INTERVIEW

Exclusive: Top security expert exposes dangerous flaws of Aadhaar

Date: 
August 1, 2018

Scientist Dr. Sandeep Shukla’s confidential studies highlighted the loopholes in Aadhaar but nothing has been done to beef up data security by the government yet.


Sandeep Shukla
 
Prof. Dr. Sandeep Shukla is one of the foremost system security experts and scientists in India. Professor Shukla currently heads Computer Science and Engineering Department, Indian Institute of Technology, Kanpur. He also serves as the Editor-in-Chief of ACM Transactions on Embedded Systems, and associate editor for ACM transactions on Cyber Physical Systems.
 
He has raised concerns on UIDAI Aadhaar’s security from time to time. One of his confidential studies highlighted the loopholes in Aadhaar but nothing has been done to beef up data security by the government yet, he observes.
 
In an exclusive interview, he spoke to Ujjawal Krishnam.
 
What is your general view of digital identifiers like passport and Aadhaar which contain sensitive information like biometric and demographic data?
 
I think that citizen’s privacy is not being taken seriously in India. A recent news article I read about the report by Justice Srikrishna committee on data privacy scared me. The report said that NASSCOM and other interested parties diluted the provisions for privacy, and any measure was not to be retroactive to data already available in the public domain. This is exactly the opposite of what Europe has done. Even in the US, when I went there as a student, social security number was used as a roll number for students in the university. By 1995, that was made illegal, and universities had to assign a local 9 digit number to students. But this number was related to the social security numbers of the students. When I was a faculty back in 2008 or so, new laws came into effect about privacy, and Universities had to create special computer programs that they supplied to faculty and staff to find any email or files on their personal computers where a student name and his/her roll number were in the same email or file. This program was meant to expunge all such files, emails etc. We were not allowed to display grades against roll numbers, and in no circumstances write an email where a student name and roll number were together. This is retroactive privacy. This was done to avoid in any way to divulge a student’s social security number give his/her name. Note that social security numbers are just numbers against names, and social security administration never ever collected biometric data. In fact, in the US, a person’s biometry cannot be requested without his/her informed consent on how that data will be used. Any use beyond that will require a judge’s permission.
 
So, while digital identifier is a requirement for many functionalities of governance, especially in the domain of taxation, immigration or international travel; adequate provisions of privacy in the law its and proper enforcement are extremely important. That is what is missing in India and from the recent reports on digital privacy commission, it is not very hopeful. Lobbying by large industrialists with vested interested will dilute it.
 
So It is very scary to think of how the digital identity is in the hands of one particular body without any oversight, no ombudsman to address citizen’s concerns, and no legal framework and sufficient safeguards against misuse. If today, UIDAI wants to turn off the Aadhaar authentication for someone they do not like, they can do that, and short of supreme court intervention, nothing can be done about it.
 
So no matter what one thinks about the need for digital identity with biometry for efficient e-governance, due to lack of the right mindset, awareness of privacy issues, awareness of threats and regulatory and oversight framework, they are very disturbing, to say the least, and outright violation of citizen’s right to liberty.
 
You being a computer scientist can tell us better about the constraints related to technical safety measures generally faced while maintaining web-accessible data. Are they vulnerable?
 
Any data that is accessible via the web, can be hacked. For example, the softwares used to build a website are written by human programmers, and they often carry many vulnerabilities. Only a few months ago, one of the most popular website building software Drupal was found to have such a vulnerability that by using it, a hacker can easily install malware into your web server and get root access, compromise your encryption key and exfiltrate all data. In fact, our website was running on Drupal 7.57 and our system administrator did not update it to 7.59 in spite of being warned and we got completely hacked. In 2016, Linux operating system Kernel was found to have a bug called ‘dirty cow’ which allowed anyone to become a root administrator of a web server running on Linux that was not updated, and again we ourselves hacked our system administrator’s website. So, anyone who exports an interface to the world through web technologies can fall prey to hacking and data exfiltration or worse. The system administrator has to be always on his/her toes, keep watching out for advisories from security agencies and update their software immediately – otherwise, they will be attacked very easily.
 
However, much of the Aadhaar data leaks happened not even because of these, but because the database behind the web server was seeded with Aadhaar data because of poor choice in using Aadhaar as the identity of people in these databases.
 
This happened to Andhra government database for MNREGA recipients and it showed the caste and longitude-latitude of their homes, and it was available through that website. Given the large-scale atrocities against Dalits and other minorities, this made it very dangerous kind of data to be made available so easily.
 
In December 2011 the Parliamentary Standing Committee on Finance, led by Yashwant Sinha, rejected the National Identification Authority of India Bill, 2010, and suggested modifications. The Committee noted that the project was being implemented in an unplanned manner and bypassing the Parliament. As per reports, Intelligence Bureau too slammed Aadhaar as residence proof. Taking a U-turn, BJP led government too adopted Aadhaar. What technical difference do you find between Aadhaar of UPA regime and Aadhaar of incumbent NDA regime?
 
My understanding is that Aadhaar under UPA regime was meant only for identifying the recipients of government subsidies such as MNREGA, food safety provisions etc. However, even then the privacy concerns were the same. In the current regime, they have forced us to link our bank accounts, our mobile numbers, and whatnot. This has now become draconian compared to the original motivation of Aadhaar. However, even the original motivation would have had the same problems if done the way it was designed. Today UIDAI claims that their servers are very secure behind physically strong walls, 24x7 sentries, and also strong encryption etc. But the point is that 30 per cent of all important cyber-attacks in the world are known (through various industry surveys) to be due to insider attacks. That may mean some disgruntled employee or a vindictive system administrator can run havoc on a secure system. Also, if a citizen is disliked by the authorities, they can willfully destroy that person’s Aadhaar record and thereby disable his bank transaction abilities, rendering his mobile connection illegal and what not. The other issue is that most of the leaks that happened are not from the main servers at UIDAI but from all kinds of databases that are seeded with Aadhaar numbers. Those databases are under the control of various other jurisdictions and hence may not have adequate technical knowledge or wherewithal to take cybersecurity measures to protect the data. Also, biometry-based authentication can be faked using fingerprints lifted from various places one touches and using a 3D printer or a mould. Recently, it happened in Mumbai – an enrolment agent gave a copy of his fingerprint mould to someone else to use for authenticating himself to enrolment software in his absence. A number of back channels created for convenience led to use of those back channels for Rs. 500 as was reported last year. There are numerous scenarios one can think of that can get a person into trouble because of Aadhaar. If the authorities took cognizance of these and had taken the measure by not allowing everyone to ask for Aadhaar number or Aadhaar card (my UPS package delivery guy refused to hand over a package without a copy of my Aadhaar card) and regulated any agency that seeds their database with Aadhaar number – things would be safer; But their reaction is always denial and often aggressively dismissive – which is a huge problem in even fixing this problem. So technically even if the UIDAI servers may be better protected, I do not see that as adequate as the leaks are everywhere but at those servers.
 
"UIDAI authorities have created core security and encryption mechanism very well, but as you go outwards into the ecosystem, your control over those entities starts loosening,” you had said as flaws in the NIC developed app surfaced. What were the concerns you were raising then? Did the authority take a note of it?
 
This was my comment during the hack by a computer scientist back in 2016 of the E-hospital app created by NIC using Aadhaar based authentication. The app was created by NIC and using the app one could book a hospital appointment anywhere in India. In order to identify the patient, it required the patient’s Aadhaar number and OTP to his/her mobile. The app authenticated itself to the user agency servers using a hard-coded password in the program (which is an extremely poor security practice and should never be used). The hacker used the app, some network monitoring while the app interacted with the NIC servers, and a code disassembly to discover the hardcoded password as well as the protocol. Then he created his own app which used the same server and got Aadhaar details of many people.
 
While speaking to Hindustan Times, I commented that NIC had shown extreme negligence and incompetence because any software company should first do a cybersecurity audit before the software is released to the public which they seemingly did not do. A couple of NIC employees threatened to go to court for calling them out. This is not the way. If one has made a mistake, which anyone can, it is best to understand the mistake, withdraw the product, fix the product and fix the software development process, and then re-release it. This kind of approach to keep things under the wraps, or to threaten the people who criticize the lack of cybersecurity audit process cannot lead to security.
 
Similarly, various cases of Aadhaar leaks have come to surface since then, and in all cases, we saw denial to the effect that “UIDAI servers did not get hacked – so your data is safe” – instead of “oh we need to take adequate measures against those companies that designed poor software, or did not protect the data and privacy.” Shooting the messenger is not the proper response to security problems.
 
So the major problem with Aadhaar does not stem from the servers – although it could – if one employee with the keys to the encryption system goes rogue – which can happen – the main problem stems from the fact that it is being connected to each and every piece of information. Even my Air India frequent flyer account now demands e-KYC. Even though the Supreme Court has put a suspension to the requirement of connecting bank accounts or mobile numbers to Aadhaar – we can no longer open a bank account – or get a mobile subscription without Aadhaar. Even cable tv subscription is asking for Aadhaar. So our privacy and data security and our financial security is getting more and more in danger every day. The fact that UIDAI servers are safe has nothing to do with it.
 
One confidential study of yours was discussed in the government and in MeitY. The report highlighted that digitalisation of the banking sector post-demonetisation led to a sharp increase in cyber-crime. Since the government is pushing towards Aadhaar-based financial transactions, securing the Aadhaar database should be accorded top priority. With the Aadhaar number being integrated to various services, leakage of UID data is a matter of serious concern. Your study also signalled that Digital wallets promoted post-demonetisation like Paytm and BHIM are unsafe. What are the concerns here? Are there any developments shown by the government on the technical aspect?
 
We did that report and we were told that the committee would take it up in the parliament. But to our knowledge that never happened. I think in September, it will be two years since we did that report.
 
Recall, that Paytm app was asking for root access to our phone until a hacker found out and tweeted about it. Now Paytm says that they withdrew that functionality. Why does a wallet need root access of a phone? That sounds pretty suspicious. But our concern was somewhere else. In 2016, 70 per cent of Indians were using Android 5.1 or below. Even now, a lot of Indians use old android phones. Also, a lot of Indians do not download the latest patches on their phone. May cheap phone companies do not even make the latest updates available to their users in time. Recently google fixed a large number of security problems in android 8.0 but a lot of cheaper phone makers did not provide those patches to users yet. Now, without the patch, any phone can be hacked with malware, or apps laced with malware. Therefore, anyone using any wallet on such vulnerable phone could be subject to losing his/her banking credentials.
 
Your study also suggested that a Cyber Security Commission needs to be urgently established modelled on the Atomic Energy Commission with similar powers and mandate since it also involves defence risks as well as finance-related concerns. Please outline the model and concerns.
 
I feel that cybersecurity is not taken seriously enough. Cybersecurity is a serious business today. Recall the Russian hacking of US election or the Ukraine power grid being hacked and many other such incidents. Even today, the report on MH 370 flight came out with a suspicion that the trajectory might have been manipulated. The cars can be hacked as shown by many researchers and breaks may be made to fail. The android phones had a remote management problem that was recently discovered. So, it is in the interest of national security to take cybersecurity seriously.
 
A cybersecurity commission would work independent of the government of the day, like the atomic energy commission or space commission and protect the privacy of citizens, and hold government entities responsible for the breaches. There seems to be no regulatory framework for cybersecurity weakness assessment of any data or the operations of various critical services. The commission should employ cybersecurity experts and not bureaucrats whose cybersecurity knowledge is limited. Also, it seems that most bureaucrats take any criticism personally as can be seen by UIDAI’s response after every data breach. No one can design a cyber-secured system perfectly and those who say they can are not being truthful or are ignorant. So under proper experts, this problem of taking things personally and persistent denial when some privacy concerns are raised will hopefully disappear and more scientific temperament will be there.
 
A recent report published in 'People's Archives of Rural India' highlighted the problems revolving around biometric records of beneficiaries. The report illustrated woes of Lucknow's Parwati Devi whose fingers were damaged due to leprosy. So this waste worker in Lucknow – and possibly thousands similarly afflicted – couldn't get an Aadhaar card too, and without it, she cannot get disability pension or rations as well. What are some technical alternatives which can be used in such critical cases?
 
Well the UIDAI authority would show in the Aadhaar Act, they have kept provisions for such cases and forbade such denials due to lack of biometric authentication. For example, a blind person cannot provide Iris scan, or people employed in labour intensive job may lose the fingerprints. However, the reality on the grounds is different. It seems that providers of the services are not aware of the Aadhaar act, and there is no attempt by authorities to strongly punish those services who deny services due to lack of a biometric match. This is really an implementation problem, and without the authorities making all such service providers aware of the specific provisions of the Aadhaar Act, and levying penalty on such service providers when they do not abide by the law – this cannot be handled.
 
The alternative to biometry is often OTP sent to the registered mobile of the user – but for a poor person – not having a mobile phone or someone who changed mobile number this won’t work.
 
While a lot of people are unable to get Aadhaar card due to these reasons, a lot of fake Aadhaar cards are getting created by various follies of the enrolment software.
 
So I think this biometry based identification and authentication was abandoned by UK and other countries just because of these kinds of situations. I will stick to my point that using biometry which cannot be changed when compromised unlike password which can be changed if compromised, is a really bad idea.
 
Just some days ago TRAI Chairman R S Sharma put out his unique ID on Twitter with a challenge to anyone who could "do any harm", this came as an attempt to showdown critics of the Aadhaar system. Following this, some self-claimed hackers replied to him with his personal information. While authority has denied of Aadhaar breach as information shared was available in the public domain. What is your reaction to Mr Sharma's challenge?
 
As I said before, UIDAI always responds that the database they maintain is safe – but it does not matter. Why does a UPS mailman ask for a copy of my Aadhaar? Because his boss does not trust him and wants my Aadhaar copy to believe he delivered. But if my Aadhaar number is known to him the first time, he can easily make a fake Aadhaar and from then on never deliver my order, and just show his boss a copy of my Aadhaar. This has come to that kind of stupidity in the country – mindless use of Aadhaar everywhere. The reason for this is some even educated people with vested interests such as Mr. Sharma tells citizens that Aadhaar is flawless and promotes its use everywhere.
 
Another defence we heard from Mr. Sharma and his supporters is that the personal information the hackers showed within hours of knowing his Aadhaar number was all in the public domain. First of all, that itself is no defence because that means he is one of our regulators do not take data privacy seriously. Why is making his mobile number which he also uses as registered mobile for Aadhaar public? Does he not know fake SIM based attacks? He was lucky that white hat hackers who responded to him did not go beyond legal limits – they can exact much more harm to him than they did as they usually do not go beyond legal limits. But at the same time, he should be aware that many black hat hackers also saw his tweets and might be working in silence and he will know it sooner or later but it may be too late.
 
The simplest kind of attack that he faced was connecting the dots of various disparate sources of public information easily as every piece of information now is somehow attached to Aadhaar number and that too because of him and his allies. Someone even faked his Aadhaar card with simple software and used it to make accounts in his name in cloud hosting services. They could also run an illegal site on that host in his name – and get him into trouble. Of course, being connected to government – nothing of that sort probably happen to HIM, but if regular citizens do not treat their Aadhaar number as sensitive information following his lead, they might get into serious trouble like that.
 
Last night, Mr. Sharma said that he is getting 100s of Aadhaar authentication request message on his phone which is draining his mobile battery – that is called a denial of service attack. Any student of cybersecurity knows of this kind of simple threat models because it can be done with IoT devices, mobiles and many other devices. Why did he not think of this before making his Aadhaar number public? That shows how little he knows about cybersecurity, and little knowledge is a very dangerous thing.
 
Following the challenge, a Twitter user put a thread mentioning that he made a fake Aadhaar of R S Sharma with the available information and digital platforms like Amazon have accepted it as an identity proof too. Doesn't that mark a feeling grave disquiet among citizens?
 
Yes, indeed. He misled citizens and if others do the way he did – and they do not have the government muscle power that he has – they could jeopardize their identity and life in many ways. It was absolutely imprudent and irresponsible message to send to people, and a lot of white hats got back at him for that. But who knows what black hats are plotting silently against him. We will know in the coming months.
 
Dylan Curran, a data consultant and The Guardian contributor spent three weeks studying FreeHacks, one of the dark web’s biggest platform for hackers. He found that nothing is safe- from passports to credit cards. What is your opinion on the dark web with regards to the vulnerability Indian digital identifiers are facing?
 
Most advanced governments such as Israel, US, UK, Russia monitor the dark web as it is those dark edges of the Internet which are not accessible via google search or any other easy means. They are known to users of the dark web and one has to access those through anonymous proxies such as Tor. There are some hacker channels which are pretty innocuous but there are deeper channels that are outright illegal stuff. Silk-road is the most infamous dark web activity that was dismantled by FBI – people were doing illegal drug business and apparently even paying professional assassins through that.
 
As I said – while UIDAI and other Indian authorities often have been very unkind to white hat hackers – they are actually the ones who are showing them what is wrong and what should be improved. But black hat hackers congregate on the dark web and discuss these vulnerabilities and I won’t be surprised that Mr. Sharma is a subject of plots in the dark web discussion forums by really talented but criminal hackers.
 
A 2017 compendium drafted by UIDAI on Aadhaar observed that Aadhaar can now be de-linked from any account. Is it necessary?
 
I think if it is enabled – people should delink. But the problem is that most entities like banks, mobile phone companies, insurance companies and anyone else who took your Aadhaar data via e-KYC have already seeded their local databases with Aadhaar. Much of that might not even be under the jurisdiction of UIDAI. You may de-link your data from the UIDAI servers if they allow, but the monstrosity enabled and created by UIDAI over the last few years will not go away easily, and our citizen’s data privacy has been compromised for good.
 
This is really treacherous territory – and it is really unfortunate that our bureaucrats and politicians forced it down our throat and now they cannot save us from the consequences.
 
As per our records, there are at least hundred Aadhaar enabled frauds recorded between March 2012 and April 2018. Many of cases include forging Aadhaar. Some cases also saw verified agents providing Aadhaar on fake supporting papers. Last year, a Pakistani national was arrested from Haryana with a forged Aadhaar card. Incidents like these also question Aadhaar's credibility. So, should there be a similar Aadhaar application system like Passport Seva Kendras (PSK)?
 
There are Aadhaar enrolment centres – and last year UIDAI stated that they will close down all small enrolment centres and only will allow post offices and banks to be enrolment centres. But the passport is not so universal as the majority of our population do not go abroad ever, so passport seva kendras are in big towns and large cities. They made Aadhaar mandatory for everyone – so making seva kendras at the same sparsity as passport kendras won’t suffice. They have to do it much more locally and then the same problem of forgery will happen. So, I think the best is to declare Aadhaar as a bad idea and go for a different model of digital identity.
 
If you say that you need a nationwide ID to collect birth and death data, our federal system is completely broken. So is our local governance. Such records should be kept at the district level, and consolidated at the state level, and the central level database should get feeds from state databases. Of course, one can imagine a project to computerize such registration system in that hierarchical setup. But doing it through a national identity is basically undermining the federal structure, and also centralization intent based. I do not see why Aadhaar is needed. It seems a posterior justification of draconian Aadhaar system.
 
Instead, laws should be strengthened to ensure that all district administrations and state administrations have enough IT-enabled systems to feed into the centre’s database on the birth/death and other life events. In fact, such data need not reveal the identity of the persons -- if public health policy decision is the aim of such a system.
 
Again, adding educational data through Aadhaar suffers from the same issue - education is a state subject - and already there is too much centralization (NEET vs. state medical entrance exams). If the answer to all corruption is to centralize and intrusion into local governance -- then our system of governance is broken and requires a new constitution.
 
To me, identity should be hierarchical -- not a flat structure. The local government is in a better position to provide identity to a person and then it should be collected from local governments as an when required. I think my biggest problem is that the centralisation and thereby exercising control. I read somewhere that the Aadhaar of the journalist was blocked who showed on TV that with a fake name he could register himself twice? I can understand if UIDAI had filed a police case against him and let the judges decide the punishment - which he did - but on top of that like a tyrant he blocked his ID -- and if this is the only ID one can function with - this person is disabled in all functionality and livelihood. This should be illegal to do so by local governments, but then the person can appeal to the next higher authority and get the ID unblocked. But if there is this flat central structure whom can he approach?
 
I think PDS should also be hierarchical as was originally designed. Of course, corruption and middlemen need to be cut out through IT-enabled mechanisms but I think Aadhaar is harmful to PDS itself and also harmful for citizen rights.