[1]: https://thewire.in/tech/uidai-files-fir-tribune-reporter-aad...
[2]: https://timesofindia.indiatimes.com/india/theres-an-orchestr...
Hate the govt all you want, but Aadhaar, as you know, was started by the previous govt. It is, if designed properly, a good way to eradicate corruption for welfare schemes, so any ideas on how to do that are more appreciated than playing blame game on HN.
So you would colour everything by a certain journal with the same brush, without even looking into the reported claims? In the cited case, the content in the link (and the claim for which they were cited) is easily verified from multiple sources: [1], [2], and [3]. Even when The Daily Mail reports something outrageous and easily verified I verify it, and The Daily Mail is a tabloid.
> Hate the govt all you want, but Aadhaar, as you know, was started by the previous govt.
This is neither here nor there. The "previous govt." was four years ago. In these four years, the current govt. — who used to claim to be staunchly against Aadhaar back then — have turned tail and zealously forced people into registering for Aadhaar and linking it with their phones, bank accounts, and even made it mandatory for kids to attend school. "But four years ago, someone else started it!" is a pointless argument when the current party has far more than enough time to fix it, or even just acknowledge the flaws.
> so any ideas on how to do that are more appreciated than playing blame game on HN.
Criticism is not a "blame game", unless the criticised turns it around and blames someone without accepting or refuting the criticism. Entertaining and listening to criticism IS a good way to improve one's product, not stuffing one's fingers into one's ears and claiming your product is the best ever and "unhackable" and filing police complaints against your critics to silence them.
----
1: https://www.livemint.com/Politics/hZGXG4q43ZeeTp2HH5QlaK/Aad...
2: https://www.tribuneindia.com/news/nation/uidai-responds-afte...
3: https://www.firstpost.com/india/uidai-files-fir-against-the-...
Care to provide any reasoning why you call it propaganda?
https://thewire.in/caste/does-india-need-a-caste-based-quota...
Summary
1. Existing data is not compromised
2. Duplicate data can't be entered or overwritten
3. BUT, ghost accounts can be created easily.
Aadhaar was introduced to fight ghost accounts that siphon off subsidies provided for the poor. This hack/patch defeats that purpose.
I still think this is not as big a problem as it looks on the surface. If the enrollment software is hacked to accept iris data from a photograph,
can't the Aadhaar DB (post enrollment) be scanned for all enrolled iris data with poor-quality iris data, and those be monitored and deleted?
Another problem is still there: what if the operators enroll citizens from a different country as Indians, essentially creating ghost accounts (from citizens of a different country)? I don't know how to stop such a situation.
Biometrics is never a good model for authentication. I don't know what these people were thinking when they designed it.
1. Surprise, there's a separate $10 application which can access all the Aadhar database entries. Exposed by one of the journalists of this story, for which she got a police case filed against her. [a]
2. Aadhar has no way to verify double entries, one whistleblower to Supreme Court said the database has 40% bogus entries, i.e. 450 Million fake IDs. Yes, no verification backup documents, no signup forms exist for 40% entries in the database, and authority has no way to audit them. [b]
a. https://www.tribuneindia.com/news/nation/rs-500-10-minutes-a...
b. https://ia802809.us.archive.org/26/items/Aadhaar_Whistleblow...
Bonus: Aadhar database was at one time hosted in US with FTP password being Admin$12. This is the state of this sham project. https://imgur.com/a/2sppFrm
Can the said journalist just release the application in public domain? If not, why not?
> 2. Aadhar has no way to verify double entries, one whistleblower to Supreme Court said the database has 40% bogus entries, i.e. 450 Million fake IDs. Yes, no verification backup documents, no signup forms exist for 40% entries in the database, and authority has no way to audit them. [b]
If the authority has no way to audit them, then how did the whistleblower arrive at this magical "40%" figure?
What's worse than the 40% figure is the way the entire letter is written. No way a professional would write a letter with all caps, typographical errors, paragraphs upon paragraphs of sensationalism with little to show for "proof". Even the table which shows the details of "AadhaarCount v/s Aadhaar Records" is not something available in public domain so it cannot be validated as authentic.
> Bonus: Aadhar database was at one time hosted in US with FTP password being Admin$12. This is the state of this sham project. https://imgur.com/a/2sppFrm
I have seen this crop up in every discussion, but nowhere in the screenshot does it say that the data hosted in the US was the "Aadhaar database". All this screenshot details is that some files were hosted by the UIDAI team on a US-based server to share among themselves. The files could be anything. In fact, the email itself says the files are flat files with names:
1. Bill_Desk
2. Total_EXP
How did you arrive at the fact that this is the Aadhaar database itself? I can easily assume that "Total_EXP" can mean total expenses and "Bill_Desk" has something to do with bill desk. Nowhere does it say "Aadhaar_DB" or something along those lines. This is laughable!
Also, this same screenshot exists in the so called "whistleblower's letter" to Supreme Court judges as well. There is no confirmation of any such correspondence by the Supreme Court judges about being in receipt of any such letter.
Sorry to say but the way the entire letter is written screams of fake news you typically forward through WhatsApp only to realise later that the entire story was fraudulent to begin with.
There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".
> "Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer," Wallach said.
OP is not negating the problem. However, the title implies that the existing database has been breached, which is not true. Author could have given a better title which implies that ghost entries could be added and existing data has not been compromised.
I am questioning the choice of title. Of late, I am seeing too many articles about Aadhaar breaches, and when I study them in detail, it's mostly related to social engineering/phishing attacks stealing OTPs, enrolling unsuspecting customers, etc.
I am worried that when an actual breach happens, people probably won't care. (Crying wolf?)
Put out the patch in public domain or at least provide some technical information on the vulnerability itself (by making the said report public).
Every time a story of this sort comes out it inevitably ends in a lot of hand waving and sensationalism: how a reporter got access to a secret WhatsApp group that sells a patch in exchange for 2500 rupees and it allows access to the UIDAI system.
What makes it worse is that we are supposed to just accept whatever this CTO and his two other researcher friends have to say without any way to validate it ourselves. I don't see this happening with any other vulnerability disclosure: be it Spectre, Meltdown or plethora of other exploits which have detailed explanation of the exploit itself. Considering that it affects a billion plus people and as claimed by the article that Aadhaar is "compromised" and "cannot be fixed without requiring a fundamental change in the system" there is no reason now to hold back on technical details.
"This is pretty feasible, and looks like something that would be possible to engineer"
On the one hand you say the patch which can be bought for 2500 rupees already does this and at the same time you use words like "possible to engineer" and "feel pretty comfortable". Since when have feelings and possibilities gotten more prominence than technical explanations?
I'm not saying that the system is foolproof. On the other hand, I am waiting for that one article that goes into the technical details of the exploit rather than just sensationalism.
Not so easy. Every effort that's made to reduce fraud (false positives), might affect genuine beneficiaries who depend on the system for food, healthcare and education - by increasing exclusion (false negatives). A probabilistic auth platform with a really wide scope is a recipe for failure.
This is an attitude a system designer should have: always be on the lookout for vulnerabilities.
If media starts writing articles on would-be vulnerabilities, then it is just fear mongering.
No surprises that the database was compromised. Aadhaar is a fundamentally flawed system and nothing will ever be done about it.
In Aadhaar enrollment centers, passwords are shared. You might like to introduce an OTP-like concept, but phones are shared too. 2FA? Nice try, but then people also share answers to security questions. Next what? DNA authentication? Biometrics? Guess what, none of those are anywhere near reliable, and they are mostly identity-related things and not authentication-related things.
There is also government policy. Which is lapse. Mostly run by civil servants who understand nothing about technology. IAS is largely a trivia testing exam with focus on things like meeting and group discussion skills. The head of UIDAI recently claimed that data could not possibly have been stolen as the data was still in their database :)
This is a phenomenal lapse at every level.
Software is one thing, but if your people have decided to work around it, it's basically all over.
We also need to consider the motivations for working around 2FA or any such authentication systems. One is convenience as you've pointed out.
The other, much bigger motivation IMO, is the opportunity to make money. As the article points out, once enrolment was outsourced (Rs30/enrolment) it was immediately seen as a money-making venture, so a whole bunch of these centres with dubious credentials surfaced. They were entrusted with document verification too, so they would happily accept just about any piece of paper as proof of address. Then there was a business of charging desperate people money to create an Aadhaar account, without which they wouldn't get subsidies.
And then they shut down (50,000 or so) these enrolment centres. Did they expect all those employed at those centres who lost their jobs to not do anything about it!? Of course they would figure out ways to enrol people!!
The database is not known to be compromised.
There's no doubt that Aadhaar was a blatant copy of bringing an SSN-type ID in India but failed terribly as the Government was more interested in using Aadhaar to show their domination rather than put it to its actual purpose. E.g.: Govt made Aadhaar mandatory for tax filing, India's Top Supreme Court denied. The same thing happened in many instances.
This is a nice lesson in why simply copying a solution from the US can't be made to work in a developing nation, because the system and officials are so fragile that they need to be fixed first, before the solution itself!
[1] https://news.ycombinator.com/item?id=15796242
In fact SSN use has become more restricted over time, thanks to various pieces of privacy legislation. Meanwhile in India they still don’t have any privacy legislation last I checked, so it’s open season on your data.
Aadhaar is ambitious all right — an attempt to assign every Indian resident a number and use that number as a unique key for almost everything (public or private). The surveillance opportunities this presents are breathtaking.
Of course the good folk at India Stack love this because it enables them to build better apps. Move fast and break things, indeed.
I hate the implementation of Aadhar as much as any person, and believe the architecture is terrible that a patch can allow authentication to be bypassed. And that there could be more vulnerabilities. However, at least in this instance, existing data has not been compromised.
https://thewire.in/government/data-breach-aadhaar-details-gr...
[1] https://www.troyhunt.com/is-indias-aadhaar-system-really-hac...
Who could benefit indirectly from the breach? Could the Indian government turn to Facebook and WhatsApp for help with identity profiling? Is Facebook Indian data held in Indian data centers?
This story will find its way into future documentaries on the history of "Papers Please".
> in February 2018, the UIDAI terminated all contracts with common service centres as well .. Henceforth, only banks and government institutions like the postal service can enrol Aadhaar users. As a consequence, tens of thousands of young men, with rudimentary education but great familiarity with the Aadhaar system, were put out of work.
> In interviews, out-of-work operators claim they can still use the hacked enrolment software to generate enrolment ids (the first step in the Aadhaar registration process) and have tied up with sources working in authorised centres who complete the registration process for a fee.
> ... creates a whole new set of problems and could defeat many of Aadhaar's purported aims, such as reducing corruption, tracking black money, eliminating fraud and identity theft. It also means that the Aadhaar database is vulnerable to the same problems of ghost entries as any other government database
> the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.
> Sourcing the patch is as easy as gaining access to one of thousands of WhatsApp groups where the patch, and the usernames and passwords required to login to the UIDAI's enrolment gateway, are sold for as little as Rs 2,500. Payments are made through mobile wallets linked to phone numbers that quickly go dead after the transactions are complete.
This, and who will buy that data?
Everybody screams about the hack but I've never found a comprehensive study of how this personal data is sold and abused. Maybe to break gazillions of Facebook/GitHub/you-name-it accounts? Then what, who will use that data? Thieves? Criminals? If it's just that, well, that's a minor inconvenience.
If it's secret services of adversary powers, well, that's a whole lot different.
Does anybody have facts on that?
It's only a minor inconvenience if you can sit in a comfortable place and pontificate on Hacker News about these things. Seems like you're not even aware that people have already lost their pension money or bank account balances or didn't get food that they were entitled to and died in the process — everything related to the coercion in the Aadhaar system and how it can be misused by others for fraudulent purposes.
Perhaps your privilege in life is standing in the way of understanding how bad things are with the Aadhaar system. Please search for #AadhaarFail on Twitter, look for articles on scroll.in and thewire.in (two sites that some people do hate) and rethinkaadhaar.in.
The most probable beneficiaries are food/gas etc. distributors. In pre-Aadhaar days they used to create fake ration/gas cards and sell food at un-subsidised prices in the black market.
A prime (purported) driver for Aadhaar was to stop the creation of these ghost people. Now that ghost Aadhaar accounts can be created (per the report), these distributors will get back to their old ways of making money.
India has a lot of poor people, so the threat vector isn't yet FB/GitHub :-).
http://210.212.23.57/online/OnlineApply/Notice.aspx
They just made Aadhaar mandatory for every school kid in Mumbai, Maharashtra. Good luck to anyone who has to share their children's details on an insecure platform.
Seems like they are well aware of this hack.
Skimming through the article, it seems the attacker can register himself in the system but not read data from the system. Also, there's no mention of 1.2B records being compromised.
While I still dislike a citizen's database, I can also see why some kind of person authenticator is needed for a country like India. I sat through UIDAI architects' presentations, and from what I could tell, substantial thought was given to the design. So while I maintain skepticism for such a database, I also believe India needs some way to authenticate various transactions (monetary or otherwise). SSN is a joke; at least Aadhaar was given substantial thought.
Please - this is pretty much how it works everywhere, nothing unique to India.
Why do you think lawyers, accountants etc in the corporate world get paid so much? Do you remember the U.S president saying avoiding federal taxes makes him smart?
> the culture which celebrates corruption
What are you basing this on? There is no question there is rampant corruption, but saying the culture celebrates it is taking it a bit far
I avoid taxes. I contribute to my IRA, donate to charities and deduct my home office space. What I don’t do is evade taxes by not declaring income.
An honest assault on corruption should target the government and parties rather than individual citizens. The work in that department seems to be going the other way though. e.g. https://www.thehindu.com/opinion/op-ed/the-danger-of-elector...
The catch: only residents (not citizens) of India are authorised to have a number. Because one person technically cannot have more than one Aadhaar number (reality: ha!), the theory is that a government subsidy database needs one unique Aadhaar number per beneficiary.
This theory breaks down when you enroll an individual who does not need an Aadhaar number because they are not a resident. That number can be misused by another resident to get a second entry into the database, and it's a perfectly legitimate number linked to an Indian phone number that can receive an OTP and behave indistinguishably from a resident.
Fake enrolments are the equivalent of a hack of the US SSN system that would allow anyone anywhere in the world to make an SSN for themselves. What could they possibly do with that?
> B. Regunath, a software architect who led the team at Mindtree that worked on the project, said a web-based enrolment software for Aadhaar was not practical at the time because many parts of the country had very poor Internet connectivity.
Of course, anyone who put id generating software on these laptops with the expectation that it would somehow remain secret was being extremely foolish. The system should have been designed taking that into account.
And of course, each such laptop must have a unique hardware key that would sign these requests, so copying the software wouldn't compromise anything.
I mean what's with the "Caesar can do no wrong" attitude on this site ?
States are evil. The best possible case is that they might be, at times, the lesser evil.
India has a biometric database with 1B people on it!
... wow ... just wow ...
And adding new people to it is now compromised by a publicly available hack, although getting 1B biometrics on board must have had an error rate that would be scary anyway.
The UUID created is needed almost everywhere, like driving license numbers elsewhere.
How much of the scare is "People can be added once but under incorrect names" perhaps wiping out criminal pasts? or "people can be added more than once"
The second is surely a search problem?
At least Apple, etc., keep a hash of the biometric data in a secure enclave on each device. Storing biometric data in a centralized database is beyond reckless, no matter who does it.
The ability to add people is problematic - once you have unverified additions, you can't trust whether even real biometrics were used for it, so it wouldn't even necessarily show up as a duplicate.
Search: Biometrics matching has a lot of failures (5% of 1 billion is still a huge number).
Most governments of foreign countries I have visited (US, many parts of Asia) have my fingerprints. The Australian government doesn't (to my knowledge, anyway).
There are restrictions on how vast this database is allowed to be and what all it can be linked to, in most cases.
I guess the search is only limited to these zones.
What is not covered in this article is that all data from the client (even if compromised) is validated by a completely different system on the server side (any decent system does this and so does Aadhaar), and the client too has undergone maybe 20 revisions to add features/fix issues - again typical of any software. The latest version of the client software, I am told, entirely boots off a secure external storage. Now, older versions might still be in use in the field. The enrolment client software has provision to force-upgrade the software and go to the extent of locking up and not allowing any new enrolments. The server counterpart can also check and reject enrolments from previous versions of the client software. All of this was shared with the same reporter and you can see how much (or how little) of it was actually covered in this fact-finding exercise. Press has the ability to tell the truth or sensationalize; these guys chose the latter.
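Two design points raised in the comments above, a per-device key that signs every enrolment request and a server that validates packets and rejects outdated clients, look like this in code. This is an added example, not UIDAI's or Mindtree's code or protocol; the packet fields, device ids, keys and minimum version are constructed for illustration, and HMAC-SHA256 stands in for a signature from a hardware-held key so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

MIN_CLIENT_VERSION = (3, 2)  # hypothetical minimum accepted client release


@dataclass
class Device:
    key: bytes             # assumed to live in the station's secure hardware
    revoked: bool = False
    last_counter: int = 0  # highest packet counter accepted so far (replay guard)


def canonical(body: dict) -> bytes:
    """Stable byte encoding so client and server authenticate the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_packet(device_id: str, key: bytes, counter: int,
                client_version: str, record: dict) -> dict:
    """Client side: the packet an enrolment station would send (hypothetical layout)."""
    body = {"device_id": device_id, "counter": counter,
            "client_version": client_version, "record": record}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def verify_packet(packet: dict, registry: dict) -> str:
    """Server side: return 'accepted' or the reason for rejection."""
    body, tag = packet.get("body"), packet.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return "malformed"
    device_id = body.get("device_id")
    if not isinstance(device_id, str):
        return "malformed"
    device = registry.get(device_id)
    if device is None:
        return "unknown device"
    # Authenticate the packet before trusting any other field in it.
    expected = hmac.new(device.key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "bad signature"
    if device.revoked:
        return "device revoked"
    try:
        version = parse_version(body["client_version"])
    except (KeyError, ValueError, AttributeError):
        return "malformed"
    if version < MIN_CLIENT_VERSION:
        return "client too old"
    counter = body.get("counter")
    if not isinstance(counter, int) or counter <= device.last_counter:
        return "replayed or stale counter"
    device.last_counter = counter
    return "accepted"


def demo() -> list:
    """Run five constructed packets through the server-side check."""
    registry = {
        "station-001": Device(key=b"constructed-key-for-station-001"),
        "station-002": Device(key=b"constructed-key-for-station-002", revoked=True),
    }
    record = {"enrolment_id": "EXAMPLE-0001"}  # constructed sample record
    key1 = registry["station-001"].key
    good = sign_packet("station-001", key1, 1, "3.2", record)
    # Copied client software on another machine: knows the id, not the device key.
    copied = sign_packet("station-001", b"not-the-device-key", 2, "3.2", record)
    old = sign_packet("station-001", key1, 2, "2.9", record)
    revoked = sign_packet("station-002", registry["station-002"].key, 1, "3.2", record)
    packets = (good, good, copied, old, revoked)
    return [verify_packet(p, registry) for p in packets]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A check like this binds a packet to a registered device and client release; it says nothing about whether the data captured on that device is genuine.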
I went to a regional passport office to get my Aadhaar card about 2 years ago. I sat in front of a desk with an employee - she was logged in to a website that let her upload my picture/biometrics and info into the Aadhaar system. The desk had a post-it 3 feet away from me with the login username/password written on it.
Since the operators also need to verify biometrically to login, that alone wouldn't be enough to hack it. But if you think about the general level of understanding of IT among the public, and probably even the people who wrote the software, it's pretty unsurprising to see it hacked.
Even so, I don't think it's really possible for a huge entity like the government (or even a large company) to learn all the practices around security/technology without making mistakes and learning under situations with real consequences. As long as they learn from these mistakes and accept failure, rather than trying to cover them up, we will get there in time.
That's probably why this article doesn't mention it.
Aadhaar needs something like TrustRank or a Web Of Trust where identity and citizenship isn't binary but a continuous number (probability) based on who and how many vouch for your identity. A lot of citizens, especially in rural areas, aren't documented very well. It's best to acknowledge that uncertainty in the system and deal with it.
The public discussion around Aadhaar is very confused. There's hardly anything wrong with a universal ID for every citizen. There are already several in India (Driving License, Passport, Voter's ID, PAN card, etc.). The real privacy issue is around (a) the govt. collecting biometric data, and (b) how much the govt. / third-party service provider learns about you when you authenticate your identity using Aadhaar. The UIDAI doesn't even want to discuss the issue in the open ("trust us, your data is secure. No proof of hacking whatsoever."), and the use of non-open-source software and closed biometric hardware is troubling. If biometric scanners are using proper encryption, who holds the keys? (My guess, the manufacturers have it, and lots of people who shouldn't have it do have it). What's needed is consensus building, maybe through a public consultation, about what the majority of people are willing to disclose to the govt. Biometric isn't an absolute necessity for Aadhaar to achieve its stated goals. That said, recent polls show that the percentage of Indians who trust their govt. is way higher than in the west, so the govt. can probably get what it wants while playing nice.
There's also very little discussion about how secure the biometrics are. There's no info about what services are considered sensitive and need more than a fingerprint. Fingerprints may be fine for 5 years, but I have a hard time believing they'll be constant enough for secure identity verification over 80 years. What happens when biometric fails and a significant chunk of the populace can't sign, don't remember their date-of-birth or any password, or even their full name? Again, something like a web of trust would've been helpful.
One of the things people need to realize is this is a bigger bureaucratic problem. It has nothing to do with current or previous government. Previous government pushed this through because it was in their agenda and the current government cried foul. Now the tables have turned.
What this tells me is that there are a lot of private interests which are playing a huge role in Indian governance, irrespective of the government. And we as a people, getting into petty fights about the nationalist/anti-nationalist debate, are losing sight of the target.
Fantastic work! One of the authors of this investigative piece, Rachna Khaira, was key in exposing a major issue with the "last mile" software and how cheaply (just Rs.500/about USD 7) and easily someone could get the Aadhaar and demographic details of almost any resident in the country who's enrolled in the system. [1] UIDAI's response for her investigation was to file an FIR (First Information Report/police complaint) against her in an attempt to put her behind bars. [2]
Activists have always argued that the lack of transparency and information could mean that there are many "ghosts" (or bogus enrollments) in the Aadhaar system (which claims that it cannot have "ghosts", ignoring technological as well as biometric limitations). Now there's no saying how many of the 1.1 billion entries in the Aadhaar system are bogus. As the article states, private agencies were used to handle the enrollment and capture of biometrics and recording of demographic information. All these agencies were paid on a per-enrollment basis. Guess what incentives they would have in a country with high levels of corruption at many levels? I'm certain that a bulk of the enrollments that have been issued Aadhaar numbers are bogus.
While activists may feel vindicated that more and more holes are being exposed in the Aadhaar system (while UIDAI continues to always remain in denial mode), it's sad that hundreds of millions of people have been left vulnerable by this poorly designed and poorly implemented system.
> B. Regunath, a software architect who led the team at Mindtree that worked on the project, said a web-based enrolment software for Aadhaar was not practical at the time because many parts of the country had very poor Internet connectivity.
> "People were cranking up generators just to light up power and do the enrolment. How can they do an online upload of those packets?" asked Regunath, who has since moved to a senior technical position at Flipkart.
What utter nonsense!!! I can't imagine someone calling themselves a software architect being so gullible and ignorant. The entire Aadhaar system is dependent on Internet access and connectivity. Post issuance, the authentication of anyone through biometrics needs real time Internet connectivity. There's no way around that (even where an OTP is generated, the initiation of the OTP sent over SMS by UIDAI has to happen by connecting to UIDAI's web based APIs). Even as recently as last year, people in some places were forced to climb trees because they couldn't get a good cellular signal and Internet connectivity. They were forced to do this because the central government pushed this system as a prerequisite for getting subsidized food (through what's called PDS or Public Distribution System). [3] UIDAI also had Windows XP as a recommended OS for these enrollment agencies. [4]
> In 2017, the UIDAI said it had blacklisted 49,000 enrolment centres for various violations.
The sheer hypocrisy and audacity of UIDAI here is that it has blacklisted all these agencies for violations without any legal action. From the time Aadhaar started in 2009/2010, this number averaged to about two agencies blacklisted every hour! But point out some security issue or a gap? You'll be facing a court case!
_____
This whole system has been patchworks of patchworks of patchworks, continuously in denial mode when experts ask questions on security, audit, privacy, etc. I would prefer that it be completely thrown out, like the UK did with its national ID program several years ago. India doesn't need such enemies from within that/who make it easier for hostile entities/groups to disrupt or decimate the country! UIDAI needs to be shut down as well, since nobody in charge of the organization has shown technical or critical thinking ability, or has had the humility to face questions without getting into continuous denial.
The verdict in the petitions against Aadhaar is pending from the Supreme Court. I hope the verdict comes to save all the residents of India, and to save the country itself.
[1]: https://www.tribuneindia.com/news/nation/rs-500-10-minutes-a...
[2]: https://www.firstpost.com/india/uidai-files-fir-against-the-...
[3]: https://timesofindia.indiatimes.com/india/need-internet-to-b...
[4]: https://www.voltairenet.org/IMG/pdf/module3b_installation_co...
https://github.com/gorhill/uBlock
I can be pedantic too and can see how there isn't really a distinction between an exploit and a patch as they both modify the software, but that's a weird colloquialism, right?
This massive massive data leak could cost Indian citizens very dearly. Everything is being forced to link with Aadhaar.
If some digital lord in future decides to colonize people in few secs, I believe Indian shores and as well as people sitting in capital might provide a very lucrative proposition!
I just hope it isn't Jio! Jio phone itself has very intrusive OS!
here you go
NDTV
https://gadgets.ndtv.com/internet/news/aadhaar-software-patc...
It is on the front page.
It takes mainstream sources a while to react to news. In 24-48 hours, all mainstream newspapers will have the news.
"The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.
The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.
The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person."
https://thewire.in/government/data-breach-aadhaar-details-gr...