Ethical Hacker Posted Privacy Flaws of Aarogya Setu App And Alerted Indian Govt.
A French security researcher and ethical hacker revealed privacy flaws in the Aarogya Setu app, which the Government of India launched as a preventive measure, to be used as a mobile tracing application in the fight against COVID-19.
The application is available on the Play Store and has over 90 million users. The hacker alerted the Indian Government today through a tweet and asked them to get in touch so that the issue could be better understood.
The hacker posted several more tweets revealing that it was possible for any attacker to know the precise location of an infected person anywhere in India, before bringing the flaws of the app to the notice of the Indian Government today. The hacker also posted an online statement claiming that it was possible to use a different radius than the 5 hardcoded values.
More clarifications:
- No, the purpose of the app is not to know the location of ill patients
- The 1st issue I found is a security issue, the 2nd issue a privacy issue.
- If you don't care about privacy, fine for you but it's still a privacy issue.
— Elliot Alderson (@fs0c131y) May 6, 2020
I don't know why people are still asking what were the issues, everything is already public:
1) In the previous version of the app, an attacker was able to get the content of any internal file of the app, local database included.
2) Yesterday, an attacker was able to [..] https://t.co/MVKc4wOSA9
— Elliot Alderson (@fs0c131y) May 6, 2020
And yes, yesterday:
- 5 people felt unwell at the PMO office
- 2 unwell at the Indian Army Headquarters
- 1 infected person at the Indian parliament
- 3 infected at the Home Office
Should I continue?
— Elliot Alderson (@fs0c131y) May 6, 2020
In response to this event today, the Aarogya Setu app team issued a statement:
Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom
— Aarogya Setu (@SetuAarogya) May 5, 2020
What If An Attacker Knows The Health Status Of Every Individual:
Data breaches have gained widespread attention over the last decade. Mark Zuckerberg also faced a tough time in 2018 after the Cambridge Analytica scandal.
Several online reports indicate that advertisers prefer Facebook over Google for targeting their audience by precise location and interests. Data that captures user demographics with more precision is considered more authentic and more profitable, as leads generated from such data have a higher chance of converting into sales of the advertised products.
With such data, a user can in many ways be influenced to choose specific medical plans, beauty packages, health insurance and life insurance plans. Moreover, such data can also be misused in various other ways for vested interests.
Union Health Ministry Believes The App Is Safe:
The Union Health Ministry also released a press statement stating that the Aarogya Setu mobile app is developed by the Ministry of Electronics and IT. It enables people to assess for themselves their risk of catching the coronavirus infection. It calculates this based on their interaction with others, using cutting-edge Bluetooth technology, algorithms and artificial intelligence. All citizens are urged to download the mobile application. It is designed to keep a user informed in case she/he crosses paths with someone who has tested positive.