As countries around the world rush to build smartphone apps that can help track the spread of Covid-19, privacy advocates have cautioned that those systems could, if implemented badly, result in a dangerous mix of health data and digital surveillance. India’s new contact-tracing app may serve as a lesson in those privacy pitfalls: Security researchers say it could reveal the location of Covid-19 patients not only to government authorities, but to any hacker clever enough to exploit its flaws.
Independent security researcher Baptiste Robert published a blog post today sounding that warning about India’s Health Bridge app, or Aarogya Setu, created by the government’s National Informatics Centre. Robert found that one feature of the app, designed to let users check whether there are infected people nearby, instead allows users to spoof their GPS location and learn how many people reported themselves as infected within any 500-meter radius of their choosing. In areas with relatively sparse reports of infections, Robert says, hackers could even use a so-called triangulation attack, comparing counts from several spoofed positions, to confirm the diagnosis of someone they suspect to be positive.
“The developers of this app didn’t think that someone malicious would be able to intercept its requests and modify them to get information on a specific area,” says Robert, a French researcher known in part for finding security vulnerabilities in the Indian national ID system known as Aadhaar. “With triangulation, you can very closely see who is sick and who is not sick. They honestly didn’t consider this use of the app.”
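The following Python simulation is added here to make the attack described in the preceding two paragraphs concrete; it is not code from Robert’s post or from the app, and the `NearbyCountService` class, its method name, the coordinates and the report positions are all constructed assumptions rather than the app’s real request format or data. It models a server that trusts a client-supplied location and answers with the number of self-reports within 500 meters, then shows how an attacker who can spoof that location confirms whether one suspected person is in the server’s list by comparing counts from points just inside and just outside a 500-meter circle around that person.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
METERS_PER_DEG = math.pi * EARTH_RADIUS_M / 180.0
QUERY_RADIUS_M = 500.0  # radius the app reports counts for, per the article


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def offset(lat, lon, north_m, east_m):
    """Shift a point by metres (local flat-earth approximation, fine at 1 km scale)."""
    return (lat + north_m / METERS_PER_DEG,
            lon + east_m / (METERS_PER_DEG * math.cos(math.radians(lat))))


class NearbyCountService:
    """Hypothetical stand-in for the 'infected people nearby' feature (assumption,
    not the app's API). It trusts whatever location the client sends and answers
    with the number of self-reported infections within QUERY_RADIUS_M of it."""

    def __init__(self, reported_positions):
        self._positions = list(reported_positions)

    def count_nearby(self, lat, lon):
        return sum(1 for plat, plon in self._positions
                   if haversine_m(lat, lon, plat, plon) <= QUERY_RADIUS_M)


def infer_reported(service, target_lat, target_lon, inside_m=480.0, outside_m=520.0):
    """Boundary-differencing ('triangulation') attack.

    For each of four bearings, spoof a position 480 m from the suspected person
    (the 500 m circle still covers them) and one 520 m away (it no longer does).
    The only report that should leave the circle between the two queries is the
    target's, so a drop of exactly 1 on every bearing means the target is in the
    server's list. Another report sitting in the thin 480-520 m sliver would
    contaminate a bearing, which is why this works best in sparsely reported
    areas. Returns (inferred_infected, per_bearing_differences).
    """
    bearings = [(1, 0), (0, 1), (-1, 0), (0, -1)]  # north, east, south, west
    diffs = []
    for n, e in bearings:
        near = offset(target_lat, target_lon, n * inside_m, e * inside_m)
        far = offset(target_lat, target_lon, n * outside_m, e * outside_m)
        diffs.append(service.count_nearby(*near) - service.count_nearby(*far))
    return all(d == 1 for d in diffs), diffs


# Constructed sample data (not real reports): a suspected person in central
# New Delhi and three unrelated self-reports 800 m to 2 km away.
TARGET = (28.6139, 77.2090)
OTHER_REPORTS = [
    offset(*TARGET, 2000.0, 0.0),
    offset(*TARGET, 0.0, 800.0),
    offset(*TARGET, -1200.0, -300.0),
]

if __name__ == "__main__":
    with_target = NearbyCountService(OTHER_REPORTS + [TARGET])
    without_target = NearbyCountService(OTHER_REPORTS)
    print(infer_reported(with_target, *TARGET))     # (True, [1, 1, 1, 1])
    print(infer_reported(without_target, *TARGET))  # (False, [0, 0, 0, 0])
```

Note that on the east bearing the report 800 m east falls inside both the 480 m and the 520 m circles, so it cancels out of the difference; only a report in the sliver between the two circles would disturb the result, and querying on several bearings makes such a coincidence easy to spot. The server-side defences a practitioner would reach for all attack that differencing step: stop trusting client-supplied precise coordinates, snap queries to coarse fixed grid cells, rate-limit queries per account, and suppress counts below a minimum threshold.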
Security researchers like Robert have focused their attention on Aarogya Setu in part because of its sheer scale. The Indian government has declared the contact-tracing app mandatory for many workers, and it has already been downloaded more than 90 million times, according to government officials.