SUMMARY
The URLs Of The Aadhaar Document Shared By The Hacker Belonged To The Panchayat Raj, Andhra Pradesh Government Website
Inspired by the popular award-winning cybersecurity-based American TV series Mr. Robot’s protagonist Elliot Alderson’s quote “A bug is never just a mistake. It represents something bigger. An error of thinking that makes you who you are,” an anonymous hacker has now rebuked the Aadhaar security of UIDAI by publishing website links containing thousands of Aadhaar data.
The hacker has also posted a video explaining, “How to bypass the password protection of the official #Aadhaar #android #app in 1 minute.”
The Twitterati had earlier criticised Paytm for asking mobiles’ root-access from Paytm users which the company stopped later. Root access is essentially one of the most significant entry points for any Android device which can manipulate the operating system of the phone.
As Elliot in Mr. Robot had said, “I wanted to save the world”, the vigilante hacker Elliot, in his defence, tweeted, “I want to say something. I’m not against #Aadhaar. Not I’m in favour of Aadhaar. I just think that a project of this size deserves maximum security.”
In recent months, a number of media investigative reports have revealed the extent of the vulnerability of Aadhaar. However, UIDAI, instead of acknowledging the weak spot, started harassing people reporting the Aadhaar-leak.
Responding to the breach, UIDAI had then averred, “Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI”
It had further stated, “the Aadhaar numbers which were made public on the said websites do not pose any real threat to the people as biometric information is never shared and is fully secure with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics.”
However, the self-proclaimed French security researcher under the pseudonym Elliot Alderson has published URLs on his/her Twitter profile, which included people’s biometric data as well.
Within few hours, the URL became null and void. However, Inc42 was able to check the accessibility of massive Aadhaar data using web cache before it started showing Forbidden.
The URLs shared by the hacker belonged to the Panchayat Raj, Andhra Pradesh Government site.
UIDAI, however, in series of tweets, has already rebutted these claims. It averred, “UIDAI has dismissed the reports as irresponsible which appeared in a section of social and other media on security of Aadhaar system being questioned on account of a few Aadhaar cards reportedly put on the internet by some unscrupulous elements.”
The mother organisation of Aadhaar further added, “Aadhaar just like any other identity document, therefore, is never to be treated as a confidential document.”
It was the first time that documents containing entire Aadhaar data of thousands of people including their biometric details were easily accessible.
During early breaches, UIDAI had averred, “The existing security controls and protocols are robust and capable of countering any such attempts or malicious designs of data breach or hacking.”
Former CIA employer/American computer professional now turned a self-proclaimed flag bearer of freedom of press Edward Snowden seconded K C Verma, former Head, RAW, India “Rarely do former intel chiefs and I agree, but the head of India’s RAW writes #Aadhaar is being abused by banks, telcos, and transport not to police entitlements, but as a proxy for identity-an improper gate to service. Such demands must be criminalised,”
He had also said, “It is the natural tendency of government to desire perfect records of private lives. History shows that no matter the laws, the result is abuse.”
In January, this year, The Tribune had reported that some unidentified groups were selling the Aadhaar data of over one billion people at just $7.88 (INR 500).
The link shared by these unidentified group on WhatsApp provided the login and password details to access all the necessary details of one billion Indians. One just needed to enter the Aadhaar number, and bang! It showed the rest of the details, claims the report.
After paying $4.73 more, the group even shared the entire Aadhaar software, which one needs to print one’s Aadhaar details.
Further India Today and The Quint, in their separate investigative reports, found Aadhaar nodal agencies were actively involved in trading database for professional uses such as sales pitching etc.
Hence the big question is: passed under the Money Bill, where exactly Aadhaar Aadhaar is heading, in absence of basic laws pertaining to people’s privacy and data protection?
In order to mitigate the chaos surrounding the security of Aadhaar details of the citizen, UIDAI has also announced plans to introduce another measure – Aadhaar face recognition. The move will come into effect from July 1, 2018.
In Supreme Court, a five-judge panel headed by CJI is hearing the Aadhaar case on a day-to-day basis. While the Court has already extended the due date of Aadhaar linking indefinitely, it remains to be seen whether the above-said breach by the hacker Alderson will be used by the petitioners against Aadhaar or not.
