Hyderabad: Puncturing the COVID safety balloon of the government, a top ethical hacker and cybersecurity expert from France has stated that the Aarogya Setu app is basically a surveillance system, and has started trending the hashtag #OpenSourceAarogyaSetu.
Taking to Twitter, the ethical hacker who goes by the moniker Elliot Alderson said that the moment a government forces its citizens to install an app, “it’s probably a good moment to be worried.” In Noida, citizens can be imprisoned up to 6 months or fined up to Rs 1,000 for not downloading the Aarogya Setu app.
Security issues in Aarogya Setu app
The second issue that was highlighted by Alderson was that if an attacker modifies their location and sets the radius of contact tracing under 100 km, they will be able to get the data of all those who are infected near them.
A mobile application that sends your GPS coordinates regularly to a server owned by a government is a surveillance system. #AarogyaSetu is a surveillance system
— Elliot Alderson (@fs0c131y) May 8, 2020
For instance, he shows how he had set his location to Mumbai and set the radius to 100 km, and got the required information. “Thanks to this endpoint, an attacker can know who is infected anywhere in India, in the area of his choice,” he said.
The hacker said the makers of the app admit that the user can get the data for multiple locations. “It is totally possible to use a different radius than the 5 hardcoded values…they also admit a user can get the data for multiple locations,” Alderson said, referring to a response from Aarogya Setu officials.
Aarogya Setu responded to these claims by asserting that no personal information of any user has been proven to be at risk by this ethical hacker. “We are continuously testing and upgrading our systems. Team Aarogya Setu assured everyone that no data or security breach has been identified,” it said.