Hacker Says Security Flaw Found In Aarogya Setu App; Govt. Denies
A prominent French security researcher and ethical hacker, Baptiste Robert, yesterday claimed he had discovered a security issue in India’s Aarogya Setu app that could jeopardize the medical data of 90 million Indians.
Hi @SetuAarogya,
A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?
Regards,
PS: @RahulGandhi was right
— Baptiste Robert (@fs0c131y) May 5, 2020
Aarogya Setu is the country’s official contact-tracing app to curb the spread of COVID-19. More than 90 million Indians have downloaded the app. It’s a Bluetooth and GPS-based system that alerts users if they might have come into contact with a coronavirus-positive patient.
Robert, who goes by the name Elliot Alderson on Twitter, later claimed he had disclosed the security issue to the concerned ministry after they contacted him.
49 minutes after this tweet, @IndianCERT and @NICMeity contacted me. Issue has been disclosed to them.
— Baptiste Robert (@fs0c131y) May 5, 2020
Meanwhile, Aarogya Setu app officials have denied any security issues with the app. “No personal information of any user has been proven to be at risk by this ethical hacker,” a statement said.
However, the app developers confirmed the allegations of the app storing the location of the users. The statement mentions: “It is by design and clearly detailed in our privacy policy…We fetch the user’s location and store it on the server in a secure, encrypted, anonymous manner.”
Elliot appeared unimpressed by the Aarogya Setu team’s response. In a tweet, he said that he would come up with new information today.
Basically, you said "nothing to see here"
We will see.
I will come back to you tomorrow. https://t.co/QWm0XVgi3B
— Baptiste Robert (@fs0c131y) May 5, 2020
This is not the first time the French hacker has come face to face with the Indian government. Elliot had previously disclosed flaws in the Aadhaar app, which eventually led to the report that full Aadhaar details were being sold for a mere Rs 500 (~ $6) by anonymous sellers.
The Narendra Modi-led government has been actively pushing millions into downloading the Aarogya Setu app. The government recently made it compulsory for private and public sector employees to download the app and has asked for punishment if a person fails to comply with the order. In one town in the Indian state of Uttar Pradesh, a person could even be jailed for not installing the app on their smartphone.
The government’s authoritative approach and its stubbornness in hiding the framework of the app have attracted concerns from privacy experts and civil rights advocates.