“All human beings have three lives: public, private, and secret.” –Gabriel Garcia Marquez
I woke up this morning to see #OpenSourceAarogyaSetu trending on Twitter. Aarogya Setu is the contact tracing app of the Indian government. It is supposed to help combat COVID-19 by tracing the locations of affected people. The app is available on the Google Play Store and has already been downloaded by 90 million people. The government has made installation of the app mandatory for all private and government employees. I also received a mail a few days back from my employer to install it without any delay, as a mandate. In some parts of India, there is scope for imprisonment and a monetary penalty if the app is not installed on one’s mobile phone.
Ethical hacker Robert Baptiste, aka Elliot Alderson, recently hacked the app and exposed considerable security breaches. He tweeted some days back, “5 people felt unwell at the PMO office. 2 unwell at the Indian Army Headquarters. 1 infected people at the Indian parliament. 3 infected at the Home Office. Should I continue?” Alderson is a reputed ethical hacker. Earlier he exposed security issues in several government services and systems. He attained considerable fame by exposing loopholes in the Indian government’s biometric authentication system, Aadhaar. Alderson started to analyze Aarogya Setu almost a month back and tweeted about some security issues. With a single command line, it was possible to open any internal file of the app. The makers of the app took notice of the matter and fixed it.
Tweet by Alderson on 4 April 2020 reporting the first set of issues
Some days back, he published a detailed Medium post declaring more security threats. It created ripples on social media, and many users started to delete the app. Political controversy arose, and ultimately terrible mud-slinging started between the government and the opposition parties.
Let’s understand how the Aarogya Setu app works. A user registers in the app with a mobile number and a self-declared health status. The status is broadcast anonymously along with the user’s GPS location. A user can choose the radius of an area (500 m, 1 km, 2 km, 5 km or 10 km) and see how many people in that area are affected. The app’s endpoint returns a lot of anonymous information. Unlike the majority of the contact tracing apps used in European countries, Aarogya Setu does contact tracing via GPS rather than Bluetooth data alone.
Screenshot of Aarogya Setu app
Alderson was able to modify the location and get this information for anywhere in India. This has several implications. It makes it possible to attack the system through a triangulation attack in an area where infections are sparsely distributed.
Image Source - A sample triangulation attack targeting the Indian Parliament
Triangulation is a trigonometric method of determining the position of a point from angles measured at known points; it is a surveying method. The same idea can be used by an attacker to find out the number of infected people in a particular area with high precision. Not getting my point? Let me be very particular. If I know my Prime Minister’s GPS location, I can confirm my Prime Minister’s diagnosis through a triangulation attack. A terribly flawed implementation of the contact tracing system has exposed the entire population to possible leakage of sensitive medical information.
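As an added illustration (not code from the app or from Alderson’s analysis), the following Python models a proximity-count endpoint of the kind described above: the naive version answers exactly for any centre and radius, so two queries a few hundred metres apart can be differenced down to one person’s status, while the hardened version snaps the centre to a coarse grid, accepts only the app’s fixed radii, suppresses small counts and reports buckets. The grid size, the threshold of 5, the bucket width and all coordinates are constructed assumptions.

```python
"""Toy model of a 'how many infected within radius R of (lat, lon)' endpoint,
a naive version beside a hardened one, with a regression check that asks
whether nudging the query centre changes the answer (the differencing leak)."""
import math

# Constructed sample data (made-up coordinates): (lat, lon, infected)
USERS = [
    (28.6170, 77.2090, True),   # an isolated case, the only one in its neighbourhood
    (28.6500, 77.2500, True), (28.6505, 77.2505, True), (28.6510, 77.2510, True),
    (28.6515, 77.2515, True), (28.6520, 77.2520, True), (28.6525, 77.2525, True),
    (28.6530, 77.2530, False),
]
ALLOWED_RADII_M = (500, 1000, 2000, 5000, 10000)  # the radii the app offers
GRID_DEG = 0.01   # assumption: centres are snapped to ~1.1 km cells
K_MIN = 5         # assumption: counts below this are suppressed
BUCKET = 5        # assumption: counts are reported rounded down to a multiple of 5

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def exact_count(lat, lon, radius_m, users=USERS):
    return sum(1 for ulat, ulon, inf in users
               if inf and haversine_m(lat, lon, ulat, ulon) <= radius_m)

def naive_endpoint(lat, lon, radius_m):
    """Vulnerable: any centre, any radius, exact count returned."""
    return exact_count(lat, lon, radius_m)

def snap_to_grid(lat, lon):
    """Move the query centre to the centre of its grid cell."""
    return ((math.floor(lat / GRID_DEG) + 0.5) * GRID_DEG,
            (math.floor(lon / GRID_DEG) + 0.5) * GRID_DEG)

def hardened_endpoint(lat, lon, radius_m):
    """Coarse centre, fixed radii, small counts suppressed, bucketed output."""
    if radius_m not in ALLOWED_RADII_M:
        raise ValueError("unsupported radius")
    glat, glon = snap_to_grid(lat, lon)
    n = exact_count(glat, glon, radius_m)
    if n < K_MIN:
        return f"fewer than {K_MIN}"
    return f"{(n // BUCKET) * BUCKET}+"

def answer_changes_when_centre_moves(endpoint, lat, lon, radius_m, shift_deg=0.006):
    """Privacy regression check: does a ~670 m northward nudge change the answer?"""
    return endpoint(lat, lon, radius_m) != endpoint(lat + shift_deg, lon, radius_m)
```

Thresholding and bucketing remove single-query differencing but not every inference from many queries; per-account rate limiting and calibrated noise on the counts are the complementary server-side controls.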
The Indian government has denied any such vulnerability in the contact tracing app. NIC, the government agency behind the app, accepted that “The user can change the latitude/longitude to get the data for multiple locations”, but also said that the GPS spoofing was a feature and not a bug! Yes, the triangulation attack has some limitations, but the scope for privacy violation of the whole Indian population for the sake of public health has been exposed. Similar privacy and security breach issues are being found with the contact tracing apps of some other countries as well. Apple and Google recently stated they would ban GPS tracking and develop a new contact tracing system. Mark Twain once said, “Loyalty to the nation all the time, loyalty to the government when it deserves it”. We have surrendered our loyalty to the government due to the pandemic, but it is high time that the government builds apps with privacy and security in mind.