E

lliot Alderson recently claimed in medium.com that he/she (we will call 'he' hereafter, as hackers do not reveal) cracked Aarogya Setu app of India. By doing this, he in fact vouched that the app is safe and secure.

He claimed that "Ability to know who is sick anywhere in India". This is utterly false.

His words in medium.com post is give below.

--> starts here

In the app, you have the ability to know how many people did a self assessment in your area. You can choose the radius of the area. It can be 500m, 1km, 2kms, 5kms or 10kms. When the user is clicking on one of the distance:
- his location is sent: see the lat and lon parameters in the header
- the radius choosen is sent: see the dist parameter in the url and the distance parameter in the header

Because I’m stupid, the 1st thing I tried was to modify the location to see if I was able to get information anywhere in India. The 2nd thing was to modify the radius to 100kms to see if I was able to get info with a radius which is not available in the app. As you can see in the previous screenshot, I set my location to New Delhi and set the radius to 100kms and it worked! What are the consequences?
Thanks to this endpoint an attacker can know who is infected anywhere in India, in the area of his choice. I can know if my neighboor is sick for example. Sounds like a privacy issue for me…

--> ends here

Look at the above carefully. There is a BIG DIFFERENCE between knowing WHO and HOW MANY! Aarogya Setu never tells WHO gets infected. It tells only HOW MANY infected in the area chosen.
Take UBER or OLA. It tells HOW MANY CABS are near you.

A cumulative number over a village or place or district or state is already disclosed in many sites and Government sites, as no one can infer private details from that cumulative number. So, ELLIOT IS WRONG.

The next thing he did is that he mentioned this text in his tweet. PS: @RahulGandhi was right.

This puts Rahul Gandhi in a spot. Since the content claimed by Elliot is factually has no base on security violation, the onus is on Rahul Gandhi to chase Elliot and say that Elliot is wrong. Rahul now has a moral responsibility to bat for India. It is none of Elliot's business to pull Rahul Gandhi on this thing. Elliot did this just to seek attention - a typical syndrome you can see in any child.

Government of India has already given explanation on this. Here is the text.

Full text of Elliot's claim: https://medium.com/@fs0c131y/aarogya-setu-the-story-of-a-failure-3a190a18e34

Posted 
May 7, 2020
 in 
Tech
 category

Nagoji Nagarajan

View Posts
Post Tags:
Technology
Research
Security

More from 

Tech

 category

View All
UPI Reaches 2.23 billion transactions in Dec 2020
3
 min read
Digital India Awards 2020
5
 min read
DRDO unveils advanced hypersonic wind tunnel facility
2
 min read
Elliot Alderson must be praised as he proved that Aarogya Setu is reliable
4
 min read

Join Our Newsletter and Get the Latest
Posts to Your Inbox

No spam ever. Read our Privacy Policy
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.