A GIS expert has warned that India’s COVID tracking application, Aarogya Setu, maybe leaking locations of military camps and could be used by enemies for surveillance to track troop movements in sensitive areas like Pangong Tso in Ladakh.
Aarogya Setu leaks location of Military Camps
Sensitive information about the deployment of troops and their movement in military bases or spy outposts along the border with China may have been compromised by India’s COVID-19 tracker mobile application Aarogya Setu.
Aarogya Setu is designed by the government to collect one’s location data and cross reference it with the state-owned Indian Council of Medical Research’s database of COVID-19 tests to alert a user if an infected person is in close proximity.
“Through the app, one can see if a soldier using Arogya Setu is in a particular camp, or if he is going out to another camp or is being relocated or something like that. By constant measuring, you can see how many people have moved out of the camp and how many are within the camp at that time,” Raj Bhagat Palanichamy, an independent geographic information system (GIS)/remote sensing expert told Sputnik.
Alerting authorities, Raj shared an example of how Arogya Setu can be used to roughly detect numbers of people using the app (which may coincide with a number of troops) in sensitive areas like Pangong Tso where troops of India and China have been engaged in a bitter conflict since April this year.
Negative way: If we use a simple fake GPS application, then we can get number of Aarogya Setu users in and around militarily camps in sensitive areas like Pangong Tso
(numbers and locations slightly adjusted) pic.twitter.com/2CGjSEPWnL— Raj Bhagat P #Mapper4Life (@rajbhagatt) September 6, 2020
“With a fake GPS application, you can shift your location to any place. You can simply enter Wagah Border, Pangong Tso, Galwan Valley anything. It is not a big deal. And then you can just open Arogya Setu application and it will show how many common people (COVID-affected) are there, etc.,” Raj said, adding that Chinese agents may not get the exact numbers of troops at a particular location, but “they will know whether people are moving and they are moving at what direction, what timings, etc.”
“If you are talking about the place where there is only military base, then there is no amount of technical expertise or hacking that is required. But, if you want to figure out which specific building etc., you have to do a little bit of math,” Raj Bhagat told Sputnik.
The Indian Army, while issuing an advisory in April this year, asked troops to install the Arogya Setu app and switch on location services and bluetooth while visiting public places, at Isolation Centres, when calling for COVID-19-related assistance by civil authorities and while moving out of cantonments or military stations. Army personnel had been cautioned in April not to disclose their service identity, including rank, appointment and contact list of users, while using such apps.
What is Indian Army’s view on Aarogya Setu?
According to a senior Army official the Aarogya Setu application could be used to track the location of troops and that troops deployed for forward posts should not use mobile phones at all.
“We have taken care that troops deployed for forward posts should not use mobile phones. They are communicating through military communication devices. So, their movement or location will not be revealed to the adversaries through Aarogya Setu app,” a major general of the Indian Army told Sputnik on Monday.
The Indian Army official admitted, however, that movement from peace stations, and locations other than forward posts may be tracked. “Our troops patrolling in sensitive areas are not using mobile phones,” the official claimed.
Aarogya Setu source code compromised
On 12 August, a Mumbai-based cybersecurity company published a detailed blog explaining how it discovered the source-code for the complete Aarogya Setu platform including its back-end infrastructure exposed on the public internet.
The blog stated that with the access credentials left open, the company was “able to download the source code for the Aarogya Setu website, Swaraksha portal, back-end APIs, web-services, internal analytics.”
The matter was referred to Indian Computer Emergency Response Team which quietly plugged the gap.
They didn’t even answer to the company who found the issues. This is highly unprofessional @IndianCERT
— Elliot Alderson (@fs0c131y) August 12, 2020
The government then threatened Shadow Map with legal action for its blog detailing Aarogya Setu’s security risks.
While there has been considerable focus on Aarogya Setu, several state governments have launched their own COVID-19 Apps. A security survey of these apps by The Centre for Internet and Society (CIS) found that most of these apps don’t have a Privacy policy specific to them, and some have none at all.
GreatGameIndia is a journal on Geopolitics and International Relations. Get to know the Geopolitical threats India is facing in our exclusive book India in Cognitive Dissonance. Past magazine issues can be accessed from the Archives section.
