Unusual Attempt to Prove Aadhaar Security Raises Questions
Ethical Hackers Claim They Used TRAI Chair's Aadhaar Number to Access More Data
Sometimes efforts to prove a system is secure can really backfire.
R.S. Sharma, the chairman of the Telecom Regulatory Authority of India and a defender of the security of the nation's Aadhaar digital ID system, attempted to demonstrate that security by tweeting his Aadhaar number on Saturday and inviting anyone to attempt to use it to access his personal information.
My Aadhaar number is 7621 7768 2740
— RS Sharma (@rssharma3) July 28, 2018
Now I give this challenge to you: Show me one concrete example where you can do any harm to me!
Then a number of ethical hackers, including Elliot Alderson, Pushpendra Singh, Kanishk Sajnani, Anivar Arvind, and Karan Saini, claimed they were able to use the Aadhaar number to gain access to Sharma's personal information, according to The Times of India. The information they accessed reportedly included his mobile telephone numbers, residential address, date of birth, PAN number, voter ID number, telecom operator, phone model and Air India frequent flyer ID.
Sharma's actions only served to raise yet more questions about Aadhaar's security, rather than to help build confidence in the identifier.
Reason for Concern?
Some Aadhaar supporters, however, brush aside the Sharma incident, contending that no one can make a money transfer by knowing just an Aadhaar number.
Vinit Goenka, governing council member of IT Task Force-Ministry of Railways, insists that the data accessed by the ethical hackers was readily available in the public domain.
Meanwhile, Ajay Bhushan Pandey, CEO of UIDAI, which administers Aadhaar, claims the ethical hackers gathered Sharma's data from a variety of sources. He tweeted on Sunday: "TRAI Chairman RS Sharma had tweeted his Aadhaar number and asked hackers to harm him using this. One hacker tweeted from @fs0c131y that he'd got Sharma's personal details by hacking the Aadhaar database - for cheap publicity. Instead, he'd fetched them from different sources, claiming they were from the Aadhaar database. He fetched Sharma's mobile number from the NIC website. Sharma was once Secretary of IT, hence head of NIC. He got his date of birth from the Civil List of IAS Officers, which is in the public domain. He got his address from the TRAI website because he is TRAI Chairman.
Press Statement: UIDAI strongly dismissed the claims made by certain elements on Twitter and a section of Media that they have fetched personal details of Shri Ram Sewak Sharma who is a public servant using his Aadhaar number. 1/n
— Aadhaar (@UIDAI) July 29, 2018
"In a digital google world, even without Aadhaar, personal data can be picked from different sources and a profile created. In Sharma's case, no data was fetched using his Aadhaar number from either UIDAI or other websites. They googled his name and got all the information."
Pandey insists that Aadhaar is safe because the servers are secured by a 2,048-bit encryption key that would take a supercomputer more than 13 billion years to crack.
Ways to Secure Aadhaar
Nevertheless, some security practitioners argue that because Aadhaar has become a target for hackers, UIDAI should devise a mechanism to prove that the leakage of Sharma's data did not come from its system. They also call on UIDAI to consider using new technologies, including digital watermarks, to enhance security.
These practitioners are concerned because of a series of security lapses involving Aadhaar that have been reported. For example, security flaws discovered in an app developed by the National Informatics Centre gave a Bengaluru-based software developer access to the Aadhaar numbers and personal details of thousands of citizens.
In another Aadhaar-related data breach, The Tribune newspaper reported that it was able to purchase, for just Rs. 500 on WhatsApp, a service offering unrestricted access to details tied to any of the more than 1 billion Aadhaar numbers created in India.
And another case involving the arrest of 10 men in Uttar Pradesh for allegedly cloning fingerprints of authorized Aadhaar enrollment officers stirred debate over whether it's wise for India to rely so heavily on Aadhaar for authentication.
The newly drafted data protection bill, released Friday, recommends amendments to the Aadhaar Act to bolster individuals' right to privacy and enhance multifactor authentication for Aadhaar-enabled transactions.
UIDAI may be secure, but third-party vendors and service providers who increasingly accept Aadhaar as a key document can also inadvertently enable data leakage, vulnerabilities and misuse.
A comprehensive security policy, not a cosmetic data protection framework, is required to safeguard Aadhaar.