Coronavirus Outbreak: Aarogya Setu team says ‘no user data at risk’ after French hacker raises concerns over ‘security of 90 million Indians’

The official handle of the Aarogya Setu contact-tracing app, developed by the National Informatics Centre (NIC), under the Ministry of Electronics and Information Technology, asserted late on Tuesday that “no personal information of any user has been proven to be at risk”.

The reply from the team came in response to a tweet by Elliot Alderson, a French security researcher, earlier in the day, who claimed: “Hi Aarogya Setu, A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards. PS: Rahul Gandhi was right.”

In a tweet on 2 May, Rahul Gandhi had called the app a “sophisticated surveillance system” and said it raised “serious data security and privacy concerns”. On the same day, Alderson tweeted, “Rahul Gandhi tweeted about the Arogya app. I guess I’m forced to look at it now.”

The French hacker then confirmed that both the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) got in touch with him 49 minutes after his initial tweet flagging the security issue.

Following this, late on Tuesday night, the Aarogya Setu Twitter handle put out an official statement saying the team had been alerted “by an ethical hacker of a potential security issue in the app”, that they had discussed it with him, and that “no personal information of any user has been proven to be at risk”.

The statement said Alderson had pointed out two issues: “the app fetches user location on a few occasions”, and a “user can get the COVID-19 stats displayed on the home screen by changing the radius and latitude-longitude using a script.”

The app’s team clarified that the fetching of a user’s location is “by design”, and it is “stored on the server in a secure, encrypted and anonymised manner.”

Regarding the second issue, the team said the radius parameters on the app “are fixed and can only take one of the five values: 500 m, 1 km, 2 km, 5 km, and 10 km.” It added that the information does not “compromise on any personal or sensitive data”.

Alderson responded to the tweet last night, saying: “Basically, you said ‘nothing to see here’. We will see. I will come back to you tomorrow.”

Read the Rest at FIRSTPOST
