'Open Source Aarogya Setu app': French hacker debunks security theory, calls it surveillance system

By Amritha Mohan. Published on 9 May 2020 6:55 AM GMT

Hyderabad: Puncturing the COVID safety balloon of the government, a top ethical hacker and cybersecurity expert from France has stated that the Aarogya Setu app is basically a surveillance system, and has started trending the hashtag #OpenSourceAarogyaSetu.

Taking to Twitter, the ethical hacker who goes by the moniker Elliot Alderson said that the moment a government forces its citizens to install an app, “it’s probably a good moment to be worried.” In Noida, citizens can be imprisoned for up to 6 months or fined up to Rs 1,000 for not downloading the Aarogya Setu app.

Security issues in Aarogya Setu app

The ethical hacker pointed out several security issues, including a flawed privacy policy. In another article published on Medium, the hacker said access to the app’s internal files is easy for any hacker. “With only one click, an attacker can open any app internal file, including the local database used by the app called fight-covid-db,” he said.

The second issue highlighted by Alderson was that if an attacker modifies their location and sets the radius of contact tracing under 100 km, they will be able to get the data of all those who are infected near them.

For instance, he showed how he had set his location to Mumbai and the radius to 100 km, and got the required information. “Thanks to this endpoint, an attacker can know who is infected anywhere in India, in the area of his choice,” he said.

The hacker said the makers of the app admit that the user can get the data for multiple locations. “It is totally possible to use a different radius than the 5 hardcoded values…they also admit a user can get the data for multiple locations,” Alderson said, referring to a response from Aarogya Setu officials.

Aarogya Setu responded to these claims by asserting that no personal information of any user has been proven to be at risk by this ethical hacker. “We are continuously testing and upgrading our systems. Team Aarogya Setu assured everyone that no data or security breach has been identified,” it said.
