Aarogya Setu app vulnerabilities

Aarogya Setu, the Government of India's (GoI) mobile application for COVID-19 contact tracing and information dissemination, is vulnerable to attacks.

A French security researcher known as Elliot Alderson has discovered multiple vulnerabilities in the app.

On April 3rd, he showed how an attacker was able to read the content of any internal file of the app, including the local database.

Additionally, as of 06.06.20, the security researcher discovered that an attacker would be able to find out who is infected, unwell, or has made a self-assessment in an area of his choice.

This means it is possible for an attacker to check whether someone was sick at the PMO office or the Indian parliament, or even whether a person was ill in a specific house.

Elliot Alderson disclosed he could verify that:

  • 5 people felt unwell at the PMO office
  • 2 sick at the Indian Army Headquarters
  • 1 infected person at the Indian parliament
  • 3 infected at the Home Office

After tweeting about the vulnerability, the security researcher was contacted by the Indian Computer Emergency Response Team (@IndianCERT) and the National Informatics Centre (NIC) of India (@NICMeity).

The Aarogya Setu team responded with a statement that downplayed the findings.

In response, Elliot Alderson published the details of his findings in a blog post. He also announced that, even though the issues were dismissed in the statement, the bugs have now been fixed.

COVID-19 tracing apps have the potential to put technology to a useful purpose. If done right and used by a large part of a country's population, they can help reduce the spread of the virus.

At the same time, they can also be a privacy nightmare if they do not provide sufficient security controls and transparency.

Edited on 07.05.2020 to add Elliot Alderson's blog post and response.