Why India’s contact tracing app is a privacy nightmare

in Project HOPE5 months ago (edited)

5.png
Image Source

“All human beings have three lives: public, private, and secret.” –Gabriel Garcia Marquez

I woke up today morning to see #OpenSourceAarogyaSetu was trending on twitter. Aarogya Setu is the contact tracing app of the Indian government. It is supposed to help to combat COVID-19 by tracing locations of the affected people. The app is available in Google PlayStore and it has been already downloaded by 90 million people. Government has dictated installation of the app mandatory for all private and government employees. I also received a mail a few days back from my employer to install it without any delay as mandate. In some parts of India, there is scope of imprisonment and monetary penalty if the app isn’t installed in anyone’s mobile phone.

Ethical hacker Robert Baptiste aka Elliot Alderson recently hacked the app and exposed considerable security breaches. He tweeted somedays back, “5 people felt unwell at the PMO office. 2 unwell at the Indian Army Headquarters. 1 infected people at the Indian parliament. 3 infected at the Home Office. Should I continue? Alderson is a reputed ethical hacker. Earlier he exposed security issues of several government services and systems. He attained good fame by exposing the India government’s biometric authentication system Aadhar’s loopholes. Alderson started to analyze Aarogya Setu almost 1 month back and tweeted about some security issues. With 1 command line, it was possible to open any internal file of the app. The makers of the app took notice of the matter and fixed that.
Screenshot_20200507152527_2.png
Tweet of Alderson on 4th April’20 informing first set of issues

Some days back, he made a detailed medium post to declare more security threats. It created ripples in the social media and many users started to delete the app. Political controversy arose and ultimately terrible mud-slinging started between the government and the opposition parties.

Let’s understand how the Aarogya Setu app works. A user registers in the app by his/her mobile number and self-declared health status. The status is anonymously broadcasted along with the user’s GPS location. A user can choose the radius of the area (like - 500m, 1km, 2kms, 5kms or 10kms) and see how many are affected in that area. The endpoint of the app returns a lot of anonymous information. Unlike majority of the contact tracing apps being used in European countries, Aarogya Setu does contact tracing via GPS rather than Bluetooth data alone.
Screenshot_20200507160523_2.png
Screenshot of Aarogya Setu app

Now Alderson was able to modify the location to get information anywhere in India. It has several implications. It is possible to attack the system through triangulation attack in an area where infections are very distributed.
IndiaMap_Untitled1_casey_chin.jpg
Image Source - A sample triangulation attack targeting the Indian Parliament

Triangulation is a trigonometric method of determining the position of a fixed point from some angles. It is a method of surveying. The same method can be used by the attackers to find out the number of infected people in a particular area with high precision. Not getting my point? Let me be very particular. If I know my Prime Minister’s GPS location, I can confirm the diagnosis of my Prime Minister through triangulation attack. A terribly flawed implementation of contact tracing system has exposed the entire population of possible leakage of sensitive medical information.

India government has denied any such vulnerability in the contact tracing app. NIC, the government agency behind the app, accepted that, "The user can change the latitude/longitude to get the data for multiple locations” but they also said that the GPS spoofing was a feature and not a bug ! Yes, triangulation attack has some limitations but privacy violation scope of the whole Indian population for the sake of public health has been exposed. Similar privacy and security breach issues are being found with contact tracing apps of some other countries also. Apple and Google recently stated they would ban GPS tracking and develop a new contact tracing system. Mark Twain once said, “Loyalty to the nation all the time, loyalty to the government when it deserves it”. We’ve surrendered our loyalty to the government due to the pandemic but it is high time that the government builds apps keeping in mind privacy and security.

Sort:  

@tipu curate

Upvoted 👌 (Mana: 12/30)

Mark Twain once said, “Loyalty to the nation all the time, loyalty to the government when it deserves it”. We’ve surrendered our loyalty to the government due to the pandemic but it is high time that the government builds apps keeping in mind privacy and security.

Actually privacy and security is the main thing. if i talk about me i have never installed it and the next day i seen that trend.

Haha...But I had to as it was made mandatory by my employer as per govt. Notice

I am really happy that they decided not to use the app here in Belgium 😧

Thank god

I agree with you but the government has announced that they will not disclose any information.

A hacker doesn't need the permission of the government to hack the system and dump the data.

Correct high security can prevent. There is no any app which is not accessing our location and information.

Thanks for your attention. :) GPS spoofing is the basis of a triangulation attack. Normally no app, which has access to your GPS location, allows you to spoof your GPS coordinates. This app allows. GPS spoofing can't be a feature. It is a vulnerability.

The below mentioned is the proof that the app allows GPS spoofing. This is from the makers. They are so dumb that they call it a feature.
mq6knu.jpg

Thanks a lot for sharing this information @paragism, it was very interesting to read about these security risks with this particular app, though I do suppose that many apps from other countries that also tracks Corona cases is in danger of getting hacked too, keep up your great work, it's awesome.



Made in Canva


This post is AWESOME!

Therefore it has been manually upvoted with 100% and reblogged by @thisisawesome, I manually upvote and reblog 1 post per day for the Awesome Daily Spotlight, and I also promote that post on Twitter, and it will be included as the Awesome Daily Spotlight in the Awesome Daily Curation post of today, and it will also be featured in the Awesome Weekly Spotlight that is posted on Mondays.

The goal of this project is to "highlight Awesome Content, and growing the Hive ecosystem by rewarding it".


Source

Many thanks

Thanks @paragism, and stay awesome.