UIDAI’s Aadhaar is the world’s biggest biometric database project: 111 crore of India’s 125 crore people are already enrolled in the identity scheme. We at TechieScoops.com were exploring how to make our website more secure, and while searching the web for different approaches we came across a neglected issue: the Aadhaar data leak and UIDAI’s handling of it. Here we cover a set of events related to the Aadhaar data leak and UIDAI’s response to the situation.
Aadhaar Data Leak reported via Twitter
On January 10, 2018, an anonymous hacker going by the name Elliot Alderson exposed the first Aadhaar-related security issue. He found that the mAadhaar app stores biometrics in its local database, and that the string used to derive the database password is weak, which makes it easy to crack.
After this he took a keen interest in the system and kept finding more vulnerabilities in it. He notified UIDAI of these security issues, but UIDAI turned a blind eye and no response came, so Elliot kept nudging them tweet after tweet, exposing one security flaw after another.
Elliot’s interest grew by the day. On February 25 he found a basic SQL injection vulnerability in the Telangana government’s benefit disbursement portal, the TSPost website. Through it he could access a database containing user information, including Aadhaar numbers, of 56 lakh National Rural Employment Guarantee scheme beneficiaries and 40 lakh beneficiaries of social security pensions.
The government shut the website down after this disclosure, telling TOI: “It was online due to certain dependencies. We have taken off the site from the web”.
Elliot once again tweeted, poking the government: “I don’t know if I have to laugh or cry. http://tspost.aponline.gov.in owners fixed the issue by putting offline the website.”
A few weeks later, on March 11, he tweeted: “I will play a game tonight: How many Aadhaar cards I can find in 3 hours? Note: All the cards must be available publicly.” He found 20,000 Aadhaar cards by manual search in the span of just 3 hours.
UIDAI Responds to Aadhaar Data Leak
After all this poking and notifying of the government about the security flaws in the Aadhaar system, UIDAI called Elliot’s report and the media reports that followed “irresponsible” and “far from the truth”. “It is repeatedly told that Aadhaar remains safe and secure and there has not been a single breach from its biometric database during the last eight years of its existence,” the UIDAI tweeted.
Elliot responded that instead of misinforming the Indian public, UIDAI should stop being in denial and discuss ways to fix its problems.
So, who is this guy, and why is he doing this?
Who is Elliot Alderson?
Elliot Alderson has been referred to as “Baptiste R”, a 28-year-old Frenchman. In an interview with Androidpit, Alderson said that he is indeed a 28-year-old French man. Subsequent interviews in several publications, international and Indian, continued to call him Baptiste Robert or Robert Baptiste, a French cybersecurity expert, 28 years of age.
A short interview with scroll.in reported: “Alderson confirmed by email (he would not do an audio/phone or a video interview) that he is indeed from France and that his “family name” is Robert. He said that his formal educational qualification is that of a network and telecommunications engineer, and professionally, he is a freelance Android developer. “I develop Android apps and customize the Android Open Source Project [AOSP] for phone makers,” Alderson said. “He made all his career in the Android sector.”
Elliot Alderson is a fictional character from the well-known series Mr. Robot. The real Elliot has been interested in cybersecurity and privacy issues for quite some time. “The Snowden revelations have been a big boost for me to dig more into the subject,” Alderson said. “By nature, I’m curious and I like to understand how things are working which often leads to finding security flaws.”
The problem with Aadhaar data
When this question was put to him in the scroll.in interview, he said,
“What I can see is that there is a big issue on how third-party websites are handling the Aadhaar data. Today, you can find thousands of Aadhaar cards with only one Google search query.”
“The first step for UIDAI in my sense is to make a full review of their partners and to impose some security requirements on these companies.”
On 16 March Elliot published a technique for finding Aadhaar cards on the internet, simply by searching Google with specific queries like the ones below:
- ‘inurl:gov.in intext:”Your Aadhaar No. :” filetype:pdf’
- ‘mera aadhaar meri pehchaan filetype:pdf’
- ‘”MERA AADHAAR, MERI PEHACHAN” filetype:pdf’
- ‘Aam aadmi ka Adhikar filetype:pdf’
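The queries above work because third-party sites publish beneficiary PDFs carrying those exact phrases. The defender’s counterpart, added here as an example and not code from the original post or from UIDAI, is to scan a document directory for the same markers and for 12-digit numbers that pass the Verhoeff check digit Aadhaar numbers carry (and never start with 0 or 1) before the files go online or get indexed. The file names and contents are constructed; in real use you would feed it text extracted from PDFs (for instance with pdftotext).

```python
import re

# Standard Verhoeff multiplication (d) and permutation (p) tables.
_D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],[3,4,0,1,2,8,9,5,6,7],
      [4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],[6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],
      [8,7,6,5,9,3,2,1,0,4],[9,8,7,6,5,4,3,2,1,0]]
_P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],[8,9,1,6,0,4,3,5,2,7],
      [9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],[2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]

def verhoeff_valid(number: str) -> bool:
    """True if the last digit of `number` is a correct Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0

# Phrases from the published search queries, lower-cased for matching.
MARKERS = ("your aadhaar no", "mera aadhaar meri pehchaan",
           "mera aadhaar, meri pehachan", "aam aadmi ka adhikar")
# 12 digits, optionally grouped 4-4-4; Aadhaar numbers never begin with 0 or 1.
AADHAAR_RE = re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b")

def scan_text(text: str) -> list:
    """Return (kind, detail) findings for one document's extracted text."""
    low = text.lower()
    findings = [("marker", m) for m in MARKERS if m in low]
    for m in AADHAAR_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if verhoeff_valid(digits):  # drops invoice numbers and other 12-digit noise
            findings.append(("aadhaar-number", digits[:4] + " XXXX XXXX"))  # never log the full number
    return findings

def scan_all(docs: dict) -> dict:
    """Map each document name to its findings, omitting clean documents."""
    report = {}
    for name, text in docs.items():
        findings = scan_text(text)
        if findings:
            report[name] = findings
    return report

# Constructed sample contents standing in for text extracted from PDFs.
SAMPLE_DOCS = {
    "pension_list.pdf": "Beneficiary: A. Kumar\nYour Aadhaar No. : 2345 6789 0124\n",
    "notice.pdf": "Invoice no. 2345 6789 0125 for office supplies",  # fails Verhoeff
    "circular.pdf": "Mera Aadhaar Meri Pehchaan\n",
    "clean.pdf": "Tender notice: supply of furniture",
}

if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_DOCS).items():
        print(name, findings)
```

Anything the scanner reports should be pulled from the web root (or the number redacted) before publication; a document with a marker but no number still deserves a manual look.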
Elliot has always wanted to respect the privacy of users and their data, so he was concerned about Aadhaar, one of the world’s largest biometric databases. He tried many times to contact UIDAI to resolve the issue, but UIDAI did not respond well, which is why he became a little offensive and rude.
Elliot also received a request on Twitter to sell some Aadhaar details, but he strictly said NO!
Importance of Cyber Security in our country!
Government websites in India are still vulnerable, and hackers are always on the lookout for such websites.
Many countries that are strong in cybersecurity are still under attack. It seems India is not yet on the hackers’ map, but once we are, data protection and cybersecurity concerns will only increase.
The Indian government should not ignore cybersecurity.