“Any static ID that you obtain can be used to figure out what happened to the person behind the static ID,” said Anand. Alderson, in a post on Tuesday, described how he was able to break into the Aarogya Setu and access any file used by the app, which would include those that store such static IDs.
A third issue, Anand added, was that the code was not open source, which means its functionalities and vulnerabilities cannot be tested. “Make it open source to create trust and don’t bait and switch to something else that will last long after the pandemic is gone,” he said.
An official from the information and technology ministry said none of the revelations indicated Aarogya Setu had been hacked. “There has been no sort of hacking or breach of privacy in the Aarogya Setu. The allegations are based on amateur attempts by changing location and data correlation to portray it as hacking. The app would have shown similar data to anyone at a particular location. Do not indulge in petty attempts to attract attention while we are in the midst of a pandemic. Ethics are important,” said this official, asking not to be named.
Congress’s chief spokesperson Randeep Singh Surjewala said Alderson pointed out that the flaws outlined by Rahul Gandhi were absolutely correct. The problems, Surjewala added, were spread over three areas: that the Aarogya Setu’s data collection violated the right to privacy; that it was not developed by the government’s engineers and data was stored on foreign servers; and that human control in the backend could manipulate the health status of an individual.