French hacker details security flaws in Aarogya Setu app, alleges privacy issues

Elliot Alderson, the Paris-based ethical hacker who claimed that the privacy of more than 90 million Indians using the Aarogya Setu app was at stake, has now alleged that it is possible to hack into the application, fake the location and get details of any app user within any desired radius.

 In a blog post titled ‘Aarogya Setu: The story of a failure’ on Wednesday, Alderson detailed security issues in the app, claiming that “an attacker can know who is infected anywhere in India, in the area of his choice.”

Location

“I can know if my neighbour is sick for example. Sounds like a privacy issue for me…” he wrote.

Alderson demonstrated how an ethical hacker sitting in France could hack into the Aarogya Setu app, fake the location as the prime minister’s office, Indian Army headquarters, the Indian parliament or the ministry of defence and get details regarding the health of the people in the building.

The engineer turned ethical hacker claimed to fake his locations and find out how many people the following locations were self-assessed, unwell, had tested Covid-19 positive and tested ‘bluetooth positive’. He placed the radius at 500 metres. 

And yes, yesterday:
- 5 people felt unwell at the PMO office
- 2 unwell at the Indian Army Headquarters
- 1 infected people at the Indian parliament
- 3 infected at the Home Office

Should I continue?

— Elliot Alderson (@fs0c131y) May 6, 2020

 Proximity 

Alderson alleged that radius parameters could be altered, a claim that contradicts the Aarogya Setu app developers’ assurances on proximity issues. 

“The radius parameters are fixed and can only take one of the five values: 500 meters, 1km, 2,km, 5km and 10km,” the developer team said on microblogging platform Twitter early Wednesday.

Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom

— Aarogya Setu (@SetuAarogya) May 5, 2020

However, Alderson said he was able to modify the assessment area. 

“It was totally possible to use a different radius than the five hardcoded values, so clearly they are lying on this point and they know that,” Alderson wrote .

Alderson also said that any hacker can set the location as close as one meter and get details about users. This can be done using triangulation.

Triangulation refers to a method by which a mobile phone’s location can be tracked if the user is in proximity to three or more nearby cell phone towers. Due to the point of overlap of the three signals, an estimate of the location of the mobile phone can be determined based on the distance from the three towers.

“Thanks to triangulation, an attacker can get with a meter precision the health status of someone,” Alderson wrote.

Rooted phones 

Alderson claimed he was able to use the application on a rooted device. Rooted or jailbroken devices allow a hacker to get access to the operating system code of the smartphone, or provides privileges to modify the software code.

The Aarogya Setu App has a basic security framework restriction where it warns the users that “the application cannot be used due to security restrictions (rooted device).”

How Alderson was able to use the app on a rooted device

However, Alderson claimed that he was able to bypass this security feature.

“I decompiled the app and found where this root detection was implemented. In order to bypass it, I wrote a small function in my Frida script,” he wrote.

“The next challenge was to be able to bypass the certificate pinning implemented in order to be able to monitor the network requests made by the app,”  he said.

Read: Aarogya Setu app gets privacy policy changes, state-wise dashboard

The alleged security issues could come as a cause of concern for the Aarogya Setu developers and the government, which has been aggressive in its push to make users download the application. Recently, the app was also made compulsory for government employees as well as private firm workers.

The police in Noida, Uttar Pradesh, has even stated that non-users in the city could attract a fine of Rs 1,000 or imprisonment up to six months.

The Aarogya Setu app developers are yet to officially respond to the allegations made by Alderson in his latest blog post. 

TechCircle also reached out to the Ministry of Electronics and Information Technology and Aarogya Setu’s official email for clarification on the issue. However, the emails did not elicit a response at the time of publishing this article.

Meanwhile, New Delhi based technology policy think-tank The Dialogue has released a fourteen-point framework that could strengthen the privacy standards and protocols of the Aarogya Setu app. 

The framework aims to provide a guide to the government on how the app could be made better in terms of legality, transparency, verifiability, data minimisation and a host of other factors. 

“Unauthorised and unfair processing of personal information will result in a trust deficit and the need of the hour is a balancing act between an individual’s privacy and public health,”Arya Tripathi, principal associate, PSA and co-author of the framework, said in a statement. 

Tripathi also said that it was important for the government to win public consensus instead of making the application compulsory for certain individuals.

---