Techie hacks into Covid-19 contact-tracing app over personal privacy concerns, highlights massive security flaws
As coronavirus cases across the world began to spiral out of control, countries rushed to develop apps that could assist in tracking the number of infections. However, privacy advocates have warned that, if implemented poorly, such a nationwide system for tracing Covid-19 cases could compromise people's privacy and health data through digital monitoring.
India's new contact-tracing app, Aarogya Setu, has reportedly violated privacy benchmarks. Days after the application was released to the general public in early April, it had been installed by nearly 100 million Indians, on about a fifth of the country's smartphones, according to the nation's IT Ministry. Security analysts from around the world have said time and again that the application could reveal the location of a Covid-19 patient, not only to government officials but to any hacker clever enough to navigate their way through it. Furthermore, they said that without a privacy law in place, the app could be used as a tool for public surveillance even after the pandemic subsides, because it has prolonged access to the Bluetooth and location data on a person's smartphone.
At first, many people felt it mandatory to install Aarogya Setu, despite the fears surrounding its privacy policies. In April, the prominent food-delivery apps made it compulsory for workers to install the app. Last week, the police in Noida, a city on the outskirts of the Indian capital New Delhi, ordered residents to install the app or face jail time for not doing so. This, in turn, fuelled federal mandates that called for government and private-sector employees to download the app. It seems that, from now on, Indians may need the app if they want to board trains, flights or other public transport, to work for food-delivery companies, or to visit a pharmacy.
So a software engineer from Bangalore, India's tech hub, who was worried about his privacy and didn't want to be forced into installing the app, simply hacked into it. According to Buzzfeed India, the software engineer, who asked that his identity be kept anonymous, hacked into the app's code to circumvent the registration page where people were asked to provide their cellphone numbers in order to sign up.
With a little more effort, he broke through the page that requested personal information like name, age, gender, travel history and Covid-19 symptoms for registration, and stripped out the intrusive permissions that requested Bluetooth and GPS access at all times. It was a four-hour endeavor, after which the app was a shell of what it had been, with no means of collecting data, yet it still flashed the green badge declaring the user low-risk.
“I didn’t like the fact that installing this app is slowly becoming mandatory in India,” the hacker said to Buzzfeed India. “So I kept thinking of what I could personally do to avoid putting it on my phone.”
“I’m rebelling against the mandatory nature of this app,” he added. “I don’t want to share my location 24/7 with the government.” He compared the Indian contact-tracing app to the one that Google and Apple were collaborating on, stressing that the two software giants did not plan on storing personal information on consolidated servers. “If I was coding this app, I would have chosen to keep data points to a minimum,” he told the media outlet. “If I have your location information for a month, I can gauge a lot of things about your life.”
On May 6, Robert Baptiste, a French ethical hacker who goes by the name Elliot Alderson on Twitter, revealed serious security flaws in Aarogya Setu in an article he wrote on the subject. Following his revelation, the Indian government, through the app's official handle, tweeted a statement denying that the flaws were red flags and terming them "amateurish hacks".
However, it is crucial to note that the Indian government doesn't exactly have a great track record when it comes to privacy in its systems. The most convenient example is the biometric identification system called Aadhaar, which the government introduced a decade ago. It stored the fingerprints and retina scans of 1.3 billion citizens in a single database. It started out as voluntary and then became mandatory, to the point that you needed an Aadhaar to buy a new SIM card or file your taxes. That system, too, was flawed, because it left the personal details of all these citizens, such as bank account numbers and addresses, exposed to hackers.
In 2018, a controversy over Aadhaar's security showed that it had severe flaws. RS Sharma, the chairman of the Telecom Regulatory Authority of India, dared hackers to prove these flaws and published his own Aadhaar number in the public domain. Hackers promptly deposited 1 rupee into his bank account using that information, plainly demonstrating the flaws.
“My concern is that just like with Aadhaar, soon you won’t be able to go to a restaurant or a movie theater without the Aarogya Setu app installed,” said the hacker to Buzzfeed India. “Even if the government doesn’t make it mandatory, cinema owners are going to impose it on you. That’s the kind of culture we have.”
In a move to placate these privacy concerns, on May 11 the Indian government issued a set of regulations giving insight into how the app collects and uses data. Among other rules, it said that the data collected through the app will remain confidential and will only be used for Covid-19-related or research purposes, though the details remain unclear. Furthermore, the government is working on introducing new features for the app alongside contact tracing, such as telemedicine and e-passes that states can issue to people so they can move about freely when the national lockdown is lifted.