On Wednesday, Security Brigade, an Indian information security company, published a now rescinded blog post detailing how it found certain security vulnerabilities in how Aarogya Setu’s code is managed, and informed CERT-In, NIC CERT (which is different from CERT-In) and the Aarogya Setu team about it, but got no response. This prompted the Ministry of Electronics and Information Technology to “widely circulate a statement” denouncing the company that was later retracted, as per a Hindustan Times report. Abhishek Singh, the CEO of MyGov and NeGD, confirmed to MediaNama via email that the press release has been withdrawn and a new one will be issued “soon”.
MediaNama had also cross-posted Security Brigade’s blog yesterday but took it down at the author’s request.
MyGov CEO calls it ‘unprofessional, unethical’, says Security Brigade was given access to code in March
Singh, who has been the face of promoting the app since its launch, told MediaNama that “the initial report that I got last night said that the code and all that they are referring to, is dated March”. He further said, “Actually the whole thing is very, kind of, unprofessional, unethical on behalf of Security Brigade because what NIC, who is heading the initiative of Aarogya Setu, tells me is that Security Brigade was part of the firms which were engaged for doing the security audit through DSCI [Data Security Council of India] before the app was launched in the month of March.” This caused much confusion because when the code of the Android client was open sourced on May 26, at that time, Yash Kadakia, the founder and CTO of Security Brigade, had told MediaNama that his company had been brought in to review the code only one week ahead of the announcement about open sourcing the code and review the code for that purpose (more on that below).
Singh, however, reiterated that the company was brought in as one of the six security agencies by NIC in March to perform a security audit on the app before its launch on April 2. He said that the code was shared with these six companies and that Security Brigade had “misused” that access, which is not even live today. He told us that the development team would issue a detailed response later today and the “entire tech team is looking into the entire thing in great detail to point out the exact line-by-line response” [sic].
As per the blog post, Security Brigade had reached out to “senior members of the NIC, NIC CERT & key stakeholders from the Aarogya Setu team” when they discovered the vulnerabilities in June. Singh denied getting any communication from the company. But he added, “If they have sent any email to anyone in NIC, we are getting that verified.”
We have reached out to NIC, NIC CERT and Kadakia for more information. At Singh’s request, we have also sent him a detailed list of questions to answer in detail.
Aarogya Setu’s development team is very diverse: Singh
During the course of our conversation, Singh also told us that the development of this app was not only a government effort. “We have acknowledged it right on the day the code was developed that a lot of volunteers from the private sector who were involved in the whole project. Auditors were involved. NASSCOM was involved. Private sector companies were involved. It was a joint effort done at a war footing,” he said. In addition, he listed NIC, NITI Aayog, MEITY, IIT Madras and IISc Bangalore.
What did Security Brigade claim?
On June 23, while analysing data from a gov.in scan, something that the company did “to help CERT-In identify and mitigate key risks, data leaks, compromises, etc. across a wide range of Indian Government asset”, it discovered that one of the developers of Aarogya Setu had accidentally published their private Git folder, with a plaintext username and password for the GitHub account, into the public Git repository. The company leveraged an existing GitHub API to bypass two-factor authentication to access the code repository on the Aarogya Setu GitHub account. Through that, it was able to “download the source code for the Aarogya Setu website, Swaraksha portal, back-end APIs, web-services, internal analytics / correlation code, SQS Handler, OTP Service, etc.”
Security Brigade said that these details were “shared with senior members of the NIC, NIC CERT & key stakeholders from the Aarogya Setu team” but the company received no acknowledgement or response from them. “The issue was silently fixed the next day,” the now rescinded blog said.
The source code that Security Brigade got access to shows that a lot of code and data is hosted on privately controlled AWS servers, primarily by GoIbibo. The company also found “several secrets such as encryption tokens, passwords, etc hardcoded within the source-code itself”. Moreover, the company said that the private keys to Google Firebase, a database storage system, which “seems to be used to store information related to users, including the sensitive DID mapping, user status and other details”, were still active “nearly 45 days” after the company had disclosed this vulnerability to the authorities, at least at the time of publication of the blog post.
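As an added example (not code from Security Brigade, NIC or the Aarogya Setu project), the following Python checks a repository snapshot for the two lapses described above: a committed .git/config whose remote URL embeds a username and password, and secrets hardcoded as string literals in source. Both inputs are constructed samples; the remote, organisation and repository names are hypothetical, and the AWS-style key is the public documentation example value.

```python
"""Detect credentials committed in a git config and secrets hardcoded in source.
Added example; all sample inputs below are constructed, not from any real project."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed .git/config: the "origin" remote embeds a username and password.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://dev-user:hunter2@github.com/example-org/example-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:example-org/example-app.git
"""

# Constructed source file: two hardcoded secrets, two values read from the environment.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "s3cr3t-db-pass"          # hardcoded literal
aws_key = "AKIAIOSFODNN7EXAMPLE"         # AWS docs example key id
firebase_url = os.environ["FIREBASE_URL"]
token = os.environ.get("API_TOKEN")      # fine: comes from the environment
"""

SECTION_RE = re.compile(r'^\s*\[(.+?)\]\s*$')
OPTION_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*(.*?)\s*$')
# A secret-looking name assigned a quoted literal of at least four characters.
HARDCODED_SECRET_RE = re.compile(
    r'(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*["\']([^"\']{4,})["\']')
# AWS access key ids are 20 characters starting with AKIA.
AWS_KEY_ID_RE = re.compile(r'\bAKIA[0-9A-Z]{16}\b')


def parse_git_config(text):
    """Minimal parser for git's INI-like config: {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def find_remote_credentials(config_text):
    """Return [(remote_name, username)] for remotes whose URL carries a password."""
    hits = []
    for section, opts in parse_git_config(config_text).items():
        if not section.startswith('remote ') or 'url' not in opts:
            continue
        parts = urlsplit(opts['url'])   # scp-style git@host:path has no userinfo
        if parts.username and parts.password:
            hits.append((section.split(' ', 1)[1].strip('"'), parts.username))
    return hits


def strip_url_credentials(url):
    """Rewrite a remote URL without its userinfo; git should then rely on a
    credential helper or SSH keys instead of a password in the config file."""
    parts = urlsplit(url)
    if not parts.password:
        return url
    host = parts.hostname + (f':{parts.port}' if parts.port else '')
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def find_hardcoded_secrets(source_text):
    """Return [(line_no, kind)] for lines with a literal secret or an AWS key id."""
    hits = []
    for n, line in enumerate(source_text.splitlines(), 1):
        if HARDCODED_SECRET_RE.search(line):
            hits.append((n, 'literal-secret'))
        if AWS_KEY_ID_RE.search(line):
            hits.append((n, 'aws-access-key-id'))
    return hits


if __name__ == '__main__':
    for remote, user in find_remote_credentials(SAMPLE_GIT_CONFIG):
        print(f'remote {remote!r} embeds a password for user {user!r}')
    for line_no, kind in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f'line {line_no}: {kind}')
```

A check like this belongs in a pre-commit hook or CI job; for a leak that has already happened, the remediation is to rotate the exposed credential and keys rather than only rewrite history, since the secret must be assumed copied.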
Govt claims abuse of access in retracted statement
In the now withdrawn “press release”, MEITY said that “Security Brigade has misused their engagement with Aarogya Setu code review and publication of this article is completely unethical and in violation of the terms of engagement with the Project”. As per the Hindustan Times report, the government retracted its statement on August 12 itself.
“If an auditor identifies a vulnerability, they make a responsible disclosure of the vulnerability to the concerned owner of the app/site,” the statement read and claimed that sharing “snippets and screenshots” of the code was a “complete breach of trust”.
“Aarogya Setu users are assured that no user data has been compromised due to the alleged vulnerabilities and the violations by the concerned firm will be dealt with as per law,” the statement read.
Singh told us via email that a new press release will be released soon.
What does Security Brigade say?
In response to our questions, Yash Kadakia, founder and CTO of Security Brigade, sent us the following statement:
“Aarogya Setu reached out to 6 organizations and shared their Android source code for review prior to their press conference announcing the bug bounty program.
“Of course, this Android source code was then made publicly available for all on Github and has absolutely nothing to do with the article we have published.
“The code we had discovered and responsibly reported to NIC was related to other internal components which have not yet been made public. These were accidentally exposed due to their security lapses in the Aarogya Setu infrastructure.
“While we have taken all possible measures to retract and censor any possible sensitive data in our article, we have repeatedly asked relevant stakeholders on anything they may find to be sensitive but have not received any official response.
“Moreover I’d like to reiterate that the issue was responsibly reported to the NIC team but no response was received from them.”
What is Security Brigade?
Security Brigade is a Mumbai-based, CERT-In empanelled information security consulting firm that was founded in 2006. When Aarogya Setu’s Android client was open sourced on May 26, Kadakia had told MediaNama that the developers of the app had approached the Data Security Council of India to recommend information security firms to look at the app’s code over the week leading up to the open sourcing announcement. Security Brigade was one such firm. “They didn’t engage just one; they engaged five or 6 separate firms to take this up in parallel. The idea was to get as many eyes on it as possible,” Kadakia had then told us.
At that time, Kadakia had said that the app did not require any significant changes apart from minor changes to the algorithm in use. “They had done a fairly decent job anyway to start with,” he had said. “So everyone reviewed the way the DiD [device ID], what is being uploaded, the privacy aspects of it, what encryption is being used,” he had said.
“But looking at the backend is where the real security implications might come in as well from a general security standpoint, but from a privacy standpoint, it’s the app that matters. … that part is already reasonably covered,” Kadakia had said.
At that time, the code for iOS and backend infrastructure had not been shared with the cybersecurity experts, he had told us. The iOS code was expected to be shared with the experts over the coming week, ahead of the iOS source code release, while backend infrastructure code was to be shared a bit later. At the time, Kadakia was appreciative of the government’s move: “I don’t think the government has really open sourced or released a bug bounty like this before.”
This is a developing story and will be updated accordingly.
***Update (August 13, 2020 9:13 pm): Updated with Abhishek Singh’s response about the press release sent out by MEITY on August 12.
***Update (August 13, 2020 6:39 pm): Updated with comments by Abhishek Singh, the CEO of MyGov. Originally published on August 13, 2020 at 3:51 pm.