French cybersecurity expert and hacker under the alias “Elliot Alderson” on Twitter claimed on Wednesday, 6 May, that a security vulnerability in the app allows an attacker to “know who is infected, unwell, made a self assessment in the area of his choice.”
Alderson’s claim that the app is exposing sensitive health data of millions of Indian citizens came hours after Electronics & IT Minister Ravi Shankar Prasad and the Aarogya Setu team denied the existence of security issues in the app.
In a sensational claim, Alderson tweeted that he “was able to see if someone was sick at the PMO office or the Indian Parliament. I was able to see if someone was sick in a specific house if I wanted.”
According to the French security expert, “5 people felt unwell at the PMO office, 2 unwell at the Indian Army Headquarters, 1 infected people at the Indian Parliament, 3 infected at the Home Office.”
Alderson, however, has not elaborated on the specific nature of the flaw that has allegedly exposed data and said he will “give a technical explanation” later on Thursday.
IT Minister Prasad & App Team Deny Security Issues
Earlier on Wednesday, before Alderson’s latest claims, Electronics & IT Minister Ravi Shankar Prasad had countered his initial claim that the app has security issues. Prasad told PTI that the contact tracing app is “absolutely robust, safe and secure” in terms of privacy protection and data security.
Earlier on Wednesday, developers of the Aarogya Setu app had also responded to allegations by an ethical hacker regarding security issues in the app. The Aarogya Setu team claims that “no personal information of any users has been proven to be at risk”.
The team acknowledged some of the issues but refused to accept that they pose a security threat in any way.
Prasad also added, "This is a technological invention of India -- Ministry of Electronics and Information Technology, our scientists, NIC, Niti Aayog and some private (entities) -- whereby it is a perfectly accountable platform to help in the fight against COVID-19."
Alderson Claims App Has ‘Security Issues’
On Tuesday evening Alderson claimed on Twitter to have found a “security issue” within the Aarogya Setu app developed by the National Informatics Centre, a part of the Ministry of Electronics and Information Technology of the Indian government.
The hacker alleged that this issue puts the data of 90 million users at risk.
Elliot Alderson is the same researcher who had earlier found flaws in the Aadhaar app and exposed that Aadhaar data was being accessed by third-party websites.
Prasad, however, responded saying, “what is this hangama [fuss] all about? The country has understood its utility and has willingly accepted it.”
A statement by the Aarogya Setu team addresses some of the issues that have been highlighted by the ethical hacker.
The Aarogya Setu team clarified that the app stores location data on secure servers in encrypted and anonymised form.
The team also denied the claim that “users can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script.”
In response to this, they said that “the radius parameters are fixed and can only take one of the few values: 500 meters, 1km, 2km, 5km, and 10km. These values are standard parameters posted with HTTP headers."
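The dispute above turns on where the radius is enforced. A value that is “fixed” in the client and sent as an HTTP header is still chosen by whoever builds the request, so a script is not bound by it; the only control that holds is one applied on the server, and even a server-side allowlist of radii does not by itself stop someone from centring a query on a single building and reading a count of one or two people. The following is an added example, not the Aarogya Setu app’s or NIC’s code, and the user records, coordinates and the MIN_COUNT threshold are constructed for illustration. It contrasts a stats endpoint that trusts the client’s parameters with one that validates the radius server-side and suppresses buckets too small to be safely reported.

```python
import math

# Constructed sample records (hypothetical, not data from the app):
# (latitude, longitude, status). Points are arbitrary and close together.
SAMPLE_USERS = [
    (28.6139, 77.2090, "infected"),
    (28.6140, 77.2091, "unwell"),
    (28.6141, 77.2092, "unwell"),
    (28.6300, 77.2200, "healthy"),
    (28.6500, 77.2500, "infected"),
]

# Radii (metres) the team says the client is limited to; here enforced on the server.
ALLOWED_RADII_M = {500, 1000, 2000, 5000, 10000}

# Minimum number of people in a query area before counts are reported
# (an assumed threshold for this example, not a figure from the app).
MIN_COUNT = 5


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def raw_counts(lat, lon, radius_m, users=SAMPLE_USERS):
    """Count users by status within radius_m of (lat, lon)."""
    counts = {"infected": 0, "unwell": 0, "healthy": 0}
    for ulat, ulon, status in users:
        if haversine_m(lat, lon, ulat, ulon) <= radius_m:
            counts[status] += 1
    return counts


def area_stats_trusting(lat, lon, radius_m, users=SAMPLE_USERS):
    """Weak version: trusts whatever radius and centre the client sent.

    A script can pass radius_m=50 and the coordinates of one building and
    read back the exact status of the few people inside it.
    """
    return raw_counts(lat, lon, radius_m, users)


def area_stats_hardened(lat, lon, radius_m, users=SAMPLE_USERS):
    """Hardened version: validates the radius server-side and refuses to
    return counts for areas containing fewer than MIN_COUNT people, so a
    small area cannot be used to single out individuals."""
    if radius_m not in ALLOWED_RADII_M:
        raise ValueError("radius not permitted")
    counts = raw_counts(lat, lon, radius_m, users)
    if sum(counts.values()) < MIN_COUNT:
        return {"suppressed": True, "infected": None, "unwell": None, "healthy": None}
    return {"suppressed": False, **counts}


if __name__ == "__main__":
    centre = (28.6139, 77.2090)
    print("trusting, 50 m:", area_stats_trusting(*centre, 50))
    print("hardened, 500 m:", area_stats_hardened(*centre, 500))
    print("hardened, 10 km:", area_stats_hardened(*centre, 10000))
```

With the constructed data, the trusting endpoint answers a 50 m query with an exact breakdown of the three people at the centre point, while the hardened one rejects 50 m outright and suppresses the 500 m result because only three people fall inside it; it only reports counts at 10 km, where all five records are aggregated. The suppression threshold is the part that addresses the inference Alderson describes; the radius allowlist alone does not.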
The response by the Aarogya Setu team came after Elliot had tweeted out tagging Aarogya Setu’s official Twitter handle saying “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?”
In the same tweet, he also tagged Congress leader Rahul Gandhi, who just last week had raised data security concerns related to the app. Gandhi had called the app a sophisticated surveillance system.
Gandhi said that it was “outsourced to a pvt operator, with no institutional oversight - raising serious data security & privacy concerns.”
Following Gandhi’s tweet, Alderson decided to dig into the Indian contact tracing app using an Indian mobile number that he had requested on Twitter.
In another tweet, Alderson said that 49 minutes after he had reported the security concern, he was contacted by the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology.
The hacker had also said that he would disclose the flaws publicly if the issue is not fixed within a “reasonable deadline”.
Ever since its release, the Aarogya Setu app has come under severe criticism for privacy and surveillance concerns as well as the lack of audit and transparency. The app is not open source and its source code is not open to scrutiny.