Want Anybody's Personal Details From Aadhaar, India's Billion-Person Identity Database? Yours For $8
from the Aadhaar-admin-accounts-also-available-on-request dept
We’ve been writing about the world’s largest biometric database, India’s Aadhaar, since July 2015. Over 1.1 billion people have now been enrolled and assigned an Aadhaar number and card, which represents 99.9% of India’s adult population. There are currently around 40 million authentications every day, a number that will rise as Aadhaar becomes inescapable for every aspect of daily life in India, assuming it survives legal challenges. That scale necessarily entails a huge infrastructure to handle enrollment and authentication. So it will come as no surprise to Techdirt readers that it turns out you can obtain unauthorized access to the Aadhaar system very easily, and for very little cost. As the Indian newspaper The Tribune revealed:
It took just Rs 500 [about $8], paid through Paytm [an Indian online payment system], and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.
What is more, The Tribune team paid another Rs 300 [$4.75], for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.
Given the repeated assurances by the UIDAI that the Aadhaar database was completely secure, this is big news, and it led to some breathless damage limitation by the Indian authorities on Twitter. The UIDAI explained that: “Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details”; and: “There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometric”. Although it may be true that this is not a biometric data breach, it nonetheless reveals a serious vulnerability in the system’s design, and on a vast scale: encrypting the biometric store says nothing about who is allowed to query the demographic one, and a lookup facility that returns anyone’s name, address, phone number and photo to any holder of an operator login is an access-control failure, whatever the encryption. According to the original article in The Tribune, more than 100,000 “village-level enterprise operators”, hired to help with Aadhaar enrollment, have been offering this kind of unauthorized access to the database. In fact, the problem seems to be even more serious than simply providing login credentials to thousands of people. Here’s what another Indian site discovered:
Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that’s not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters — the Aadhaar database won’t ask.
Even if biometric data is not involved, it’s hard to see how UIDAI could claim that these aren’t breaches of the database, or deny that the entire Aadhaar system is seriously compromised. It’s almost inevitable that the security of an important database system will be defeated eventually in some way, since the rewards are by definition so high. The fundamental problem with Aadhaar is its underlying intent — to create a single, giant database with key personal information about a billion people that can be accessed very frequently and very widely. That’s never going to be safe, as the inevitable future breaches will confirm.
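The two failures the reports describe are both access-control design choices: a lookup that hands any logged-in operator the full record for any number, and an admin role that can mint further admins with no second approver. The toy model below is an added example, not UIDAI code or anything derived from it; the records, IDs, daily limit, one-time-code step and two-person admin rule are all constructed assumptions, chosen to show what the same stated purpose (helping a resident who lost their slip) looks like when a leaked operator login alone yields nothing useful.

```python
import secrets
from collections import defaultdict

# Constructed sample data: placeholder IDs and people, not real Aadhaar records.
RECORDS = {
    "000011112222": {"name": "Resident A", "address": "1 Example Lane", "pin": "110001",
                     "phone": "+91-90000-00001", "email": "a@example.invalid", "photo": b".."},
    "000033334444": {"name": "Resident B", "address": "2 Example Lane", "pin": "400001",
                     "phone": "+91-90000-00002", "email": "b@example.invalid", "photo": b".."},
}


class OpenPortal:
    """Model of the reported pattern: any login dumps any record, any admin mints admins."""

    def __init__(self):
        self.admins = {"root"}

    def lookup(self, operator, aadhaar_no):
        # Only the login is checked; the operator's relation to the resident is not.
        return RECORDS.get(aadhaar_no)

    def make_admin(self, actor, target):
        if actor in self.admins:
            self.admins.add(target)  # no second approver, no check on who target is
            return True
        return False


class ScopedPortal:
    """Same purpose, redesigned: resident must be present, output minimal, grants dual-controlled."""

    DAILY_LIMIT = 20                       # assumed policy value, per operator
    REPRINT_FIELDS = ("name", "address", "pin")

    def __init__(self, send_otp):
        self.send_otp = send_otp           # delivers a code to the phone on file
        self.admins = {"root"}
        self.proposed = {}                 # target -> proposing admin
        self.counts = defaultdict(int)     # operator -> lookups today
        self.challenges = {}               # token -> (operator, aadhaar_no, code or None)
        self.audit = []                    # every attempt, successful or not

    def begin_recovery(self, operator, aadhaar_no):
        self.audit.append(("begin", operator, aadhaar_no))
        self.counts[operator] += 1
        if self.counts[operator] > self.DAILY_LIMIT:
            raise PermissionError("operator over daily lookup limit")
        rec = RECORDS.get(aadhaar_no)
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_hex(8)
        # Always issue a token so the operator cannot probe which numbers exist.
        self.challenges[token] = (operator, aadhaar_no, code if rec else None)
        if rec:
            self.send_otp(rec["phone"], code)   # only the resident can read this
        return token

    def complete_recovery(self, operator, token, otp):
        op, aadhaar_no, code = self.challenges.pop(token, (None, None, None))
        ok = op == operator and code is not None and secrets.compare_digest(code, otp)
        self.audit.append(("complete", operator, aadhaar_no, ok))
        if not ok:
            return None
        return {k: RECORDS[aadhaar_no][k] for k in self.REPRINT_FIELDS}  # no phone/email/photo

    def propose_admin(self, actor, target):
        if actor not in self.admins:
            raise PermissionError("not an admin")
        self.proposed[target] = actor
        self.audit.append(("propose_admin", actor, target))

    def approve_admin(self, actor, target):
        proposer = self.proposed.get(target)
        if actor not in self.admins or proposer is None or proposer == actor:
            raise PermissionError("needs a second, distinct admin")
        del self.proposed[target]
        self.admins.add(target)
        self.audit.append(("approve_admin", actor, target))


def demo():
    """Replays the two reported abuses against both models; returns what a bought login gets."""
    open_portal = OpenPortal()
    dumped = open_portal.lookup("bought_login", "000011112222")  # full record, photo and all
    open_portal.make_admin("root", "stranger")
    open_portal.make_admin("stranger", "anyone_else")            # admin chain grows unchecked

    delivered = {}                                                # stands in for the resident's phone
    scoped = ScopedPortal(send_otp=lambda phone, code: delivered.__setitem__(phone, code))
    token = scoped.begin_recovery("bought_login", "000011112222")
    stolen = scoped.complete_recovery("bought_login", token, "wrong")      # operator alone: nothing
    token = scoped.begin_recovery("bought_login", "000011112222")
    with_resident = scoped.complete_recovery(
        "bought_login", token, delivered["+91-90000-00001"])                # resident present: minimal
    return dumped, sorted(open_portal.admins), stolen, with_resident


if __name__ == "__main__":
    print(demo())
```

The point of the second model is not the one-time code as such but what it changes: a sold login no longer buys a lookup oracle, every attempt leaves an audit record tied to an operator, the result is the minimum needed to reprint a slip, and no single admin can quietly grow the admin set.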
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: aadhaar, database, hacked, id, identity, india, privacy
Comments on “Want Anybody's Personal Details From Aadhaar, India's Billion-Person Identity Database? Yours For $8”
Oh boy, it’s going to be funny to watch when they have to change the citizenry passwords. Oh wait, they won’t because you can’t change biometry.
*grabs popcorn*
This is going to be an interesting shit show.
In unrelated news, Wells Fargo stock value jumps after reports of a billion new users signing up for accounts and credit cards.
“Given the repeated assurances by the UIDAI that the Aadhaar database was completely secure, this is big news”
It is completely secure…when it’s completely shut off.
Apparently they outsourced their tech support...
…to Bangalore.
Weakest link :)
You need to define data breach first. It doesn’t need to be very highly skilled hacking into the system and copying to the wild. It can just be one of the 1000s of weakest links with a login and password 🙂
They Want to Jail The Reporter
The punchline is that the UIDAI is actively trying to jail the reporter and file criminal charges against the newspaper for bringing this whole thing to light through an FIR: http://www.freezenet.ca/1-billion-people-exposed-aadhaar-data-breach/
Methinks someone at the UIDAI is embarrassed right now.
Re: They Want to Jail The Reporter
So, can I please have the ID card for the Prime Minister? I want to be him for an hour or two’s joyride!
Re: Re: They Want to Jail The Reporter
All it costs is 500 rupees to gain access to the database and an additional 300 rupees to print the cards, so really, the only thing stopping you is a couple of clay pots and getting in contact with whoever was selling that access on WhatsApp.
Lol. It is not unauthorized access.
Some official with authorized access to a customer grievance portal allowed someone to look up the name and address for a given Aadhaar number. Do you share your SSN? If others don’t have your Aadhaar they can’t look up your details. It’s funny how people interpret this as a compromise of the UIDAI system.
Re: Re:
Yeah – it’s no big deal, nothing to see here – move along.
They are going after the reporter for other unrelated reasons I’m sure
/s
Google has more for free
If you search by last name or first name there is lots of info available for free, why spend ₹500?
Six Degrees of Separation
An admin can make anyone an admin?
I think it is time to give this Six Degrees of Separation thing a trial. All the admins make everyone they know an admin and let’s see if we can get the whole planet signed up.
Can admins demote other admins? If they can, then bonus points if we can lock all of the proper admins out.
As predicted ....
It’s all playing out exactly as predicted by the NO2ID campaign when it was fighting the proposed United Kingdom ID card ten years ago:
https://www.no2id.net/wp-content/uploads/2013/12/database-man.pdf
https://www.no2id.net/wp-content/uploads/2013/12/takejane-
After an extended national campaign, we got the UK scheme stopped. Thank goodness.