Data of millions of Indians, collected through the Aarogya Setu app, could be vulnerable to threats from adversarial state and non-state actors and pose a national security challenge, according to cybersecurity experts and former intelligence officials. This, they believe, is due to issues in India’s security capabilities and cyber hygiene practices.
Indian government officials reject these concerns, saying their encryption standards have adequate protection against data or network breaches.
This difference of opinion is at the heart of a controversy surrounding tracing apps that store sensitive personal data to aid in the fight against the coronavirus disease (Covid-19) — with one side saying that the potential risks are either non-existent or a small compromise; and the other arguing that the information is far more valuable and dangerous than governments comprehend, not just from a privacy perspective but also on the security front.
Aarogya Setu is meant to trace close contact between people so that they can be reached in the event any of them is infected with Covid-19. According to government officials, at least 110 million people have signed up on it, and while a rule making it mandatory for office-goers to install it was partially relaxed last week, on Wednesday the government said air passengers must install it if they are taking a flight.
“National databases in general are a huge cause of concern. Sometimes, leaks don’t even appear on the dark web. They are simply scooped away for doing passive profiling of citizens of adversarial countries,” said Pukhraj Singh, a cyber threat intelligence expert, who was involved in the detection of the breach at the Kudankulam Nuclear Power Plant last year.
The concerns expressed by Singh were endorsed by two former intelligence officers who have held senior positions in the National Intelligence Grid (Natgrid) and the National Technical Research Organisation (NTRO) – two of India’s main agencies tasked with digital intelligence gathering.
The threat is particularly serious due to the nature of information involved, one of the former intelligence officers cited above said. He added that users part with information that can directly identify them, where they have been, and what health conditions they suffer from, making it a target for common cyber criminals who can offer these up on the dark web for a price, as well as state-backed hackers for espionage.
Government officials again rejected these concerns, saying that their data encryption standards have adequate protection against breaches.
A VERITABLE GOLD MINE
Since its launch in early April, Aarogya Setu has had at least 106 million sign-ups, according to government officials. The process requires users to declare their mobile numbers, name, gender, age, and whether they belong to a set of high-risk professions, such as law enforcement or health care.
The application then routinely asks people to “self-assess” their health by answering questions such as whether they have any of the symptoms associated with Covid-19 or if they have a history of diabetes, hypertension or obesity – factors that make people more susceptible to the disease.
The second retired intelligence official described three scenarios in which such breaches can be dangerous. “The first risk comes from any hacker who wants to profit from the data. For instance, someone can leak the data about the number of people who identified as diabetics and sell it to a company making insulin for targeted ads, or to an insurance company to deny claims.”
He said that the second is what the government itself can do. “Unfortunately, no matter what legal protocols you put in place, the sovereign can always find ways to use this data for purposes that they were not meant for.”
But it is the third use which potentially is the most hazardous, he said. “The third, and the highest risk, is from geopolitical adversaries who can use this data for a wide variety of reasons. They can misuse it to identify and target particular citizens, such as a bureaucrat or a politician, or they can simply scare people into not trusting their government with any data”, this person said, asking not to be named.
“Most state-initiated hacks are not even known to the public. What you hear about normally are amateurish attempts. The really sophisticated ones have been very hard to detect,” this person added.
Cyber criminals are known to use such data to determine multiple point of information about an individual, which can then be used to bypass identity checks for crimes such as bank account theft.
IMPENETRABLE MYTH
Fundamentally, data breaches can happen in two ways. The most common method is deceiving someone into divulging sensitive information or giving a hacker privileged access – a tactic commonly known as a phishing attack. Such tactics have been used in the past by hackers to obtain back-door access – by fooling, for instance, an IT management staff – to sensitive networks used by banks or government offices.
The other is code-based attacks on computer networks, which usually make use of flaws in software, or what are known as exploits. In some of the most sophisticated attacks, the exploit is done through a zero-day vulnerability – a backdoor that only the attacker knows about.
Both these methods have proven to work – often in combination – to compromise the more secure of systems. Zero-day hacks have been carried out by state-linked hackers and is a risk that cannot be ruled out, the second intelligence agency veteran quoted above said.
Till now, officials have not detected such an attempt on health data in India. “The data is fully secure; our encryption and data storage policies will ensure that there is no breach. Sensitive data of our citizens is kept in a manner where there is no unauthorised access to the data,” said Abhishek Singh, CEO of MyGov, one of the government agencies involved in the Aarogya Setu project.
RISE OF FAKE APPs
There is a third risk factor associated with the Aarogya Setu push – modified or impostor applications that look like Aarogya Setu but are spying tools. These have been spread using the same techniques as phishing, often through messaging applications or via links sent over WhatsApp. While this might not expose the entire database, it could compromise individuals who are successfully targeted.
The Union home ministry issued a warning in late April — the same month Aarogya Setu was launched — about such fake apps being sent to Indian soldiers and paramilitary personnel through WhatsApp, media reports said last month.
“In the current version of the app, there is no protection against an internal modification. So, it’s quite easy to create a modified version of the app. Of course, a modified version of Aarogya Setu can become viral. Especially now, (since) Aarogya Setu is a big topic in India,” said Baptiste Robert, a France-based cyber security researcher who is more commonly known by his nom de guerre Elliot Alderson.
Robert first found flaws in an earlier version of the Indian app that allowed access to internal programme files, which could lead to an attacker accessing the data the Aarogya Setu collects.
“The distribution of a modified app creates new threats. Depending on the modifications done, it can either kill the purpose (of Aarogya Setu) and remove the tracing functionality, (or) it can be used by attackers. By adding malicious code, they can infect victim’s phones and steal their personal info,” Robert added.
On May 14, researcher at anti-malware product developer ESET shared screenshots showing one such impostor application with the same logo and name as the real Aarogya Setu, but was actually spyware. “It’s SpyNote – RAT (remote access trojan) tool. It’s not created by IN govt… [Spynote can] log user keystrokes, steal SMS, wipe device, steal contact list, take camera pics, record audio, install additional apps, reset device PIN and make calls,” wrote Lukas Stefanko,
MyGov’s Singh said impostor applications were being spread and people were being asked to download it, “which is not right”. “These imposter apps cannot come on PlayStore and we have ensured that. People usually download top-rated apps from PlayStore and the Aarogya Setu is highly rated,” said Singh.
SECURITY IMPLICATIONS
Researcher Pukhraj Singh recounted several of the past hacks (see box) that extracted government personnel data, medical records and banking information. “It has hugely upset American intelligence collection programs, especially the ones relying on HUMINT (human intelligence). Maintaining intelligence cover has become close to impossible now,” he said.
“The problem is that we see databases in isolation. (But) they are like lobes to a nervous system. The more databases adversaries have access to, the more they are able to control the system,” Singh said, adding that India needs to “undertake a kind of cost-benefit assessment and a whole-of-government posture review to know what we are really doing with the data that is being collected”.
The second of the two former intelligence official quoted above concurred with the position. “Every country will have a certain capability to manage its database. Unfortunately, in the Indian administration, networks and systems are managed by L-1 contractors, or a service provider who offered the lowest prices. This creates a lot of inefficiency,” he said, adding that the issue has persisted for decades.
The second former intelligence official added: “We must build up an ecosystem based on very strong encryption, for both data security as well as network security. Protection of such databases depend on the capabilities in this fields. Unless you have very strong encryption frameworks made domestically, you will keep having all kinds of vulnerabilities.”
The other significant issue is cyber hygiene. In the past month, Robert brought to light open databases with details of citizens meant to be under home quarantine in three states: Gujarat, Madhya Pradesh and Karnataka. The databases contained locations of these individuals and their names in some cases. All of these were removed after the French researcher tweeted about.
The second former intelligence official said stronger efforts for data minimisation and anonymisation can be made in the interim.
Data minimisation refers to the principle of collecting only the basic information required for a tool’s purpose. In Aarogya Setu’s case, privacy activists say the collection of location records, profession details and granular demographic data does not follow this principle.
