Exposing the IMAGINARY Aarogya Setu security issues raised by Elliot Alderson @fs0c131y

Nidhish Pandya
13 min read · May 9, 2020


Hello everyone, I hope you're safe and healthy. It's been a while since an issue like this came up. Today we're not going to talk about cyber-security from a broad perspective; this is probably the first time in the history of mankind that someone has written a novel about an "out of scope" bug.

This blog is about one of the more sensational privacy scares around Aarogya Setu, a mobile contact-tracing application released by the National Informatics Centre (NIC), which comes under the Ministry of Electronics and Information Technology (MeitY), to fight COVID-19.

The Aarogya Setu app was designed by MyGovIndia with the objective of collecting data on people's location and cross-referencing it with the Indian Council of Medical Research's database of COVID-19 tests, so that a user can be warned if an infected person is in the vicinity.

Elliot is a bit like the Google search you do when you feel a headache coming on: it always exaggerates and leaves you worried that it is "cancer". But let's not forget that he has posted a bunch of valid bug reports before, and reported them responsibly, even if most of those were not his own findings but were sent to him by his followers. Let's set that aside; I couldn't find a better way to introduce my boi. :)

About a month after the app's release, a Twitter user who goes by the handle "Elliot Alderson" (Robert Baptiste), aka fs0c131y, raised an issue, stating as follows:

Right after we saw this we were shocked too, wondering what kind of vulnerabilities he could have found, because if this application really put 90 million Indians' privacy at stake it would of course be a very big issue (of course, LeM🅱️iC). So we waited patiently to see what he was going to release.

The next day the Government of India released an advisory addressing the security and privacy concerns we all had, which goes as follows:

According to this advisory there is nothing as such to worry about. Right after this, Robert released a (so-called) PoC, which is what made everyone go crazy. So I, together with Sriram, virtualgh0st, Kunwar_Atul and Sunny Nehra, decided to write about this.

After this, his ego got bruised and he had to write a tweet. Subtle flex, but OK, because he's a "French security researcher".

Later he limited replies to his tweets too :P

Triangulation Part.

Source: gps.gov.

Triangulation = working with angles.

Trilateration = working with distances and their spatial correlations.

Mate, wtf? GPS doesn't involve any angles, so you don't do triangulation, you do trilateration: the receiver measures its distance to several satellites and solves for the one point that fits all of those distances. With GPS you already have coordinates, mate. If you're talking about pinpointing a patient, you would need a few reference points around their location or access to their cell network; otherwise you cannot triangulate either. And GPS by itself isn't that precise; a lot of factors affect its accuracy. For more details, check https://www.gps.gov/systems/gps/performance/accuracy

Also, mobile devices use A-GPS (assisted GPS), in case you didn't learn that in school 😛
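As an added illustration of the distinction above (this is example code written for this post, not anything from Aarogya Setu or from Robert's write-up), here is 2-D trilateration from three anchors with known positions and measured distances. Note what the inputs are: several known reference points and a range to each of them. A single pair of coordinates, which is what the app reports, is not an input to this at all. Real GPS does the same thing in three dimensions with satellites as the anchors and a fourth range to cancel the receiver's clock error. The anchor positions and ranges in main are constructed sample values.

```java
// Added example (not from the original post): 2-D trilateration, the
// distance-based geometry a GPS receiver actually uses (GPS does it in 3-D with
// satellites as the anchors and a fourth range to cancel the receiver clock error).
public final class Trilateration {

    /**
     * Solve for the point whose distances to three known anchors are ranges[0..2].
     * Subtracting the circle equation of anchor 1 from those of anchors 2 and 3
     * removes the quadratic terms and leaves two linear equations in (x, y).
     */
    public static double[] locate(double[][] anchors, double[] ranges) {
        if (anchors.length != 3 || ranges.length != 3) {
            throw new IllegalArgumentException("need exactly three anchors and three ranges");
        }
        double x1 = anchors[0][0], y1 = anchors[0][1], r1 = ranges[0];
        double x2 = anchors[1][0], y2 = anchors[1][1], r2 = ranges[1];
        double x3 = anchors[2][0], y3 = anchors[2][1], r3 = ranges[2];

        // a*x + b*y = c  (anchor 2 minus anchor 1)
        double a = 2 * (x2 - x1), b = 2 * (y2 - y1);
        double c = r1 * r1 - r2 * r2 - x1 * x1 + x2 * x2 - y1 * y1 + y2 * y2;
        // d*x + e*y = f  (anchor 3 minus anchor 1)
        double d = 2 * (x3 - x1), e = 2 * (y3 - y1);
        double f = r1 * r1 - r3 * r3 - x1 * x1 + x3 * x3 - y1 * y1 + y3 * y3;

        double det = a * e - b * d;
        if (Math.abs(det) < 1e-9) {
            throw new IllegalArgumentException("anchors are collinear; no unique fix");
        }
        return new double[] { (c * e - b * f) / det, (a * f - c * d) / det };
    }

    /** Residual check: the largest gap between a measured range and the solved point. */
    public static double maxRangeError(double[][] anchors, double[] ranges, double[] fix) {
        double worst = 0;
        for (int i = 0; i < anchors.length; i++) {
            double dist = Math.hypot(fix[0] - anchors[i][0], fix[1] - anchors[i][1]);
            worst = Math.max(worst, Math.abs(dist - ranges[i]));
        }
        return worst;
    }

    public static void main(String[] args) {
        // Constructed sample: three anchors and the exact distances from the point (3, 4).
        double[][] anchors = { { 0, 0 }, { 10, 0 }, { 0, 10 } };
        double[] ranges = { 5.0, Math.sqrt(65), Math.sqrt(45) };
        double[] fix = locate(anchors, ranges);
        System.out.printf("fix = (%.3f, %.3f)%n", fix[0], fix[1]);

        // Perturb one range by 0.5 units: the fix drifts, and the residual shows the inconsistency,
        // which is the kind of error budget the gps.gov accuracy page is about.
        double[] noisy = { 5.5, Math.sqrt(65), Math.sqrt(45) };
        double[] noisyFix = locate(anchors, noisy);
        System.out.printf("noisy fix = (%.3f, %.3f), worst residual = %.3f%n",
                noisyFix[0], noisyFix[1], maxRangeError(anchors, noisy, noisyFix));
    }
}
```

The exact-range run recovers the constructed point; the perturbed run shows that a single bad range moves the fix and that the residual exposes it. Collinear anchors give no unique solution, which is why the solver refuses them rather than returning garbage.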

PS: Rahul Gandhi was wrong! FFS. 😉

Now the main part: his blog, which went viral. Let's break it down.

Some time after that he published this blog. I read it and then decided not to read anything more; the hypotheses his followers started coming up with were a whole different level of enlightenment.

Source: Internet.

The privacy violation part mentioned in his blog

Now let's look into the privacy violation he was talking about the whole day (the one Rahul Gandhi was also "right" about).

Later he exposed his own boi, which is a different story you can read via the link below.

After reading the blog, there is nothing in it that violates anyone's privacy, and what he describes cannot even be considered a vulnerability (maybe an informational finding). Also, after reading the Aarogya Setu privacy policy, I found that they were very clear about what is collected and had spelled it out as follows:

The following information is stored on a server maintained by the Government of India: (i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; and (vi) countries visited in the last 30 days. This information is stored on the server hashed with a unique digital id (DiD), and none of it is obtainable by following his findings on this application. When two registered users come within Bluetooth range of each other, their apps automatically exchange DiDs and record the time and GPS location at which the contact took place. Your location is collected every 15 minutes.

For more details, check https://web.swaraksha.gov.in/ncv19/privacy/

After all this, you must have concluded that his report was nothing but pure BS and that it doesn't violate anyone's privacy. So many security researchers started trolling him.

Because we totally believe in real research. Not to forget, Indian security researchers are number one in bug bounty (responsible disclosure), and of course if this had been a proper vulnerability we would have trolled the developers too. Shipping an application with zero bugs is impossible, but how fast you react to the ones you have still matters.

Also, Google and Apple have come up with a contact tracing solution of their own.

Comparison of applications we use in Daily life vs Aarogya Setu

Comparison between normal apps and Aarogya Setu. For a better understanding, think of the cab drivers as patients and the rider as you (your current location).

Check this link to know more about how Google and Apple are working on this issue: https://www.androidpolice.com/2020/05/07/apple-and-google-are-working-together-to-fight-coronavirus-with-a-new-contact-tracing-tool/

Privacy

Before we get into this, let's talk about privacy. According to Wikipedia,

“Internet privacy involves the right or mandate of personal privacy concerning the storing, repurposing, provision to third parties, and displaying information pertaining to oneself via the Internet.[1][2] Internet privacy is a subset of data privacy. Privacy concerns have been articulated from the beginnings of large-scale computer sharing.[3]

Abhishek Singh, CEO of MyGovIndia, the organization which developed the application, told The Print that the Government of India will use the users’ data only for certain critical purposes such as medical emergencies and that the data will not be used for any other work. “The app will not reveal anyone’s personal details. Information of any Covid-19 patient will not be shared with anyone. The user’s data in the app is completely secure. In the case of normal people, we delete the data from the server after 30 days. In the case of a corona-infected patient, the limit to remove the data is 60 days.”

Let's look at the technical analysis of his findings. We'll break down the security issues he mentioned in his article one by one and look at the technicalities of each:

1. Access to app internal files

First of all, he decompiled the application (it was at version 1.0.1 at the time) and opened the AndroidManifest.xml file, where he saw an activity called WebViewActivity. (This activity uses the WebView framework, which is used to show a web page inside an Android application.) For example:

Android Manifest

According to him the WebView was acting weird in this case. Here is the decompiled code:

public void onPageStarted(WebView webView, String str, Bitmap bitmap) {
    boolean z;
    if (str.startsWith("tel:")) {
        // tel: links are handed to the dialer (used for the helpline numbers in the app)
        WebViewActivity.this.startActivity(new Intent("android.intent.action.DIAL", Uri.parse(str)));
    } else if (!str.startsWith("http:") && !str.startsWith("https:")) {
        // any other scheme, file: included, lands here and nothing rejects it;
        // onPageStarted is only a notification and cannot cancel the load anyway
    } else {
        if (!n.b.e(WebViewActivity.this)) {   // obfuscated helper from the decompiled app
            WebViewActivity.this.d(str);
            return;
        }
        // rest of the decompiled method not shown in the post
    }
}

In this code you can see a method named onPageStarted that checks whether the URL string starts with "tel:"; if it does, it opens the dialer application on your phone, which is obviously a function implemented to call the helpline numbers listed in the app for your location.

But this is where he says there is no host validation (and there isn't, OK). So he tried to open one of the app's own files, FightCorona_prefs.xml, from the shared_prefs folder. (shared_prefs usually contains API keys, credentials and the like; in this application's case all it held was the JWT token of the user who lent Robert his mobile number to register on the application, which Robert himself exposed in one of his tweets.) This is indeed an issue, but not the one he made it out to be. The class of bug is the WebView file access attack, in which an insecure WebView is used to read other files on the device. The twist is that the WebView runs with the app's own permissions, so it can only read what the app itself can read: its private directory, and shared storage only if the app holds the storage permission, which has been enforced since Android 4.4 (KitKat). Aarogya Setu only asks for location and Bluetooth, so he could not reach anything beyond the application's own files, which makes the impact minor and nothing like what he claimed.

He used this adb (Android Debug Bridge) command to read that file:

adb shell am start -n nic.goi.aarogyasetu/.views.WebViewActivity -d "file:////data/data/nic.goi.aarogyasetu/shared_prefs/FightCorona_prefs.xml"

With the same command he showed that he could open a Twitter URL in the WebView, in a video he posted on Twitter claiming that "with 1 click" an attacker can open the app's internal files, including its local database. (Keep in mind that the local database differs per user; it is not the same on every device.) How this affects 90 million people's privacy we could not understand. Looking at the proof of concept, to open the internal files of one Aarogya Setu user the attacker has to have that user's device physically in hand, with USB debugging enabled, to run the adb command (in his own setup the device was rooted as well). For 90 million users that means 90 million devices in hand. Does this even make sense? Please, someone, enlighten us on how this affects the privacy of Aarogya Setu users. We don't think hacking 90 million Android devices is that easy, and even if those people were hacked, that wouldn't make this application responsible. Nothing here happens remotely; everything happens locally (in this case on his own device). That's cute, isn't it?
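For comparison, here is how a WebView screen like this is normally locked down. This is an added example written for this post, not Aarogya Setu's code, and the allowlisted host is a placeholder. Two things differ from the decompiled onPageStarted shown above: onPageStarted is only a notification, fired after navigation has begun, and cannot stop a load, whereas shouldOverrideUrlLoading runs before navigation and can veto it; and file access is switched off in WebSettings, so a file:// URL fails even if a check is missed. The URL handed in via intent data (the -d argument in the adb command) is validated before the first loadUrl rather than after the page has started.

```java
// Added example (not the app's code): a WebView activity that validates the URL
// it is handed before loading anything, and turns off file:// access entirely.
// The host allowlist is a placeholder; the real app's hosts are not shown in the post.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class HardenedWebViewActivity extends Activity {

    // Hypothetical allowlist of hosts this screen may show.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("covid.example.gov.in"));

    /** Only https to an allowlisted host passes; file:, content:, http: and javascript: all fail. */
    static boolean isAllowed(Uri uri) {
        if (uri == null || uri.getScheme() == null || uri.getHost() == null) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        return ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);

        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);              // no file:// loads at all
        settings.setAllowContentAccess(false);           // no content:// either
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setJavaScriptEnabled(false);            // turn on only if the pages need it

        webView.setWebViewClient(new WebViewClient() {
            // Unlike onPageStarted, this runs before navigation and can veto it.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri target = request.getUrl();
                if ("tel".equals(target.getScheme())) {
                    startActivity(new Intent(Intent.ACTION_DIAL, target)); // helpline links
                    return true;                                           // handled here
                }
                return !isAllowed(target); // true = block, false = let the WebView load it
            }
        });
        setContentView(webView);

        // The URL arrives as intent data (the "-d" in the adb command above);
        // validate it before the first load instead of after the page has started.
        Uri target = getIntent().getData();
        if (isAllowed(target)) {
            webView.loadUrl(target.toString());
        } else {
            finish(); // refuse to open anything that is not an allowlisted https page
        }
    }
}
```

On top of this, the activity should be declared with android:exported="false" in the manifest unless another app genuinely needs to launch it, so that only the app itself can hand it a URL. ACTION_DIAL only pre-fills the dialer and never places the call, so the helpline links need no CALL_PHONE permission.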

So, how do you exploit this vulnerability? Hopefully the image below clears your doubt.

Let's head towards the next one.

2. Ability to know who is sick anywhere in India

He moves further and tries to use the application on a rooted Android phone, but the application throws an error and he can't go any further.

Courtesy: Elliot’s medium post.

So he decompiles the application again, finds where the root detection is implemented, and writes a Frida script to bypass it:

function bypassRootDetection() {
    // public static boolean i(Context context) in the obfuscated class below
    var CommonUtils = Java.use('l.a.a.a.o.b.i');
    CommonUtils.i.overload('android.content.Context').implementation = function (context) {
        console.log("[+] bypassRootDetection");
        return false;   // always report "not rooted", whatever the real check finds
    };
}

// Frida needs a Java VM context to resolve the class; run the hook inside it.
Java.perform(bypassRootDetection);

Then he bypasses SSL certificate pinning in order to intercept the network traffic. After that he starts using the application and finds the feature that tells users how many (not which) other users in the area have taken the self-assessment test and what their status is: infected with COVID-19, just feeling unwell, and so on. When he tested it, the application offered a choice of radius, i.e. the distance within which the app fetches data and shows it to you (if there is any). That is the intended function not just of Aarogya Setu but of any other COVID-19 contact-tracing application. So while using these radius options he captures one of the requests in Burp Suite and, without actually showing how much data he got in the response for the default options, jumps straight to showing how much he got for a 100 km radius around the coordinates he had.

Screenshot from Burp Suite.

In the image above there are a few things to notice.

[1] Latitude & longitude: he said in his article and tweets that these coordinates are in New Delhi, but open Google Maps yourself and enter 19.0760 N, 72.8777 E and you will see that they point to:

Lower Parel, Kurla West, Kurla, Mumbai, Maharashtra 400070

which is around 1415 km away. But leave that; it's not our major concern at all.

[2] Distance: you will have noticed that the distance appears in two different places, one at the start of the request, which looks like GET /ncv19/nearby-stats/dist=100km HTTP/1.1, and another in the body below the latitude, which looks like distance: 5km.

Elliot claimed to have obtained data for a custom radius (different from the options given in the app: 500m, 1km, 2km, 5km, 10km), but did he really?

The request he sent to the server, shown above, was examined by Sunny Nehra (security researcher who admins Hacks and Security), who in his Facebook post proved the custom-radius claim wrong. The "distance" parameter is the value for the radius, and Elliot had left it at 5km (he did not know which parameter had to be tampered with to achieve what he wanted). The response he got is for 5km itself, which is not a custom radius at all.

All the other responses he posted in the blog are for 500m, which again is not custom. Note that Aarogya Setu had made clear to Elliot that the "distance" parameter is the radius, as shown in the picture below:

Screenshot from Aarogya Setu Advisory.

but Robert still did not get what they meant (it plainly says that when the distance value is 5km you get the 5km-radius response).

When @sunnynehrabro and others tweeted the same to him, this is where Elliot seems to have understood how wrong he was: in his curl script he very cleverly changed both "distance" parameters to .1km, as shown in the picture below.

Source: Sunny Nehra’s Tweet.

One should note that he did not even post the response he got for his 1km request. Why would he? He did not even know which parameter stands for "radius", not even by the time he wrote his Medium blog.

Also, just knowing how many patients are near you does not make it a privacy issue: you don't get any specific person's name, mobile number or anything else. The application is only showing how many infected or unwell people are around your current location.

So this is our request to everyone from commerce, arts and even science backgrounds who follows Mr. Robert Baptiste just because he is a hacker, a foreigner at that, and fits (you think) your political ideology: if you do not understand something, stop believing a person just because he says he is a hacker, and a foreign one to be precise. And if you still believe that this particular application is a surveillance application, then you and your g0d hexorman don't even know what surveillance is; research and learn before blindly spitting hate at anyone just because the one you believe in is doing it.

Well, of course he deploys rule-based bots to recursively block anyone who tries to critique or correct him, and of course he brags about the "automation". Sounds like a true heX0rman! 😗

We tried telling this to @fs0c131y, and these are a few of the people who got blocked by him; later he limited replies to his tweets and turned off responses too xD. My comrade, you shouldn't be doing that if you're fighting for the truth. You fight for the truth with truth, not with hype, my friend :)

Same thing with Aadhaar

Read these blogs by Swaroop Yermalkar, a security researcher from India who exposed his propaganda against mAadhaar security:

Part 1. https://blog.swaroopsy.com/2020/05/07/part-1-truth-behind-propaganda-against-maadhaar-security/amp/

Part 2. https://blog.swaroopsy.com/2020/05/08/part-2-truth-behind-propaganda-against-the-aarogya-setu-app-security-the-real-story-of-success

Also a blog by Hungrysoul: https://medium.com/@hungry.soul/the-story-of-misleading-thousands-of-indians-by-claiming-arogya-setu-has-been-hacked-fe4f6e9c39ad

And a blog by Appknox, an Indian company known for mobile application security:

https://www.appknox.com/blog/is-the-aarogya-setu-app-safe-to-use

Sunny Nehra also wrote a detailed report about this issue.

(He's very good at exaggerating things. The same happened with the Aadhaar issue, where R.S. Sharma challenged him to extract Sharma's information from the "Aadhaar database"; instead, Elliot did OSINT and gave him details, and most of the media started praising him, saying "Aadhaar got hacked", "R.S. Sharma got hacked", etc.)

From Twitter.

Solution?

Everybody's talking about the problems. Is there any way to let your neighbours know you've got corona without using Bluetooth, the internet or GPS? Yes, there is! But you've got to set this up on your terrace ❤

Source: https://images.news18.com/ibnlive/uploads/2019/09/Batman-Day.jpg

Our request to the Indian media/press: please do your own research before printing or broadcasting such cheap political propaganda, mixed with disinformation and false claims, from Elliot Alderson or umpteen others. Every Indian media outlet should have someone with a cyber-security background do a thorough technical investigation of such thick claims from any random movie character masquerading as a security expert behind a politically coloured Twitter account, so that next time the Indian information security community doesn't have to step forward and write investigative posts like this one. Dear Indian media, it's your job; do it better, and don't give free attention to these tall stories ever again!
