Robert Baptiste, a French cybersecurity analyst who goes by the pseudonym ‘Elliot Alderson’ on Twitter, stated on Wednesday that he could access details of Corona-infected persons through the government-mandated Aarogya Setu app.
A remote attacker could know “who is infected, unwell, make a self-assessment in the area of his (attacker’s) choice,” Baptiste wrote on Twitter.
Even with the most advanced version of the Covid-19 contact tracing app, Baptiste said he was able to see “if someone was sick at the PMO office or the Indian Parliament.” The makers of Aarogya Setu had circulated a statement in response, dismissing Baptiste’s earlier claims.
Baptiste claimed that he could access details of positive cases at a location of his choice. He did not give any proof in this regard, but promised a full article about the alleged security flaws.
An earlier statement published by the makers of the app said that a user could get data for different places by changing the latitude/longitude, data which is available anyway. The makers, however, insisted that the bulk collection of this data was not probable as “the API call is behind a Web Application Firewall.” The official report released by Aarogya Setu said, “no personal data of any user has been confirmed to be at risk by the French ethical hacker.”
There has been a significant debate on the use of contact tracing apps by governments, Eivor Oborn, Professor of Healthcare Management at Warwick Business School, UK, told India Today. “I think a real breach is made if the professionals are forced to use the app, and they are not permitted to discontinue the monitoring after the threshold of the pandemic is over; this to me is a bigger concern.”
Oborn added that in a democratic country like India, citizens should have clarity regarding what data is being used, and when and how. “I think it is good for the governments concerned to show profits that accrue from data use tangibly,” Prof Oborn stressed. Independent specialists and privacy rights groups have been advocating that the source code of the contact tracing app should be made public.
“India is the only democracy which has made the use of contact tracing app necessary, so steps should be taken to make the codebase of the app open source, and users should be provided with the option to delete their data, even from the servers,” Prasanth Sugathan, legal director of Software Freedom Law Center, told India Today.
The government’s chief scientific advisor, Prof K VijayRaghavan, has told India Today that the source code of the app would be made public very soon. French ethical hacker Baptiste has been in the news for consistently pointing out security defects with India’s Aadhaar system. Source: India Today.