Aadhaar security flaw can give access to data without OTP: Ethical hacker

Facial recognition for the sole purpose of authentication-where consent is given-should be completely fine, but only as long as it is not used for clandestine surveillance, says Karan Saini

For the second time in the first three months of 2018, the vulnerabilities of the Aadhaar programme–the world’s largest biometric database–were exposed when American business technology website ZDnet reported on March 23, 2018, that the personal data of millions of enrolled Indians could be accessed through unsecure websites and mobile apps of third-party agencies that use the identification system for authenticating transactions.

Aadhaar comprises a unique 12-digit number assigned to Indian residents. As of March 29, 2018, more than 1.2 billion Indians–or 99.7% of the population–have enrolled in the programme. The database, which is fast becoming an integral part of Indian policy, includes fingerprints, iris scans and demographic details of every enrolled individual. From July 1, 2018, the system will also include facial recognition for identity authentication purposes.

One night in mid-February 2018, in 30 minutes, data security expert Karan Saini, who identifies as a “white-hat” hacker (one who improves security by exposing vulnerabilities before malicious hackers or “black-hat” hackers can detect and exploit these), found the vulnerable point in the Aadhaar database through Indane, a commercial distributor of liquefied petroleum gas (LPG), owned by Indian Oil, a public-sector company. Indane, the second-largest marketer of LPG globally, caters to 110 million households across the country.

Fearing prosecution from the government, Saini reached out to a reporter at ZDnet to notify the Unique Identity Authority of India (UIDAI), in-charge of programme, of the security lapse.

Through Indane, not only could Saini gain access to the Aadhaar numbers, demographic data of several Indian residents, but also view details of where these individuals hold bank accounts, and what other services their Aadhaar numbers are linked to. 

Prior to this, on January 3, 2018, The Tribune, a Chandigarh newspaper, alleged in an investigation that unrestricted access to details of over one billion Aadhaar numbers could be purchased for as little as Rs 500.

Since its inception in 2011, Aadhaar has been caught in several debates, especially over privacy issues and information leaks. In the absence of a privacy law, lawyers and activists, who have challenged the Aadhaar Act, which essentially now mandates the enrollment of all citizens, as IndiaSpend reported in March 2017, argue that once the programme is linked to various services it will offer the government too much information too easily about individuals.

The UIDAI has dismissed these fears, maintaining that the central database, guarded by a 13-feet-high and five-feet-thick wall, is safe and insists the programme is a “serious effort to end corruption”. Arguing for the constitutional validity of Aadhaar, the UIDAI has denied Saini’s finding and The Tribune report of security lapses in the system during a Supreme Court (SC) hearing on Tuesday, March 27, 2018.

“There has not been one data leak till date,” Ajay Bhushan Pandey, chief executive officer of UIDAI, told the SC.

In an interview with IndiaSpend, Saini, a freelance information-security professional based in New Delhi, discusses data security and privacy concerns in Aadhaar. Saini, occasionally also participates in “bug bounty programs” that involve identifying and reporting security vulnerabilities to companies. He has worked with Twitter, Uber and the US Department of Defense. 

What prompted you to check the third-party security of Aadhaar data and what exactly did you find?

I started looking into the vulnerabilities of Aadhaar on a whim. On the Apple App Store, I found this mobile application ‘Aadhaar Status’ offered by Indian Oil, which claimed to allow you to check your Aadhaar seeding status with Indane. I started to dig into the app and the API [Application Program Interface] it used to access and retrieve Aadhaar data. I wanted to see if it had any security measures in place, and if so, whether and how they could potentially be bypassed. In a few minutes, I was able to determine that a few key countermeasures could be put in place to access the data for an endpoint as sensitive as this.

I found that by cycling through permutations of possible Aadhaar numbers–rapidly, since there was no limit on that like a Captcha or anything–I could get Aaadhar-linked data of other people, without the need for a one-time-password (OTP). After thoroughly checking that the Indane API was not blocking requests, especially when a large number of them were sent rapidly–I could send 5,000 requests in 5-10 minutes–I concluded that it would be possible for a malicious party with sufficient computing power and time to harvest vast amounts of Aadhaar-linked data in no time.

The app, which was also available on the Google PlayStore, has since been removed and the Indane API has been taken down but there is still evidence of it existing on several other third-party services as can be seen in this Google cache:

 

Link

 

On paper, the intent of Aadhaar is to plug leaks and ensure that benefits reach the right individual, and also provide a one-stop verification process for service providers. In a way, sharing of personal data is inevitable in today’s world–so how do you think the government should negotiate big data and privacy needs?

We have to look at the Aadhaar infrastructure as a whole–it’s not just the government’s database to protect. With banks and third parties using the programme for identity verification, Aadhaar data remains partially compromised because it might be shared with parties who do not take data security issues seriously. We need a more comprehensive system to ensure these vendors–and other companies who have data related to or coming from Aadhaar–follow stringent norms to ensure they cannot use the data without taking the needed steps to protect it. Otherwise, it would be a violation of information that was originally provided to the government in good faith.

Do you think the Aadhaar programme adequately acknowledges the role third parties play in data security?

As of now, I don’t believe that these security issues are being properly addressed and remediated by the people in charge. However, they should be concerned. Right now, in not demanding and enforcing stricter data protection measures, neither the third parties with access to Aadhaar data nor the UIDAI are taking responsibility for significant security issues and concerns. This is highly problematic because the personal information of millions is at stake.

At the Supreme Court on Tuesday, March 27, 2018, UIDAI’s CEO Ajay Bhushan Pandey insisted that except for third parties, the main database itself is well-protected and has not had a single breach yet. What are your findings?

 

 

I agree, the main Aadhaar ‘database’ itself might not compromised. However, through third-party sharing there is potential for the data to become compromised–that should be a primary concern for the UIDAI. If Aadhaar did not exist, verification of identity, while more tedious, would restrict the amount of data a services company could hold about me. So if I sign up for a gas connection, or telephone service, one would not have access to information about which bank I use. In fact, the CEO himself wrote to banks warning them to be more careful with Aadhaar authentication as the nature of data it holds could compromise the security of bank accounts, as The Hindu reported. With the information made publicly available through unsecure third parties, the UIDAI is introducing potential for misuse. One could commit financial fraud or forge another Aadhaar card using its number and demographic details since the card that holds the Aadhaar number does not have any security features of its own–it’s just a card with a number, and in many cases a two-step verification process with OTPs or fingerprints is not in place.

On the process of enrolment for Aadhaar, Pandey told the Supreme Court on Tuesday, March 27, 2018, that there is no question of misuse because a 2048-bit encryption on Aadhaar data has been sent to the Central Identities Data Repository (CIDR). “It will take the whole universe’s strength to break this encryption,” he said. What does your assessment show?

I can’t comment on the CIDR’s susceptibility to misuse since I am not aware of it but again, for argument’s sake, (even if) the UIDAI is encrypting its data to this extent it has not clarified if third parties accessing the data for authentication are also encrypting it similarly. While a 2048-bit encryption is very good, that’s a standard requirement for the kind of data the central Aadhaar database holds. Further, we don’t seem to have clarity on how much of the data is encrypted or how the encryption has been carried out. At this point, it seems to be jargon thrown at the audience.

Not restricted to Aadhaar, privacy breaches and security incidents are occurring more often and are increasingly involving larger amounts of personal data. What do you make of the UIDAI’s response to these incidents?

I started looking at the Indane app in early February, and approached a reporter to take the matter up with Indane and the UIDAI instead of approaching them myself fearing prosecution, given how similar matters have been dealt with in the past.

These last few months have shown that India is getting more serious about privacy and data security, and that citizens want accountability for when incidents such as these take place. Increasingly, since we’re now generating so much more data than we ever have before, people have started becoming more concerned about protecting their data, especially when violations come to light.

The UIDAI’s response, when we approached them a month ahead of the story, notifying them of the vulnerable endpoint, was to do nothing. This could have been either because of lack of interest or because they felt that the problem was not too severe. But with more and more security issues being pointed out, there seems to be a clear need for proper redressal techniques. In this particular case, many publications have inadvertently and inaccurately called this an ‘Aadhaar database breach’. This was not my intent. I found a security lapse which could have allowed for a major chunk of Aadhaar information to be stolen, if someone with that intent wanted to and knew of Indane’s issues.

There are problems with implementation of almost every technology, so understandably there will be errors with Aadhaar to work through as well. But if in the future, those that are responsible continue to deny issues and attempt to shut down conversations with the public, researchers may eventually just stop reporting bugs to them. The issues which are not captured by their internal security teams would simply remain vulnerable to malicious attacks. The government is more likely to succeed in keeping Aadhaar data safe by keeping the channels of communication open.

Distinguishing between the Aadhaar card and a smart card, Pandey said the central database of biometrics plays a key role in ensuring uniqueness and preventing identity theft. Surveillance is not possible with CIDR as silos are not merged but in smart cards, it is still possible by merging databases, he has said. What do you make of the CEO’s arguments on surveillance and identity theft?

 

 

While Aadhaar’s central database might be offline and secured, its online data-stores, which are significantly large too, are still merged with third parties like banks and telecom companies. So surveillance through them could still very much be a possibility.

Facial recognition for the sole purpose of authentication–where consent is given–should be completely fine, but only as long as it is used for just that and not for clandestine surveillance and tracking of individuals. If there are no laws in place to protect our rights and guarantee personal liberties, such as privacy, then our society and our very way of living would be put at risk. To quote Edward Snowden: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” You don’t need to have anything to hide to be opposed to the idea of government surveillance.

It has been argued that privacy is a First World privilege. India is plagued by problems of poverty and deprivation and issues of privacy are ‘elitist’. Do you agree?

This is not just a rich man’s problem; financial fraud through data breaches could affect the lives of anyone– in fact it would impact the middle and working class the most, as it would be harder for them than others to recover from it.

I believe that by bringing these problems to light and discussing our rights as citizens we don’t digress from issues such as poverty and deprivation. The reality is that more Indians, regardless of their socio-economic status, are now connecting to smart phones and banking services — just as the Indian government had planned with its digital inclusion program — so obviously, the scope of those susceptible to security and privacy invasions, is growing too. This can no longer be dismissed as an “elitist” problem.

(Saldanha is an assistant editor with IndiaSpend.)

Reprinted with permission from IndiaSpend.org, a data-driven, public-interest journalism non-profit organisation.