India’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm (huffingtonpost.in)
453 points by anivar on Sept 11, 2018 | 152 comments



I have to admire the courage of the people who have investigated and reported this, given that the entire leadership of UIDAI and its backers in the central government are intolerant of any criticism and have been known to file police complaints[1] against journalists, critics and whistleblowers. Even its visionary and leading cheerleader from the private sector preferred to imagine conspiracies rather than acknowledging its weaknesses [2].

[1]: https://thewire.in/tech/uidai-files-fir-tribune-reporter-aad...

[2]: https://timesofindia.indiatimes.com/india/theres-an-orchestr...


This is one of the main reasons that this report doesn’t touch upon read access of the database. Rachna Khaira, one of the reporters, already has a police case against her for her previous reporting on the Aadhar database compromise. Getting even one user record would have landed all three journalists behind bars. It is left for the reader to conclude, and validated by various experts, that the whole database is hacked. If a $5 tool can give you write access to a database, it is obvious the whole database can be accessed too.


Btw, 4 months ago the UIDAI had completely denied the existence of such a patch, calling it "totally baseless, false, misleading, and irresponsible" [0].

[0] https://twitter.com/UIDAI/status/991907169779011584


I mean, you need a client to access it, and presumably having a patch for such means you have the client too...


Aadhar card operators get paid 30 rupees an hour. I'm sure you can get access to a client pretty easily.


It’s actually even better. There is no server side authentication on the application. And this keygen type of crack removes the client side authentication too. Full firehose access.


This can't be upvoted enough. The organization which outsources critical authentication to CIA-MI6 linked companies, and yet finds the courage to indulge in the Orwellian doublespeak of 'nationalism', is something that needs grave attention.


you link anything to `thewire.in`, I would call it propaganda. The other commenter on the thread asked a question about why can't the said journalist back up the claims about a $10 app.

Hate the govt all you want, but the Aadhar as you know is started by previous govt. It is if designed properly a good way to eradicate corruption for welfare schemes, so any ideas on how to do that are more appreciated than playing blame game on HN.


> you link anything to `thewire.in`, I would call it propaganda.

So you would colour everything by a certain journal with the same brush, without even looking into the reported claims? In the cited case, the content in the link (and the claim for which they were cited) is easily verified from multiple sources: [1], [2], and [3]. Even when The Daily Mail reports something outrageous and easily verified I verify it, and The Daily Mail is a tabloid.

> Hate the govt all you want, but the Aadhar as you know is started by previous govt.

This is neither here nor there. The "previous govt." was four years ago. In these four years, the current govt. — who used to claim to be staunchly against Aadhaar back then — have turned tail and zealously forced people into registering for Aadhaar and linking it with their phones, bank accounts, and even made it mandatory for kids to attend school. "But four years ago, someone else started it!" is a pointless argument when the current party has far more than enough time to fix it, or even just acknowledge the flaws.

> so any ideas on how to do that are more appreciated than playing blame game on HN.

Criticism is not a "blame game", unless the criticised turns it around and blames someone without accepting or refuting the criticism. Entertaining and listening to criticism IS a good way to improve one's product, not stuffing one's fingers into one's ears and claiming your product is the best ever and "unhackable" and filing police complaints against your critics to silence them.

----

1: https://www.livemint.com/Politics/hZGXG4q43ZeeTp2HH5QlaK/Aad...

2: https://www.tribuneindia.com/news/nation/uidai-responds-afte...

3: https://www.firstpost.com/india/uidai-files-fir-against-the-...


> you link anything to `thewire.in`, I would call it propaganda.

Care to provide any reasoning for why you call it propaganda?


Calling it propaganda is a bit too much. However, the quality of their articles has decreased considerably:

https://thewire.in/caste/does-india-need-a-caste-based-quota...


I expected better discussion on HN (apart from sensationalist articles), the article does a poor job intentionally though.

Summary

1. Existing data is not compromised

2. Duplicate data can't be entered or overwritten

3. BUT, ghost accounts can be created easily.

Aadhar was introduced to fight ghost accounts that siphon off subsidies provided for the poor. This hack/patch defeats that purpose.

I still think this is not as big a problem as it looks on the surface. If the enrollment software is hacked to accept iris data from a photograph,

Can't the Aadhar DB (post enrollment) be scanned for all enrolled iris data with poor quality iris data and they be monitored and deleted?

Another problem is still there: what if the operators enroll citizens from a different country as Indians, essentially creating ghost accounts (from citizens of a different country)? I don't know how to stop such a situation.

Biometrics are never a good model for authentication; I don't know what these people were thinking when they designed it.


Two points:

1. Surprise, there's a separate $10 application which can access all the Aadhar database entries. Exposed by one of the journalists of this story, for which she got a police case filed against her. [a]

2. Aadhar has no way to verify double entries, one whistleblower to Supreme Court said the database has 40% bogus entries, i.e. 450 Million fake IDs. Yes, no verification backup documents, no signup forms exist for 40% entries in the database, and authority has no way to audit them. [b]

a. https://www.tribuneindia.com/news/nation/rs-500-10-minutes-a...

b. https://ia802809.us.archive.org/26/items/Aadhaar_Whistleblow...

Bonus: Aadhar database was at one time hosted in US with FTP password being Admin$12. This is the state of this sham project. https://imgur.com/a/2sppFrm


> 1. Surprise, there's a separate $10 application which can access all the Aadhar database entries. Exposed by one of the journalists of this story. [a]

Can the said journalist just release the application in public domain? If not, why not?

> 2. Aadhar has no way to verify double entries, one whistleblower to Supreme Court said the database has 40% bogus entries, i.e. 450 Million fake IDs. Yes, no verification backup documents, no signup forms exist for 40% entries in the database, and authority has no way to audit them. [b]

If authority has no way to audit them then how did the whistleblower arrive at this magical "40%" figure.

What's worse than the 40% figure is the way the entire letter is written. No way a professional would write a letter with all caps, typographical errors, paragraphs upon paragraphs of sensationalism with little to show for "proof". Even the table which shows the details of "AadhaarCount v/s Aadhaar Records" is not something available in public domain so it cannot be validated as authentic.

> Bonus: Aadhar database was at one time hosted in US with FTP password being Admin$12. This is the state of this sham project. https://imgur.com/a/2sppFrm

I have seen this crop up in every discussion but nowhere in the screenshot does it say that the data hosted in the US was the "Aadhaar database". All this screenshot details is that some files were hosted by the UIDAI team on a US based server to share among themselves. The files could be anything. In fact, the email itself says the files are flat files with names:

1. Bill_Desk

2. Total_EXP

How did you arrive at the fact that this is the Aadhaar database itself? I can easily assume that "Total_EXP" can mean total expenses and "Bill_Desk" has to do something with a bill desk. Nowhere does it say "Aadhaar_DB" or something along those lines. This is laughable!

Also, this same screenshot exists in the so called "whistleblower's letter" to Supreme Court judges as well. There is no confirmation of any such correspondence by the Supreme Court judges about being in receipt of any such letter.

Sorry to say but the way the entire letter is written screams of fake news you typically forward through WhatsApp only to realise later that the entire story was fraudulent to begin with.


>Can the said journalist just release the application in public domain? If not, why not?

Pretty simple. Do you want everyone in the world to have access to the database? Now at least it is hidden through obscurity. This is exactly why in this report the said journalist got it verified by three external experts, one of them a professor.

>If authority has no way to audit them then how did the whistleblower arrive at this magical "40%" figure.

Authority has no way to audit the fake accounts, but authority does know for which entries backup documentation exists or not. In fact, he attaches official documentation later on as evidence.

Forget the grammar and typos; it doesn't matter. Ignore the whole of his letter except the official correspondence that is attached and does in fact validate his/her point.

I meant to write Aadhar data. So you are totally overlooking the fact that some of the Aadhar related data was on US servers, and more importantly the password is being relayed over e-mail? Also, no secure way to host the government data, except HP servers?

Government has been so opaque regarding this project that we have to rely on journalists, researchers and whistleblowers to help us with any sliver of info.

Do you have a conflict of interest with this project? I see on your Twitter that you have retweeted some posts from the Ministry overlooking this project. Not casting doubt, just needing a clarification due to the tone of your posts in this thread. Sounds very government'ish.


[flagged]


>I am rational in my thinking and approach.

Your post on this topic, two notches down questioning a Rice University professor: "I know a lot of professors who have plagiarised to obtain PhDs. So I would never accept a professor's word to technical details."

I will safely ignore your frivolous replies. You are anything but rational.


I'm not talking specifically about this professor. I'm stating that in my experience of seeing various professors plagiarizing their qualifications I inherently don't trust their word. I instead trust technical details. That is rational.

Irrational is when you trust someone's word as the holy grail.

By the way, just so you know why I have this notion: at the college I graduated from, the Director was exposed for plagiarizing his PhD thesis, which resulted in his transfer: http://nanopolitan.blogspot.com/2009/09/plagiarism-charges-a...

I have seen my fair share of such instances that warrant my apprehensions. Any rational person would ask for technical details, not just me.

> I will safely ignore your frivolous replies

You can "safely" ignore my "frivolous" replies considering that you rely on conspiracy theories rather than actual facts. Like I said in the post below, I do not claim the system to be perfect but I would rather see someone come out with a technical rebuttal than sensationalise. If that part of what I said is lost on you then I can do nothing about it. There is no stronger an attack on the government than going technical, which is what is lacking in all these articles. By sensationalising and spreading fake letters all you are doing is strengthening the government's position.


Has there been any allegation against Rice University professor? So you are willing to undermine every professor out there due to one encounter of yours, but you are willing to trust the government all too quickly. On top, you dole out 'fake news' moniker generously too. Pretty rational.

Also, the plagiarism example: Guy had already obtained his Ph.D from a UK university, and the said Ph.D. was not obtained on basis of that plagiarised paper. Pretty big allegations you have been levelling on basis of something that you are not even comprehending correctly.


> Has there been any allegation against Rice University professor? So you are willing to undermine every professor out there due to one encounter of yours, but you are willing to trust the government all too quickly

All I am stating is that I trust technical details not the person. It can be the CTO, CEO, Professor or any Tom, Dick or Harry including the Government of India. I don't care about anyone's "words" but the fine print. As far as Professors are concerned, it is my experience and hence also adds to my reasoning. You can't stop me from deducing based on my reasoning can you?

As far as Government goes, I don't say I "trust" the Government. I support the policy decisions of the Government because they align with my wishes too. If it wavers or does something contrary to my wishes I'll stop supporting it. It's as simple as that. There is no need to conflate this any further than what it actually is. If tomorrow, the Government is indeed found to be complicit in the handling of Aadhaar biometrics you can safely assume that I'll actively stop supporting it.

> On top, you dole out 'fake news' moniker generously too

Okay let's forget the contents of the letter. Can you at least show me one piece of article or something that confirms that the Supreme Court judges are in receipt of this letter? It's not just written to the CJI but also to 10 other Judges of the Supreme Court including one who recently came out stating he is not in favour of the Government: Justice J Chelameswar. At least one of them can confirm receipt of this letter. Right?

As far as official documents are concerned, they always have a seal accompanying them with an official signature. Which document in that letter has this basic requirement? The only document that looks official is a screenshot of email communication between the UIDAI team. That email communication also has nothing incriminating.

> Also, the plagiarism example: Guy had already obtained his Ph.D from a UK university, and the said Ph.D. was not obtained on basis of that plagiarised paper. Pretty big allegations you have been levelling on basis of something that you are not even comprehending correctly.

No, his Ph.D thesis was also found to be plagiarised. In fact, that was what resulted in his transfer (and I came to know just now that he was also removed from holding any Governmental positions. That is why he is now appointed as a Vice Chancellor of a private university). I just took a look at the article again and the links that lead to the newspaper article which mentioned that are unfortunately dead. If I find a copy of that I'll surely put up the link to it. It still doesn't take away from my fact that a professor, a Director of a premier institute no less, plagiarised papers. This coupled with many other instances I have experienced forces me to not trust their words. A lot of prominent professors in Academia always publish their papers. No one says "take me for my word". If the "words" of professors were all that was necessary you wouldn't need publishing and peer reviews.


>> Do you have a conflict of interest with this project?

It's weird that you wrote a detailed point-by-point response to the parent post but dropped this one question.


Re-read my post again. I have clearly mentioned I don't have a conflict of interest. It's ridiculous that I even need to mention this explicitly once. And now have to reassert myself twice. I never knew having a contrary opinion automatically makes you an agent of the government. So much for "inclusiveness".

For your convenience I'll quote what I wrote in my previous comment: "It always sounds government'ish to people who rely on conspiracy theories. I am an open supporter of the Government in many policies. As far as conflict of interest with this project I am no way connected to the UIDAI project. So don't try to find connections where there are none."

Is this clear enough or you want some other proof?


Now I see why you might have had that doubt. My reply was flagged for no apparent reason.


> I expected better discussion on HN (apart from sensationalist articles)

There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

> "Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer," Wallach said.


> There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

OP is not negating the problem. However, the title implies that the existing database has been breached, which is not true. Author could have given a better title which implies that ghost entries could be added and existing data has not been compromised.


The whole point of the system is to give a single confirmed identity for citizens of India.

At this point the purpose of the exercise has been voided.

Saying that "the data has not been compromised" is a red herring; that's the case for when our biometrics are lost and our privacy breached, which is a whole different issue with this database, one among many of its other problems.

At this point if the data is crud, what's the point of using this system?


Actually, having an Aadhar number does not imply that the person is a citizen - this is one of the statements present in the application form itself. So, it is possible for non-citizens to have an Aadhar number.


So Aadhar is meant for the whole world including our neighbouring citizens (and intelligence agencies) of Pakistan and China? Thank you for educating me, I didn't know that. It's truly wonderful and neighbourly that they get the convenience of self-registration without providing proof and customizing their biometrics during upload. Only Indian citizens should be held to a higher standard.


I am not questioning the authenticity of the report; that is for UIDAI to do.

I am questioning the choice of title. Of late, I am seeing too many articles about Aadhar breaches, and when I study them in detail, it's mostly related to social engineering/phishing attacks stealing OTPs/enrolling unsuspecting customers etc.

I am worried that when an actual breach happens, people will probably not care (crying wolf?).


> There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

Put out the patch in public domain or at least provide some technical information on the vulnerability itself (by making the said report public).

Every time a story of this sort comes out it inevitably ends in a lot of hand waving and sensationalism: how a reporter got access to a secret WhatsApp group that sells a patch in exchange for 2500 rupees and it allows access to the UIDAI system.

What makes it worse is that we are supposed to just accept whatever this CTO and his two other researcher friends have to say without any way to validate it ourselves. I don't see this happening with any other vulnerability disclosure: be it Spectre, Meltdown or a plethora of other exploits which have detailed explanations of the exploit itself. Considering that it affects a billion plus people and, as claimed by the article, that Aadhaar is "compromised" and "cannot be fixed without requiring a fundamental change in the system", there is no reason now to hold back on technical details.

"This is pretty feasible, and looks like something that would be possible to engineer"

On the one hand you say the patch which can be bought for 2500 rupees already does this and at the same time you use words like "possible to engineer" and "feel pretty comfortable". Since when have feelings and possibilities gotten more prominence than technical explanations?

I'm not saying that the system is foolproof. On the other hand I am waiting for that one article that goes into technical details of the exploit than just sensationalism.


There's a professor in there too who verified it. Putting the patch out is going to see reporters being jailed and the story being buried. Especially when with the patch we will see 4chan like flaming and the database being filled up with bogus entries from all around the world.


> Can't the Aadhar DB (post enrollment) be scanned for all enrolled iris data with poor quality iris data and they be monitored and deleted ?

Not so easy. Every effort that's made to reduce fraud (false positives), might affect genuine beneficiaries who depend on the system for food, healthcare and education - by increasing exclusion (false negatives). A probabilistic auth platform with a really wide scope is a recipe for failure.


Well, I am not an expert in analyzing biometric data, but I know that the current government is hell bent on ploughing through our lives. I don't know what will be a better future.


It _is_ a big problem, because apart from the ones you mentioned above, it is unclear how many more vulnerabilities are possible.


Isn't that true for every system?


When a system is shown to have fundamental security flaws — this one uses client-side validation to authenticate biometric operators — it is natural one's trust in the system's robustness would drop low.

Like when Intel's chips were shown to completely disregard security when speculatively executing instructions, it wasn't just a new vulnerability; it was a whole class of vulnerabilities that was now open.


Aadhar is not a client side authentication; what does client side even mean in this context?


Please read TFA: "The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers."

The client here is the enrollment software, not "Aadhar" (whatever you meant by that). The Aadhar service should have been authenticating enrollment operators on the server side, instead of relying on the enrollment software to verify identity (that too via biometrics, which is NOT authentication).
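The design flaw described in this comment (the server trusting the enrolment client's claim that the operator passed a biometric check, so that a patched client can simply skip the check) can be shown side by side with the server-side alternative. The following is an added example written for this thread; it is not UIDAI code, and the gateway classes, the `operator_verified` flag, the `session_token` field and the operator records are all hypothetical. Biometric matching is stood in for by a constructed byte comparison, since the point is where the verification happens, not how a matcher works.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real UIDAI data): operators the gateway knows,
# each with an opaque reference biometric template. A real system would hold a
# matcher-specific template; bytes are used here as a stand-in.
OPERATORS = {
    "op-1001": b"constructed-template-for-operator-1001",
}


class VulnerableGateway:
    """Server that trusts a client-supplied 'operator_verified' flag.

    The biometric check runs only inside the enrolment client, so a client
    with that check removed can set the flag and the server never notices.
    """

    def __init__(self):
        self.enrolments = []

    def enrol(self, request):
        if not request.get("operator_verified"):
            return "rejected"
        self.enrolments.append(request["applicant"])
        return "accepted"


class HardenedGateway:
    """Server that performs the operator check itself and issues a signed token.

    The client can only obtain a token by presenting a sample the server
    matches; enrolment requests must carry a token whose HMAC verifies under
    the server's own key, so client-side patching cannot forge one.
    """

    def __init__(self):
        self.key = secrets.token_bytes(32)  # server-only signing key
        self.enrolments = []

    def _matches(self, operator_id, sample):
        reference = OPERATORS.get(operator_id)
        # Constant-time comparison stands in for a real biometric matcher.
        return reference is not None and hmac.compare_digest(reference, sample)

    def _sign(self, operator_id, nonce):
        msg = f"{operator_id}:{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def login(self, operator_id, sample):
        """Server-side operator verification; returns a session token or None."""
        if not self._matches(operator_id, sample):
            return None
        nonce = secrets.token_hex(8)
        return f"{operator_id}:{nonce}:{self._sign(operator_id, nonce)}"

    def enrol(self, request):
        parts = (request.get("session_token") or "").split(":")
        if len(parts) != 3:
            return "rejected"
        operator_id, nonce, tag = parts
        if operator_id not in OPERATORS:
            return "rejected"
        if not hmac.compare_digest(self._sign(operator_id, nonce), tag):
            return "rejected"
        self.enrolments.append(request["applicant"])
        return "accepted"


def patched_client_request(applicant):
    """What a client with its biometric check removed would send: it simply
    asserts the operator was verified and carries no server-issued proof."""
    return {"applicant": applicant, "operator_verified": True}


def run_demo():
    """Exercise both gateways and return a summary of what each accepted."""
    vulnerable = VulnerableGateway()
    hardened = HardenedGateway()
    applicant = {"name": "constructed applicant"}

    # A client that skipped its own check gets through the vulnerable server.
    vuln_result = vulnerable.enrol(patched_client_request(applicant))
    # The same request carries no valid token, so the hardened server refuses.
    hard_patched = hardened.enrol(patched_client_request(applicant))

    # Legitimate flow: the operator is verified by the server, which issues a token.
    token = hardened.login("op-1001", OPERATORS["op-1001"])
    hard_legit = hardened.enrol({"applicant": applicant, "session_token": token})

    # A token forged by the client under a key it does not have is rejected.
    forged = "op-1001:deadbeef:" + hashlib.sha256(b"guess").hexdigest()
    hard_forged = hardened.enrol({"applicant": applicant, "session_token": forged})

    # A wrong biometric sample never yields a token in the first place.
    bad_login = hardened.login("op-1001", b"wrong-sample")

    return {
        "vulnerable_accepts_patched_client": vuln_result,
        "hardened_rejects_patched_client": hard_patched,
        "hardened_accepts_verified_operator": hard_legit,
        "hardened_rejects_forged_token": hard_forged,
        "hardened_login_with_wrong_sample": bad_login,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The tokens here never expire and are not bound to a particular client, which a production design would add; the example only isolates the one property the comment is about, that the proof of operator verification is something the server produced and can check, rather than a flag the client asserts.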


Then why does the article claim that Aadhar is hacked? Why not just call it "Aadhar enrollment hacked" (which is a more appropriate title)?


While more specific titles are better for descriptive purposes, the title as it is is not wrong. The name "Aadhaar" does not unequivocally mean "The Aadhaar service backend".


Isn't that true for everything around you? Just because your bank is not hacked does not mean it will not be in future.

This is an attitude a system designer should have: always be on the lookout for vulnerabilities.

If the media starts writing articles on would-be vulnerabilities, then it is just fear mongering.


>> Isn't that true for everything around you? Just because your bank is not hacked does not mean it will not be in future.

But if my bank is widely reported to be hacked, my trust in it would degrade. And I would probably not trust it with any more of my money. A lot also rides on how the bank responds to this in public.

>> This is an attitude a system designer should have: always be on the lookout for vulnerabilities.

Agree, but that is beside the point here.

>> If the media starts writing articles on would-be vulnerabilities, then it is just fear mongering.

This is something which has occurred, it's not "would be".


As an Indian developer, I cringe every time the government claims a system is un-hackable. Especially when contracts are handed to one of the big Indian IT companies. Having started my career in one of those companies, I saw firsthand how most of the development process was just filling in gaps. Security through obscurity was thought to be “highly secure” and security experts were non existent.

No surprises that the database was compromised. Aadhar is a fundamentally flawed system and nothing will ever be done about it.


No amount of 'security' will help here. That's because everyone, including the people, doesn't give a dime about 'security' in India.

In Aadhar enrollment centers, passwords are shared. You might like to introduce an OTP like concept, but phones are shared too. 2FA? Nice try, but then people also share answers to security questions. Next what? DNA authentication? Biometrics? Guess what, none of those are anywhere near reliable and they are mostly identity related things and not authentication related things.

There is also government policy. Which is lax. Mostly run by civil servants who understand nothing about technology. IAS is largely a trivia testing exam with focus on things like meeting and group discussion skills. The head of UIDAI recently claimed that data could not possibly have been stolen as the data was still in their database :)

This is a phenomenal lapse at every level.

Software is one thing, but if your people have decided to work around it, it's basically all over.


+1.

We also need to consider the motivations for working around 2FA or any such authentication systems. One is convenience as you've pointed out.

The other, much bigger motivation IMO, is the opportunity to make money. As the article points out, once enrolment was outsourced (Rs30/enrolment) it was immediately seen as a money-making venture, so a whole bunch of these centres with dubious credentials surfaced. They were entrusted with document verification too, so they would happily accept just about any piece of paper as proof of address. Then there was a business of charging desperate people money to create an Aadhaar account without which they wouldn't get subsidies.

And then they shut down (50,000 or so) these enrolment centres. Did they expect that all those employed at those centres who lost their jobs to not do anything about it!? Of course they would figure out ways to enrol people!!


Apparently, the bill passed in the Indian Parliament does not limit the right of the state apparatus to 'bio-authenticate' you. A scientist at CSIR apparently blurted out earlier that DNA authentication was under consideration. The amount of money spent on this BS project is absurd.


You mean security experts were found all around, but patted themselves on the back after preventing a single SQL injection attack.


A single SQL injection has pretty huge potential, especially if it's in an application that deals with sensitive data. I would not downplay it.


I completely agree. But it is the absolute basic level at which you start to secure your application.

I’d expect security experts working on a government ID program to be a bit more distinguished.


This happens in every country, not just India. And the database has not been compromised.


> And the database has not been compromised.

The database is not known to be compromised.


> The database is not known to be compromised.

The database is not known by the general public to be compromised.


The database is known by the general public to be compromised.

https://thewire.in/government/data-breach-aadhaar-details-gr...

The reason this article didn't mention it is because one of the authors is still in hot water with the police for trying to report on it.


Time and time again Aadhar's privacy data has been compromised, and yet officials have strongly denied all those claims, only possible because people still believe all the false claims by those officials and the government in terms of Aadhar. Even to the level that a guy once wrote a scraper (open-sourced on GitHub) that can fetch Aadhar info online.

It's no doubt that Aadhar was a blatant copy of bringing an SSN-type ID to India but failed terribly as the Government was more interested in using Aadhar to show their domination rather than put it to its actual purpose. E.g.: Govt made Aadhar mandatory for tax filing; India's Supreme Court denied it. The same thing happened in many instances.

This is a nice lesson in why simply copying a solution from the US can't be made to work in a developing nation: the system and officials are so fragile that they need to be fixed first, before the solution itself!


Aadhar is nothing like SSN. I wish it was. SSN doesn’t require biometrics — Aadhar takes fingerprints and iris scans. School kids don’t need SSNs to sit for their school boards. You can sit for university exams without SSNs. You can shop at Amazon without giving them your SSN[1].

[1] https://news.ycombinator.com/item?id=15796242

In fact SSN use has become more restricted over time, thanks to various pieces of privacy legislation. Meanwhile in India they still don’t have any privacy legislation last I checked, so it’s open season on your data.

Aadhar is ambitious all right — an attempt to assign every Indian resident a number and use that number as a unique key for almost everything (public or private). The surveillance opportunities this presents are breathtaking.

Of course the good folk at India Stack love this because it enables them to build better apps. Move fast and break things, indeed.


Watch this (https://www.youtube.com/watch?v=Erp8IAUouus) and tell me if SSN is good even for the US.


> Time and Time again Aadhar's privacy data have been compromised.

I hate the implementation of Aadhar as much as any person, and believe the architecture is terrible that a patch can allow authentication to be bypassed. And that there could be more vulnerabilities. However, at least in this instance, existing data has not been compromised.


Unfortunately, there also exists other software that easily allows compromising existing data.

https://thewire.in/government/data-breach-aadhaar-details-gr...


Undeniably bad, but I'm fighting off a slight sense of schadenfreude here, due to their prior claims[1].

[1] https://www.troyhunt.com/is-indias-aadhaar-system-really-hac...


Yes it looks like their security was really amateur hour stuff too, with a lot of the authentication done on the client side. This makes their claims that it was "hack-proof" look particularly embarrassing.


Apparently the breach is now being proxied by the fired private operators through government offices. Can this cashless money flow be traced? Even burner mobile phone numbers are linked to the same compromised national identity database.

Who could benefit indirectly from the breach? Could the Indian government turn to Facebook and WhatsApp for help with identity profiling? Is Facebook Indian data held in Indian data centers?

This story will find its way into future documentaries on the history of "Papers Please".

> in February 2018, the UIDAI terminated all contracts with common service centres as well .. Henceforth, only banks and government institutions like the postal service can enrol Aadhaar users. As a consequence, tens of thousands of young men, with rudimentary education but great familiarity with the Aadhaar system, were put out of work.

> In interviews, out-of-work operators claim they can still use the hacked enrolment software to generate enrolment ids (the first step in the Aadhaar registration process) and have tied up with sources working in authorised centres who complete the registration process for a fee.

> ... creates a whole new set of problems and could defeat many of Aadhaar's purported aims, such as reducing corruption, tracking black money, eliminating fraud and identity theft. It also means that the Aadhaar database is vulnerable to the same problems of ghost entries as any other government database

> the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.

> Sourcing the patch is as easy as gaining access to one of thousands of WhatsApp groups where the patch, and the usernames and passwords required to login to the UIDAI's enrolment gateway, are sold for as little as Rs 2,500. Payments are made through mobile wallets linked to phone numbers that quickly go dead after the transactions are complete.


>>> Who could benefit indirectly from the breach?

This, and who will buy those data?

Everybody screams about the hack, but I've never found a comprehensive study of how these personal data are sold and abused. Maybe to break gazillions of FaceBook/github/you-name-it accounts? Then what, who will use those data? Thieves? Criminals? If it's just that, well, that's a minor inconvenience.

If it's secret services of adversary powers, well, that's a whole lot different.

Does anybody have facts on that?


> Then what, who will use those data ? Thieves ? Criminals ? If it's just that well, that's a minor inconvenience.

It's only a minor inconvenience if you can sit in a comfortable place and pontificate on Hacker News about these things. Seems like you're not even aware that people have already lost their pension money or bank account balances or didn't get food that they were entitled to and died in the process — everything related to the coercion in the Aadhaar system and how it can be misused by others for fraudulent purposes.

Perhaps your privilege in life is standing in the way of understanding how bad things are with the Aadhaar system. Please search for #AadhaarFail on Twitter, look for articles on scroll.in and thewire.in (two sites that some people do hate) and rethinkaadhaar.in.


Now I'm reading my comment again, I see how I offended some people here. My idea was more like "globally thinking", like in "geopolitics"; in that case, even a few deaths is not much (it's like people who allocate money for cancer research: they have to make sure the population is globally better; it doesn't mean everyone should get out alive). And my wording was rather poor. Sorry, it was absolutely not the idea I wanted to convey. Mea culpa.


I don't have facts/pointers but just an educated guess.

The most probable beneficiaries are food/gas etc. distributors. In pre-Aadhaar days they used to create fake ration/gas cards and sell food at un-subsidised prices on the black market.

A prime (purported) driver for Aadhaar was to stop the creation of these ghost people. Now that ghost Aadhaar accounts can be created (per the report), these distributors will get back to their old ways of making money.

India has a lot of poor people, so the threat vector isn't yet FB/github :-).



Indian government site asking for aadhar data in Bihar:

http://210.212.23.57/online/OnlineApply/Notice.aspx

They just made aadhar mandatory for every school kid in Mumbai, Maharashtra. Good luck to anyone who has to share their children's details on an insecure platform.



It's not like HTTPS would have helped much. It's an arbitrary IP address. How is a user supposed to verify an arbitrary IP address is not an attacker? This is what '.gov.in' is supposed to be for.


> In 2017, the UIDAI said it had blacklisted 49,000 enrolment centres for various violations, and in February 2018, the UIDAI terminated all contracts with common service centres as well.

Seems like they are well aware of this hack.

Skimming through the article, it seems the attacker can register himself in the system but not read data from the system. Also, there's no mention of 1.2B records being compromised.


Actually, the records are already public, remember the fiasco where Telecom Regulatory Authority of India’s Chairman RS Sharma had posted his Aadhar number online. The whole point of the Aadhar Challenge was to demonstrate leaked database/Aadhar number is not an issue. Apart from the curated datasets that can be bought even on Facebook groups, it is actually very easy to mine large datasets from Google itself.


Any references on this topic?


I don't want to post any direct link to anything, but you can google 'Aadhaar data leak through Google search' to find vast amounts of links/references. Kinda meta, right, I know. If you want to know more about the incident you can google 'aadhaar challenge'.


One of the reasons why India needs some kind of people authentication is rampant corruption! Corruption at a scale that most people in Europe or the US can't even imagine. Add to it the culture which celebrates corruption and eulogizes people who find loopholes in the system. As soon as a policy or rule is implemented, someone gets to work to find a loophole and profit. Schemes and subsidies for the poor get siphoned off by the rich and powerful by creating fake people, less than 2% of citizens pay taxes by just disappearing from records, billions of dollars of unnamed properties exist because the owners are fake people on record, someone else appears for an exam in a student's place.

While I still dislike a citizens' database, I can also see why some kind of person authenticator is needed for a country like India. I sat through UIDAI architects' presentations, and from what I could tell, substantial thought was given to the design. So while I maintain skepticism for such a database, I also believe India needs some way to authenticate various transactions (monetary or otherwise). SSN is a joke; at least Aadhaar was given substantial thought.


> someone gets to work to find a loophole and profit

Please - this is pretty much how it works everywhere, nothing unique to India.

Why do you think lawyers, accountants etc. in the corporate world get paid so much? Do you remember the U.S. president saying avoiding federal taxes makes him smart?

> the culture which celebrates corruption

What are you basing this on? There is no question there is rampant corruption, but saying the culture celebrates it is taking it a bit far.


> avoiding federal taxes makes him smart?

I avoid taxes. I contribute to my IRA, donate to charities and deduct my home office space. What I don’t do is evade taxes by not declaring income.


While this is true, the primary engine of corruption is the government and its agencies. Officials soliciting bribes to move paperwork forward, kickbacks to land projects etc.

An honest assault on corruption should target the government and parties rather than individual citizens. The work in that department seems to be going the other way though. e.g. https://www.thehindu.com/opinion/op-ed/the-danger-of-elector...


If your solution for corruption at higher levels is to make a billion (or hundreds of million, since we now know that there are ghost entries in the Aadhaar database too) people suffer, not have access to food, die of starvation, not get their pensions, etc., then it's a useless solution that has no place anywhere in the world, more so in a democracy!


Giving something substantial thought does not necessarily guarantee that the thought was any good though.


You can't fix one problem to create other ones.


May I know why this comment is flagged?


You seem to have sat through a presentation on Aadhaar. Have you sat through any presentations on corruption? On what basis are you making comparisons with other parts of the world?


Unfortunately our government doesn't accept the truth. If someone tries to educate people about the vulnerability, they are labelled anti-national.


Ironic, considering the fact that protecting the privacy of citizens is in a nation's interest.


I need you to show your work on that one, guy.


I don't know how many times this will have to be repeated. Aadhar, GST, all implemented by the worst possible companies in terms of talent. WTF is wrong here, there are plenty of talented people around. Or just crowdsource it or give it to the universities to build or something.


I want to say that maybe the really talented people / good companies have no interest in building a central database with such dystopian potential. But then again... fb, twitter, ...


Erm, Google, Microsoft, ... most of SV?


like I said, I really want to say that. Sadly that wouldn't make it true...


Is there any success story about crowdsourcing in India?


Is this complete incompetence? Why wouldn't they generate these numbers on some centralized secured servers only for the verified individuals? Why give away the software that generates them at all? That's like giving away your signing servers.


The numbers are not generated on the client side. An enrollment packet is, containing biometrics and demographics, for which a number will be generated using biometric deduplication server-side.

The catch: only residents (not citizens) of India are authorised to have a number. Because one person technically cannot have more than one Aadhaar number (reality: ha!), the theory is that a government subsidy database needs one unique Aadhaar number per beneficiary.

This theory breaks down when you enroll an individual who does not need an Aadhaar number because they are not a resident. That number can be misused by another resident to get a second entry into the database, and it's a perfectly legitimate number linked to an Indian phone number that can receive an OTP and behave indistinguishably from a resident.

Fake enrolments are the equivalent of a hack of the US SSN system that would allow anyone anywhere in the world to make an SSN for themselves. What could they possibly do with that?


That is answered in the article

> B. Regunath, a software architect who led the team at Mindtree that worked on the project, said a web-based enrolment software for Aadhaar was not practical at the time because many parts of the country had very poor Internet connectivity.

Of course, anyone who put id generating software on these laptops with the expectation that it would somehow remain secret was being extremely foolish. The system should have been designed taking that into account.


Even then, they could have batched the requests for IDs on the laptop, and then submitted them daily/weekly by driving the laptop to wherever the internet is.

And of course, each such laptop must have a unique hardware key that would sign these requests, so copying the software wouldn't compromise anything.


In a country of the scale of India, if your security relies on no laptop being compromised, you have no security. One is bound to be lost or stolen (or its user to accept bribes).


You didn't read my comment well. The security in my scenario doesn't rely on the laptop not being stolen. There's a hardware key. If it gets stolen, it gets blacklisted.
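The design sketched in the two comments above (enrolment packets batched offline on the laptop, signed with a per-device hardware key, stolen devices blacklisted server-side), as an added illustration that is not Aadhaar's or UIDAI's code. It assumes constructed device IDs and secrets, and uses HMAC-SHA256 with a per-device secret as a stand-in for the asymmetric hardware-backed signature; a real deployment would keep the signing key in a TPM or HSM so the server never holds it.

```python
"""Added example: per-device signed enrolment batches with a server-side
device blacklist and replay check. Not Aadhaar's code; all identifiers,
keys and packets below are constructed for this illustration."""
import hashlib
import hmac
import json

# Constructed per-device secrets that the server provisioned at setup time.
# Stands in for a public key registered for each laptop's hardware key.
DEVICE_KEYS = {
    "laptop-0001": b"constructed-secret-0001",
    "laptop-0002": b"constructed-secret-0002",
}


def canonical(body: dict) -> bytes:
    """Deterministic JSON encoding so client and server MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_batch(device_id: str, key: bytes, seq: int, packets: list) -> dict:
    """Client side: bundle packets collected offline into one signed batch.

    `seq` increases with every batch the device submits, which lets the
    server reject a captured batch that is submitted a second time."""
    body = {"device_id": device_id, "seq": seq, "packets": packets}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class EnrolmentServer:
    """Server side: only batches signed by a known, non-revoked device with a
    fresh sequence number are accepted. Copying the client software without
    the device key produces batches that fail the signature check."""

    def __init__(self, device_keys: dict):
        self.device_keys = dict(device_keys)
        self.blacklist = set()
        self.last_seq = {}      # device_id -> highest accepted seq
        self.accepted = []      # packets that passed every check

    def revoke(self, device_id: str) -> None:
        """Blacklist a lost or stolen laptop; its key is useless afterwards."""
        self.blacklist.add(device_id)

    def accept_batch(self, batch: dict) -> tuple:
        body = batch.get("body", {})
        device_id = body.get("device_id")
        key = self.device_keys.get(device_id)
        if key is None:
            return False, "unknown device"
        if device_id in self.blacklist:
            return False, "device revoked"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; covers tampered packets and forged tags.
        if not hmac.compare_digest(expected, batch.get("tag", "")):
            return False, "bad signature"
        seq = body.get("seq", -1)
        if seq <= self.last_seq.get(device_id, -1):
            return False, "replayed batch"
        self.last_seq[device_id] = seq
        self.accepted.extend(body["packets"])
        return True, f"accepted {len(body['packets'])} packets"


def demo() -> list:
    """Walk through the cases a practitioner would check; returns the outcomes."""
    server = EnrolmentServer(DEVICE_KEYS)
    packets = [{"name": "constructed person A", "biometric_ref": "blob-a"}]
    key1 = DEVICE_KEYS["laptop-0001"]
    results = []
    good = sign_batch("laptop-0001", key1, 1, packets)
    results.append(server.accept_batch(good))              # accepted
    results.append(server.accept_batch(good))              # replayed batch
    tampered = sign_batch("laptop-0001", key1, 2, list(packets))
    tampered["body"]["packets"].append({"name": "ghost"})  # altered after signing
    results.append(server.accept_batch(tampered))          # bad signature
    forged = sign_batch("laptop-0002", b"copied-software-no-key", 1, packets)
    results.append(server.accept_batch(forged))            # bad signature
    server.revoke("laptop-0002")
    stolen = sign_batch("laptop-0002", DEVICE_KEYS["laptop-0002"], 1, packets)
    results.append(server.accept_batch(stolen))            # device revoked
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```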


It will not work in India. The whole problem is that the govt pissed off the operators and incentivized them to create fake aadhar. The whole investment to set up an aadhar enrollment centre was marketed as a good business which would make people a decent sum of money. But that was a very optimistic approximation. Reality turned out to be far different. Almost all operators went into a loss. To recoup the losses, they started creating fake aadhar. Money earned for a genuine aadhar is Rs. 20, vs Rs. 500+ for a fake aadhar. It was stupid for operators not to exploit the opportunity.

In this scenario a hardware key is not going to help. It'll only limit the ubiquity of the hack, but not much else.


You are assuming this is unintentional. Giving bureaucrats and criminals working with them power through incompetence of the central government ... forgive me for doubting that this was a design feature. It redivides the power between individuals and the state, including criminals working with (small parts of) the state. I believe anyone who can get a majority of 1.3 billion people to vote for him did not miss this.

I mean, what's with the "Caesar can do no wrong" attitude on this site?

States are evil. The best possible case is that they might be, at times, the lesser evil.


[flagged]


I am European. Just because it's a less popular opinion, it's not any less true.

I don't even understand the logic itself. States are supposedly not evil, and we need them because ... well because people are more evil. That's the idea.

But states are people. Isn't that by itself a massive contradiction?

The difference between, say, the Netherlands and Monsanto is the method of incorporation, and the legal authority it therefore has. Not the resulting decisions. That's, of course, why the Netherlands got rich by having its military protect and pay raping pirates, in trade for their loot, including of course, if they had to, selling the passengers to prostitution houses and mines, and still does things like extracting money from its poorest citizens through mental health "care".

Monsanto merely mass-poisons people.

But the big difference is:

1) the Dutch state has never apologized

2) has never paid any restitution to anyone

3) never will


You picked one of the countries with the most evil government (historically, I make no claim either way about the current situation) as an example. Of course it's going to look bad in that case.


Okay. Name one that's decent. A single one. And let's look up what they've done ... I mean perhaps the really tiny ones are better, but that's really more for lack of options, not lack of will to commit atrocities.

Recently there was -yet another- mental health (for children, no less) scandal in the Netherlands. Yes, the government that supposedly fairly hosts the international court can't even respect basic human rights in its own country. Which brings the question of whether either of these things is really their goal (where for instance mental health "care" is often accused of being about locking people out of sight, at any cost (to those mental patients), and the international court is about international politics, not justice (for instance the Yugoslavia tribunal only ever convicted people from one side of the conflict)).


If I get it:

India has a biometric database with 1B people on it!

... wow ... just wow ...

And adding new people to it is now compromised by a publicly available hack, although getting 1B biometrics on board must have had an error rate that would be scary anyway.

The UUID created is needed almost everywhere, like driving license numbers elsewhere.

How much of the scare is "People can be added once but under incorrect names" perhaps wiping out criminal pasts? or "people can be added more than once"

The second is surely a search problem?


Good luck to the government changing everyone's biometrics now. This is why biometrics should never be used for something like this, especially when it requires a centralized entity to store all the biometric data, making it a very appealing target to all the malicious hackers in the world.

At least Apple, etc., keep a hash of the biometric data in a secure enclave on each device. Storing biometric data in a centralized database is beyond reckless, no matter who does it.


There is a court case pending judgement in the Supreme Court on the "needed almost everywhere" part. The judgement is expected soon. https://www.bloombergquint.com/aadhaar/2018/03/21/the-key-ar...

The ability to add people is problematic - once you have unverified additions, you can't trust whether even real biometrics were used for it, so it wouldn't even necessarily show up as a duplicate.

Search: Biometric matching has a lot of failures (5% of 1 billion is still a huge number).


Maybe I'm in the wrong here, but I imagine most civilised countries have a database with biometrics of all of its citizens, at least fingerprints.


Biometric collection is always for a specific purpose. General purpose, compulsory biometric IDs exist only in Malaysia IIRC.


> Biometric collection is always for specific purpose.

But if you add up all the specific purposes, most/all people are included.


In the Anglosphere we've traditionally been quite wary of national ID databases for our own citizens, for better or worse.

Most governments of foreign countries I have visited (US, many parts of Asia) have my fingerprints. The Australian government doesn't (to my knowledge, anyway).


Any Australian with a driver's license or passport most definitely has their facial biometrics stored. Any visitor to the country also is subject to it.

This has been in existence for over a decade and I'm astonished people aren't aware of that.


Right, I do know that (The Capability(tm)!) and for some reason I just mentally exclude facial recognition from the term "biometrics". OP specifically said "at least fingerprints" - it's good to have a reminder that facial biometrics still count as biometrics too, and they're lower on the hierarchy than fingerprints.


From my experience going from clean shaven to a small beard can throw the whole system off and requires manual intervention rather than going through the automatic gates. Fingerprints surely would be more accurate.

Have no idea whether foreigners have to give fingerprint scans at Australian customs; it's common practice throughout Asia.


Not a lot: https://en.wikipedia.org/wiki/Countries_applying_biometrics

There are restrictions on how vast this database is allowed to be and what all it can be linked to, in most cases.


I live in Spain and they take your fingerprint when they make your ID card. I'm pretty sure that goes into a database, so they have the fingerprints of all citizens.


Same in Sweden, but in the UK there’s no national database of citizens, and therefore no fingerprints associated.



They don't use UUID do they? Just a 12-digit UID.


Without any hack, one person can be enrolled multiple times if it is done from different zones (mandal/district). There are brokers who can arrange this (and of course charge up to 5k INR).

I guess the search is only limited to these zones.


I am the guy (Regunath) quoted in this article. I had already vented about how one of the journalists approached me with an intent to get a "balanced" view of the system and ended up writing what he wanted from a pre-determined agenda. See this: https://twitter.com/RegunathB/status/1039411036497956864

What is not covered in this article is that all data from the client (even if compromised) is validated by a completely different system on the server side (any decent system does this and so does Aadhaar), and the client too has undergone maybe 20 revisions to add features/fix issues - again typical of any software. The latest version of the client software, I am told, entirely boots off a secure external storage. Now, older versions might still be in use in the field. The Enrolment client software has provision to force-upgrade the software and go to the extent of locking up and not allowing any new enrolments. The server counterpart can also check and reject enrolments from previous versions of the client software. All of this was shared with the same reporter and you can see how much (or how little) of it was actually covered in this fact-finding exercise. The press has the ability to tell the truth or sensationalize; these guys chose the latter.


This is a true story -

I went to a regional passport office to get my Aadhar card about 2 years ago. I sat in front of a desk with an employee - she was logged in to a website that let her upload my picture/biometrics and info into the Aadhar system. The desk had a post-it 3 feet away from me with the login username/password written on it.

Since the operators also need to verify biometrically to log in, that alone wouldn't be enough to hack it. But if you think about the general level of understanding of IT among the public, and probably even the people who wrote the software, it's pretty unsurprising to see it hacked.

Even so, I don't think it's really possible for a huge entity like the government (or even a large company) to learn all the practices around security/technology without making mistakes and learning under situations with real consequences. As long as they learn from these mistakes and accept failure, rather than trying to cover them up, we will get there in time.


According to the article the database has not been compromised. It's a compromise of the client which can be used to add new Aadhar entries.


Yeah, that means a lot of false data has been added into the system given how widely this patched client has been circulated. I don't know what about this tells you that the database hasn't been compromised?


The first thing that came to my mind when I read the title was that all the biometrics and all were out. Which would have been much worse and which is not the case.


This is equally bad, maybe even more so given there is a good chance that a substantial number of aadhaar accounts are fake. There is, quite simply, no reasonable defense for this state of affairs.


The database has also been compromised in the read direction. In fact, one of the authors of this article, Rachna Khaira, got in hot water with the police earlier this year for reporting on that breach.

That's probably why this article doesn't mention it.


A compromise in this case being that illegitimate entries are being added when they should not be able to. You don’t need write to consider this specific case broken.


Sorry, I meant to say "You don't need read to consider this specific case invalid." Didn't have my coffee yet!


The biometric scanners probably have big security holes too. In fact, it won't surprise me if the JTAG is left enabled and anyone can read/write the firmware!

Aadhaar needs something like TrustRank or a Web Of Trust where identity and citizenship isn't binary but a continuous number (probability) based on who and how many vouch for your identity. A lot of citizens, especially in rural areas, aren't documented very well. It's best to acknowledge that uncertainty in the system and deal with it.

The public discussion around Aadhaar is very confused. There's hardly anything wrong with a universal ID for every citizen. There are already several in India (Driving License, Passport, Voter's ID, PAN card, etc.). The real privacy issue is around (a) the govt. collecting biometric data, and (b) how much the govt. / third-party service provider learns about you when you authenticate your identity using Aadhaar. The UIDAI doesn't even want to discuss the issue in the open ("trust us, your data is secure. No proof of hacking whatsoever."), and the use of non-open-source software and closed biometric hardware is troubling. If biometric scanners are using proper encryption, who holds the keys? (My guess: the manufacturers have them, and lots of people who shouldn't have them do have them.) What's needed is consensus building, maybe through a public consultation, about what the majority of people are willing to disclose to the govt. Biometrics aren't an absolute necessity for Aadhaar to achieve its stated goals. That said, recent polls show that the percentage of Indians who trust their govt. is way higher than in the west, so the govt. can probably get what it wants while playing nice.

There's also very little discussion about how secure the biometrics are. There's no info about what services are considered sensitive and need more than a fingerprint. Fingerprints may be fine for 5 years, but I have a hard time believing they'll be constant enough for secure identity verification over 80 years. What happens when biometrics fail and a significant chunk of the populace can't sign, don't remember their date of birth or any password, or even their full name? Again, something like a web of trust would've been helpful.


I like how tough topics in India are discussed - everything is tied back to the central government. Either you are a nationalist supporting the central government or you are a self-proclaimed anti-nationalist who dislikes the current government and their agenda.

One of the things people need to realize is this is a bigger bureaucratic problem. It has nothing to do with current or previous government. Previous government pushed this through because it was in their agenda and the current government cried foul. Now the tables have turned.

What this tells me is that there are lot of private interests which are playing a huge role in Indian governance, irrespective of the government. And we as a people getting into petty fights about the nationalist/anti-nationalist debate are losing sight of the target.


[Note: I'm anti-Aadhaar, as documented in my profile. My comments below may sound harsh because of that. Also please note that Aadhaar is a resident number, and has nothing to do with citizenship.]

Fantastic work! One of the authors of this investigative piece, Rachna Khaira, was key in exposing a major issue with the "last mile" software and how cheaply (just Rs.500/about USD 7) and easily someone could get the Aadhaar and demographic details of almost any resident in the country who's enrolled in the system. [1] UIDAI's response for her investigation was to file an FIR (First Information Report/police complaint) against her in an attempt to put her behind bars. [2]

Activists have always argued that the lack of transparency and information could mean that there are many "ghosts" (or bogus enrollments) in the Aadhaar system (which claims that it cannot have "ghosts", ignoring technological as well as biometric limitations). Now there's no saying how many of the 1.1 billion entries in the Aadhaar system are bogus. As the article states, private agencies were used to handle the enrollment and capture of biometrics and recording of demographic information. All these agencies were paid on a per-enrollment basis. Guess what incentives they would have in a country with high levels of corruption at many levels? I'm certain that a bulk of the enrollments that have been issued Aadhaar numbers are bogus.

While activists may feel vindicated that more and more holes are being exposed in the Aadhaar system (while UIDAI continues to always remain in denial mode), it's sad that hundreds of millions of people have been left vulnerable by this poorly designed and poorly implemented system.

> B. Regunath, a software architect who led the team at Mindtree that worked on the project, said a web-based enrolment software for Aadhaar was not practical at the time because many parts of the country had very poor Internet connectivity.

> "People were cranking up generators just to light up power and do the enrolment. How can they do an online upload of those packets?" asked Regunath, who has since moved to a senior technical position at Flipkart.

What utter nonsense!!! I can't imagine someone calling themselves a software architect being so gullible and ignorant. The entire Aadhaar system is dependent on Internet access and connectivity. Post issuance, the authentication of anyone through biometrics needs real-time Internet connectivity. There's no way around that (even where an OTP is generated, the initiation of the OTP sent over SMS by UIDAI has to happen by connecting to UIDAI's web-based APIs). Even as recently as last year, people in some places were forced to climb trees because they couldn't get a good cellular signal and Internet connectivity. They were forced to do this because the central government pushed this system as a prerequisite for getting subsidized food (through what's called PDS or Public Distribution System). [3] UIDAI also had Windows XP as a recommended OS for these enrollment agencies. [4]

> In 2017, the UIDAI said it had blacklisted 49,000 enrolment centres for various violations.

The sheer hypocrisy and audacity of UIDAI here is that it has blacklisted all these agencies for violations without any legal action. From the time Aadhaar started in 2009/2010, this number averaged to about two agencies blacklisted every hour! But point out some security issue or a gap? You'll be facing a court case!

_____

This whole system has been patchworks of patchworks of patchworks, continuously in denial mode when experts ask questions on security, audit, privacy, etc. I would prefer that it be completely thrown out, like how the UK did with its national ID program several years ago. India doesn't need such enemies from within that/who make it easier for hostile entities/groups to disrupt or decimate the country! UIDAI needs to be shut down as well, since nobody in charge of the organization has shown technical or critical thinking ability, or has had the humility to face questions without getting into continuous denial.

The verdict in the petitions against Aadhaar is pending from the Supreme Court. I hope the verdict comes to save all the residents of India, and to save the country itself.

[1]: https://www.tribuneindia.com/news/nation/rs-500-10-minutes-a...

[2]: https://www.firstpost.com/india/uidai-files-fir-against-the-...

[3]: https://timesofindia.indiatimes.com/india/need-internet-to-b...

[4]: https://www.voltairenet.org/IMG/pdf/module3b_installation_co...


¯\_(ツ)_/¯ I wish I could express some kind of outrage, really, I do. This should be awful and undermines what I believe a sincere attempt to make India a better place. But really, what could they or anyone possibly expect?


Off topic: I simply can't find how to opt out of tracking on HuffPost. I get a GDPR popup and the opting-out path leads to endless cycles (with occasional captcha solving).


Works for me, don't know if my savior is uBlock Origin, uMatrix, or I Don't Care About Cookies...

https://github.com/gorhill/uBlock

https://github.com/gorhill/uMatrix

https://www.i-dont-care-about-cookies.eu/


I just keep using browser extensions like uBlock and Ghostery (caveat: it seems they also have a "we sell your data" opt-out) and every GDPR pop-up I just click "OK", knowing the extensions will block them. (Honestly, more believing than knowing, so maybe I'm not the best person to talk to about protecting data...)


HuffPost works without javascript. Use Quick Javascript Switcher or similar extension and disable js for the whole site.


Sounds like a scam to me.


It's kind of weird that they call the vulnerability itself "a patch".

I can be pedantic too and can see how there isn't really a distinction between an exploit and a patch, as they both modify the software, but that's a weird colloquialism, right?


It sounds to me like game cracks, which are basically patches since they make the software concerned more user friendly.


Govt should recover $1 Billion from Nilekani


Absolutely. That man should be behind bars for designing this atrocious system.


The current government possesses a type of thinking that considers reporting an embarrassing problem a bigger crime than those responsible for that problem.


He definitely has a very arrogant tone about aadhaar as well as his other body shop company.

This massive massive data leak could cost Indian citizens very dearly. Everything is being forced to link with aadhaar.

If some digital lord in future decides to colonize people in few secs, I believe Indian shores and as well as people sitting in capital might provide a very lucrative proposition!

I just hope it isn't Jio! Jio phone itself has very intrusive OS!


I wonder if there is a way to detect/assess fraudulent entries or whether this will require massive re-enrolment. Total shitstorm, WTF!!!!


Sad face :(


It is hard to believe by relying on just one source. I just checked other news sources in India, and no one has any news about any recent Aadhaar breach.


Kindly understand this article seems to come out of investigative journalism where the author seemed to have gotten hold of the patch presumably by paying 2500 and then did in-person research to create the article. Once published, other newsrooms usually do their own pieces if they find it relevant. Since this article has just been published (only 2 hours ago at the time of writing this comment), I wouldn't refute the article just on the basis of this criteria. I would usually wait for 1-2 days before using the above criterion to evaluate the article.


You've actually reworded what I have already said. Since there is no official statement from UIDAI or multiple private news sources reporting the same incident, this article/blog is not worth believing yet.


On the contrary. This was _investigated_ by a reporter(s) from the mentioned source and published. Other news publications need to verify it independently before publishing it themselves.

And on the "official statements" part, it's kind of naive to expect that they (UIDAI) would put out any statement given that in the past they have

- Not acknowledged security issues or made any efforts to do their own investigation in spite of the numerous reports

- Turned hostile towards entities who have exposed or reported weaknesses instead of rewarding them and plugging the loopholes


> I just checked other news sources in India, and no one has any news about any recent Aadhaar breach.

Here you go:

NDTV

https://gadgets.ndtv.com/internet/news/aadhaar-software-patc...

It is on the front page.

It takes mainstream sources a while to react to news. In 24-48 hours, all mainstream newspapers will have the news.


Do you think Times group, India Today and others will report this? They don't have the backbone to do that. Maybe you should read the article first, before commenting.


And why exactly do you think that they or any other news agency won't report it if such an incident has occurred?


Not related to the topic under discussion, but see the media blackout during the Radia Tapes Controversy[1]

[1] https://en.wikipedia.org/wiki/Radia_tapes_controversy#Media_...


Did you read the article? It's not about an "Aadhar breach" in the sense of data being stolen. The news is about a software hack that has been doing the rounds among operators that allows them to compromise the Aadhar database by introducing duplicate or weaker biometric information.

"The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.

The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.

The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person."

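Added example (not from the thread, the article, or UIDAI's own software): the three features the quoted passage describes as disabled by the patch (operator biometric authentication, the GPS location check, and iris-match sensitivity) are all enforced inside the client, which is exactly where a patched binary can switch them off. The defensive principle is that the server must re-check every such condition on its own copy of the data before accepting an enrolment. The sketch below assumes a hypothetical enrolment server with a server-held HMAC secret, a registry of centres and operators, and a digest of already-enrolled biometric templates; all names, fields and sample values are constructed.

```python
"""Server-side enrolment validation sketch (constructed example, not UIDAI code).

Every check here runs on the server, so a patched client can at most send
a request that fails validation; it cannot switch the checks off.
"""
import hashlib
import hmac
import math

# Hypothetical server-held secret; it is never shipped to the client.
SERVER_SECRET = b"constructed-demo-secret-not-real"

# Constructed registry of enrolment centres: id -> (lat, lon, radius_km).
CENTRES = {
    "CENTRE-001": (28.6139, 77.2090, 2.0),
}

# Constructed registry: operator id -> centre the operator is assigned to.
OPERATORS = {"OP-42": "CENTRE-001"}

# Stand-in for biometric de-duplication: digests of templates already enrolled.
# A real system would run a biometric matcher here, not an exact hash compare.
ENROLLED_TEMPLATE_DIGESTS = {hashlib.sha256(b"already-enrolled-template").hexdigest()}


def issue_operator_token(operator_id: str, issued_at: int) -> str:
    """The server issues this only after it has itself verified the operator's
    biometrics; the client merely stores the opaque string and echoes it back."""
    msg = f"{operator_id}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{operator_id}|{issued_at}|{mac}"


def verify_operator_token(token: str, now: int, max_age_s: int = 3600):
    """Return the operator id if the token is authentic and fresh, else None."""
    try:
        operator_id, issued_at_str, mac = token.split("|")
        issued_at = int(issued_at_str)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{operator_id}|{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered token
    if issued_at > now or now - issued_at > max_age_s:
        return None  # stale or from the future
    return operator_id


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def validate_enrolment(req: dict, now: int) -> list:
    """Return a list of rejection reasons; an empty list means the request passes."""
    reasons = []
    operator_id = verify_operator_token(req.get("operator_token", ""), now)
    if operator_id is None:
        reasons.append("operator not authenticated by server")
        return reasons  # nothing else in the request is trustworthy without this

    centre_id = req.get("centre_id")
    if OPERATORS.get(operator_id) != centre_id:
        reasons.append("operator not assigned to claimed centre")

    centre = CENTRES.get(centre_id)
    if centre is None:
        reasons.append("unknown centre")
    else:
        lat, lon, radius = centre
        dist = haversine_km(req["lat"], req["lon"], lat, lon)
        if dist > radius:
            reasons.append(f"location {dist:.1f} km from centre (limit {radius} km)")

    digest = hashlib.sha256(req["biometric_template"]).hexdigest()
    if digest in ENROLLED_TEMPLATE_DIGESTS:
        reasons.append("biometric template already enrolled")
    return reasons


if __name__ == "__main__":
    now = 1_700_000_000
    good = {
        "operator_token": issue_operator_token("OP-42", now - 60),
        "centre_id": "CENTRE-001",
        "lat": 28.614, "lon": 77.21,
        "biometric_template": b"fresh-template",
    }
    print("good request:", validate_enrolment(good, now))
    print("forged token:", validate_enrolment(
        dict(good, operator_token=f"OP-42|{now - 60}|deadbeef"), now))
    print("far away:", validate_enrolment(dict(good, lat=34.5, lon=69.2), now))
```

One caveat a practitioner would raise: the coordinates in the request are still client-reported, so a patched client can lie about them just as the article describes. The server-side geofence only becomes meaningful when corroborated by something the client does not control, such as the registered device identity or network origin of the session; the operator token and the de-duplication check, by contrast, cannot be bypassed by any client-side modification because the secret and the enrolled-template store never leave the server.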

There was also an Aadhar breach in the sense of the data being stolen, reported on earlier this year. By the same journalists, even!

https://thewire.in/government/data-breach-aadhaar-details-gr...

