In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. I connected with many like-minded, highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog, with its million hits, is a testament to my concerns about loss of privacy, fear of the ID being misused, and the possible criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation was revised and passed by the two houses of the Parliament of India, making it legal. I am no Legal Eagle, so my opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures, on a daily basis, a list of articles published on anything to do with Aadhaar as obtained from daily Google searches, and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place" - Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die-hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE, so why not get one? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. - Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty. - Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” - A three-judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha, April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that the right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution.

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time-tested pillars of security idiocy:

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Thursday, March 8, 2018

12950 - Aadhaar: India's Flawed Biometric Database - The Diplomat


Aadhaar got pwned. Why isn’t the Indian government taking Aadhaar’s exposed security flaws seriously?
By Siddharthya Roy
March 06, 2018


On February 25, Baptiste Robert, an Android developer and security enthusiast, tweeted to the government of India saying he’d found a way to hack into the portal of the Telangana State Postal Service (TSPost). He’d done a routine SQL injection attack, and the portal had responded by spitting out the financial and demographic information of thousands of Indians.
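The article calls the TSPost hole a "routine SQL injection", and for a defender the routine part is what matters: the portal spliced a caller-supplied identifier into the SQL text, so a value that contained SQL changed the query's logic and returned every record instead of one. The example below is added here to illustrate that failure mode and its fix; it is not code from the TSPost portal or from anyone quoted in the article. It uses an in-memory SQLite table with a few constructed rows (the `benefits` table, the `AADHAAR-000n` identifiers and the amounts are all made up) and contrasts a string-built query with a parameterised one, plus a cheap input check a defender can use for alerting.

```python
import sqlite3

# Constructed sample data (not real records): a small table in the shape of
# the benefit/deposit records the article describes.
SAMPLE_ROWS = [
    ("AADHAAR-0001", "Resident A", "District X", 1200.00),
    ("AADHAAR-0002", "Resident B", "District Y", 850.50),
    ("AADHAAR-0003", "Resident C", "District X", 430.00),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE benefits (uid TEXT, name TEXT, district TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO benefits VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, uid):
    """The anti-pattern: caller input is spliced into the SQL text.

    A crafted uid is parsed as SQL, so it can widen the WHERE clause and
    return rows the caller was never meant to see.
    """
    query = f"SELECT uid, name, district, amount FROM benefits WHERE uid = '{uid}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, uid):
    """The fix: a parameterised query.

    The value travels separately from the statement, so whatever it contains
    is compared against the column as data and never parsed as SQL.
    """
    query = "SELECT uid, name, district, amount FROM benefits WHERE uid = ?"
    return conn.execute(query, (uid,)).fetchall()


def looks_like_injection(value):
    """Cheap input check for logging/alerting, not a substitute for parameters.

    A record identifier should never contain quotes, comment markers or
    statement separators; seeing them in a request is worth an alert.
    """
    suspicious = ("'", '"', "--", ";", "/*")
    return any(token in value for token in suspicious)


if __name__ == "__main__":
    conn = build_db()
    honest = "AADHAAR-0002"
    # Constructed tautology input for the demonstration: it makes the spliced
    # WHERE clause read  uid = '' OR '1'='1', which is true for every row.
    crafted = "' OR '1'='1"
    print("vulnerable:", len(lookup_vulnerable(conn, honest)), "vs", len(lookup_vulnerable(conn, crafted)))
    print("safe:      ", len(lookup_safe(conn, honest)), "vs", len(lookup_safe(conn, crafted)))
    print("flagged:   ", looks_like_injection(honest), looks_like_injection(crafted))
```

Run with the honest identifier, both functions return the single matching row; run with the crafted input, the string-built query hands back the whole table while the parameterised one returns nothing, because no row has that literal string as its uid. The input check is deliberately secondary: parameterisation is what closes the hole, and the check only gives the operators a signal to detect attempts, which is exactly what a portal that nobody was monitoring lacked.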

The data about welfare benefits, deposits, and loans had all been tied to identifiable names and addresses using their Aadhaar numbers.

Weeks earlier, Baptiste had first reached out to the Indian government, alerting them that he’d detected a flaw and could help them patch it. But no one responded. Baptiste decided to go public with his hack. Tweeting from his handle, Elliot Anderson (@fs0c131y), he posted screenshots of both the attack and the data he’d laid his hands on.

It was only after the news had reached the front pages of leading Indian dailies and began circulating on the web that the administrators of the portal came out with a statement. They said the portal hadn’t been used since 2014 and therefore the hack meant nothing.

When it was pointed out that the transaction records showed a timestamp of August 1, 2017, the website was simply taken offline and no explanation was offered.

A Brief History of Aadhaar
Modeled after the American Social Security Number (SSN), the Aadhaar is a 12-digit unique identification number given to Indian citizens. The difference between the SSN and Aadhaar is the use of biometric data (fingerprints and iris scans) for verifying identity.

Owing to the huge population of the country and a very disjointed and often corrupt bureaucracy and law enforcement, Indians never had any one standardized proof of identity or citizenship. Nor was there any standard protocol for seeding the process of identification that would lead to the issuance of such a document. This in turn led to an abundance of forged identity documents.

The call for a verifiable registry of citizens got traction in the aftermath of the India-Pakistan Kargil War of 1999. It was reported that enemy combatants and informants had crossed the borders into India to create sleeper cells. The infiltrators had been living like regular Indian citizens with forged documents. These findings prompted a call for a registry of Indian nationals. The National Population Register (NPR) was conceptualized soon after, but has largely remained on paper.

Around 2008, a clutch of little known private interests began actively lobbying to take the task of registry building out of the hands of the government and turning it over to a consortium of software companies led by Indian IT czar turned member of parliament, Nandan Nilekani.

The project proposed to use biometrics as the seed of identification. The claim made was that biometric prints were foolproof in their uniqueness and therefore an unassailable and irreproducible proof of identity.

The consequences that a database of this sort would have on civil liberties weren’t lost on the polity. The Aadhaar project faced pushback from political activists and members of civil society, who called it the first step toward building a police state. The project’s initial political backer, the centrist Indian National Congress, found itself pitted against both the right-wing Bharatiya Janata Party (BJP) and the Communist-led Left Front, and the project failed the scrutiny of an expert committee set up by the Parliament of India.

Moreover, through multiple judgements and hearings, the Supreme Court of India expressed grave concerns about Aadhaar and sought to limit its use.

The Aadhaar lobby dodged all hurdles by continually exploiting legal loopholes and changing its stated aims and objectives. For example, by the end of 2009, Aadhaar stopped talking about policing and security and reinvented itself as a project that would help make India’s welfare schemes more efficient by ensuring help reached the right people.

Leveraging the absolute majority that the Narendra Modi government won in the 2014 general elections, Aadhaar was rammed through the Indian parliament. In 2016, the private consortium was converted into a statutory body under the Ministry of Electronics and Information Technology and named the Unique Identification Authority of India (UIDAI). Under the UIDAI, enrollment went from voluntary to compulsory. At last count, the Aadhaar database has the biometric prints of over 1.98 billion Indians.

From paying taxes to getting salaries, renting houses to getting a phone connection, the Aadhaar number has become ubiquitous and is demanded for almost all formal and even informal transactions completed by Indian citizens. Even private corporations like Amazon have started demanding Aadhaar numbers for online shopping.

As a result, not only is the Aadhaar database unmatched in terms of its sheer size, but given its absolute intrusion into the private lives of Indians, the database has gone well beyond being a repository of biometrics. It is now an amorphous — and leaky — agglomeration of databases that connect names, faces, and prints to their demographic (caste, education, religion, etc.) and financial data (banking details, online purchases, wallet transfer, etc.).

The easy access to a repository of people’s personal data has in turn spawned a burgeoning subeconomy of data miners and traders and opened up multiple avenues for illegal and unethical trading of identities.

What, however, has remained unchanged over the last 10 years is the stubborn refusal to open up Aadhaar, its design, and its code for security audits and any form of neutral scrutiny.

Denial as Security Policy
The TSPost hack wasn’t the first time that the Aadhaar database has been publicly called out over serious flaws in its security. This was also not the first time that the overseers of the world’s largest biometric database have responded with denial as their first line of defense.

The Aadhaar project was conceived and implemented by leading names in the Indian software industry. Nilekani for example, was the CEO of Indian IT and outsourcing giant Infosys. Most of the present members of the private companies that work with Aadhaar data are active members of the National Association of Software and Services Companies (NASSCOM) — India’s premier trade body for IT and outsourcing firms. The project also has big multinational corporations like Ernst and Young, Accenture, and the Safran Group working on it.

Yet, all of Aadhaar’s security flaws exposed thus far point to appalling coding standards and a rigid ignorance of security.

In August 2017, a 31-year-old Android developer named Abhinav Srivastava exploited the Aadhaar-linked E-Hospital app. The verification system used in the app did not employ any encryption, and Srivastava managed to easily spoof identities and make multiple authentication requests to the main database. That in turn allowed him to verify details on behalf of anyone without their consent or presence — effectively rendering the whole point of unique verification redundant.

Even after Srivastava was arrested by the Bangalore City Police, instead of accepting the obvious issues with the app, the UIDAI blatantly claimed the system was fully secure and no citizen had any reason to worry.

For Baptiste too, the TSPost hack wasn’t the first time he’d hacked into the Aadhaar database.

“I managed to find 5 ways to pwn the official Android app,” Baptiste said in an interview with The Diplomat. He was referring to a series of exploits he’d found in January 2018.

“The password of the local database is the same for everybody,” Baptiste said, explaining the app hack. “You can reset the password easily, you can deactivate the password, you can modify the app and get all logs. You can modify the app and bypass the root detection mechanism. The conclusion of my research on the mAadhaar Android app was that if I have physical access to a device with mAadhaar installed, I can get all the Aadhaar data stored in it.”

“I don’t think they like me that much,” he said jokingly when asked whether he’d heard from the Indian government.

In one instance, when Baptiste asked the official @UIDAI handle why they were posting people’s banking accounts publicly on their website, the UIDAI bluntly responded with: “Putting such information is perfectly fine and is consistent with UIDAI policy of proactive disclosure and transparency under RTI. And no way it can be termed as leak by any stretch of imagination.”

The response was in line with UIDAI’s usual bullying of anyone critical of their work. Not only has the UIDAI refused to allow audits, it in fact goes out of its way to attack critics, clamp down on any scrutiny of its work, and discredit skeptics.

In May 2017, Sharad Sharma, the CEO of iSpirit — a private entity invested in the Aadhaar project and mentored by the project’s former chairman Nilekani — took to making fake Twitter accounts and slandering skeptics as being agents of Pakistani military intelligence.

Baptiste acknowledges that he has been able to do his experiments and talk about the flaws publicly only because he isn’t Indian and is therefore safe from Indian law.

In January 2018, a journalist working with The Tribune in India did an exposé about how anyone with WhatsApp and an online wallet could buy unlimited verifications for a paltry 500 Indian rupees ($8). Instead of launching an investigation inside its own ranks, the UIDAI filed a police report against the journalist and her editor.

Ayushi Chamoli contributed to the reporting for this piece.

A programmer turned journalist, Siddharthya Roy is an alum of the Columbia Journalism School and reports on politics, conflict and technology. He occasionally tweets @siddharthyaroy.