India has not had the best record when it comes to contact tracing tools, as the Aarogya Setu fiasco made evident. However, another tool, this one from the state government of Uttar Pradesh, may have taken the crown as the least secure contact tracing tool in the country. According to a report published by cyber security research firm vpnMentor and reviewed by The Tech Portal, the firm has identified a slew of obvious vulnerabilities in the app.
The tool, dubbed “Surveillance Platform Uttar Pradesh Covid-19” and built by the state government of Uttar Pradesh, was launched with the goal of tracking and tracing coronavirus patients. However, it appears to have created more problems than it solved: vpnMentor found vulnerabilities within the platform that left it easily exposed to malicious hacking and attack, which could have devastated Uttar Pradesh’s response to the coronavirus pandemic.
Broadly, the organization identified three main vulnerabilities in the platform. First, it found an unsecured git repository revealing technical information, including passwords to admin accounts on the platform and a SQL data dump. Second, this made the platform’s admin dashboard accessible to anyone with the passwords taken from the git repository. Lastly, it found a separate index of CSV files containing daily COVID-19 patient reports, accessible without a password or any other login credentials.
The git repository would have allowed anyone with knowledge of the platform’s URL and access to the git repository to gain complete access to its admin dashboard. These admin controls would in turn have allowed attackers to take over the platform and make modifications such as modifying entries, closing case files, altering patients’ data, modifying test results, sending healthy people to quarantine, removing patients from quarantine early, switching negative test results to positive and vice versa, and more.
Moreover, the CSV files contained numerous forms of Personally Identifiable Information (PII) for every individual tested for COVID-19 in Uttar Pradesh, including full names, ages, genders, residence addresses, phone numbers, etc.
What’s worse is that vpnMentor had contacted the Israeli embassy in India on 10th August to get the breaches secured, but there was no response. It wasn’t until 10th September that the vulnerabilities were fixed, and only after the website contacted CERT-In numerous times without any feedback.