French Hacker Claims Bug In Aarogya Setu App Allows Him To Know Who Is COVID-19 Positive Even in PMO, Army HQ

by Darshit Singh 3 years ago

In a blog post written on Medium, Robert, who grabbed eyeballs in India for his Aadhaar expose, claims that due to a feature of the app he was able to identify the people infected by COVID-19 inside the PMO, Parliament, and even inside the Indian Army Headquarters.

As millions remain inside their homes in India due to fears of the novel coronavirus and physical contact tracing becomes a daunting task, the Indian Government launched the COVID-19 contact tracing app, Aarogya Setu, on April 2. The app enables citizens to track potential coronavirus carriers nearby and alert the authorities in case a person tests positive.

The app has come under heavy fire for the last few days due to privacy concerns, and the Government's challenges have proliferated after a notable ethical hacker, Robert Baptiste, who goes by the pseudonym Elliot Alderson on Twitter, unveiled vulnerabilities in the app which could infringe upon a user's privacy.


In a blog post written on Medium, Robert, who grabbed eyeballs in India for his Aadhaar expose, claims that due to a feature of the app he was able to identify the people infected by COVID-19 inside the PMO, Parliament, and even inside the Indian Army Headquarters.

In a slew of recommendations, he asked the GoI to make the source code of the app open-source, a demand reiterated by many privacy advocates throughout the country. Singapore, Israel and Iceland are a handful of countries that have made their contact tracing apps' source code open to public view, making it easier for security experts to scrutinise the apps and find bugs.

“No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” the Aarogya Setu team said in its response on May 6.

Another startling part of the app’s terms and conditions states that the user “agrees and acknowledges that the Government of India will not be liable for…any unauthorized access to your information or modification thereof,” which goes against the provisions of the IT Act and the proposed Personal Data Protection Bill, experts point out. 

The app has been downloaded by 90 million Indians after the Government made it mandatory for all central employees. It was launched as a voluntary measure but is now almost mandatory, after private companies and several state governments were directed to make sure their employees install it. In Noida, authorities went further and made venturing out without the app punishable by six months in jail and a fine of up to Rs 1000.

Many specialists say there is an immediate need to scrutinise the app, as the plethora of health and private data collected from millions of Indian citizens could later be left exposed on the internet if robust safeguards are not put in place at the right time.
