by Glyn Moody


Want Anybody's Personal Details From Aadhaar, India's Billion-Person Identity Database? Yours For $8

from the Aadhaar-admin-accounts-also-available-on-request dept

We've been writing about the world's largest biometric database, India's Aadhaar, since July 2015. Over 1.1 billion people have now been enrolled and assigned an Aadhaar number and card, which represents 99.9% of India's adult population. There are currently around 40 million authentications every day, a number that will rise as Aadhaar becomes inescapable for every aspect of daily life in India, assuming it survives legal challenges. That scale necessarily entails a huge infrastructure to handle enrollment and authentication. So it will come as no surprise to Techdirt readers that it turns out you can obtain unauthorized access to the Aadhaar system very easily, and for very little cost. As the Indian newspaper The Tribune revealed:

It took just Rs 500 [about $8], paid through Paytm [an Indian online payment system], and 10 minutes in which an "agent" of the group running the racket created a "gateway" for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

What is more, The Tribune team paid another Rs 300 [$4.75], for which the agent provided "software" that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.

Given the repeated assurances by the UIDAI that the Aadhaar database was completely secure, this is big news, and led to some breathless damage limitation by the Indian authorities on Twitter. The UIDAI explained that: "Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details"; and: "There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometric". Although it may be true that this is not a biometric data breach, it nonetheless reveals a serious vulnerability in the system's design, and on a vast scale. According to the original article in The Tribune, more than 100,000 "village-level enterprise operators", hired to help with Aadhaar enrollment, have been offering this kind of unauthorized access to the database. In fact, the problem seems to be even more serious than simply providing login credentials to thousands of people. Here's what another Indian site discovered:

Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that's not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters -- the Aadhaar database won't ask.

Even if biometric data is not involved, it's hard to see how UIDAI could claim that these aren't breaches of the database, or deny that the entire Aadhaar system is seriously compromised. It's almost inevitable that the security of an important database system will be defeated eventually in some way, since the rewards are by definition so high. The fundamental problem with Aadhaar is its underlying intent -- to create a single, giant database with key personal information about a billion people that can be accessed very frequently and very widely. That's never going to be safe, as the inevitable future breaches will confirm.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments



  1. Ninja (profile), 8 Jan 2018 @ 12:13pm

    Oh boy, it's going to be funny to watch when they have to change the citizenry passwords. Oh wait, they won't because you can't change biometry.

    *grabs popcorn*

    This is going to be an interesting shit show.


  2. Roger Strong (profile), 8 Jan 2018 @ 12:51pm

    In unrelated news, Wells Fargo stock value jumps after reports of a billion new users signing up for accounts and credit cards.


  3. Pixelation, 8 Jan 2018 @ 12:54pm

    "Given the repeated assurances by the UIDAI that the Aadhaar database was completely secure, this is big news"

    It is completely secure...when it's completely shut off.


  4. Anonymous Coward, 8 Jan 2018 @ 1:46pm

    Apparently they outsourced their tech support...

    ...to Bangalore.


  5. Dan, 8 Jan 2018 @ 2:36pm

    Weakest link :)

    You need to define data breach first. It doesn't need to be a very highly skilled hacking into the system and copying to the wild. It can just be one of the 1000s of weakest links with a login and password :)


  6. Drew_Wilson (profile), 8 Jan 2018 @ 3:31pm

    They Want to Jail The Reporter

    The punchline is that the UIDAI is actively trying to jail the reporter and file criminal charges against the newspaper for bringing this whole thing to light through an FIR: http://www.freezenet.ca/1-billion-people-exposed-aadhaar-data-breach/

    Methinks someone at the UIDAI is embarrassed right now.


  7. Christenson, 8 Jan 2018 @ 3:59pm

    Re: They Want to Jail The Reporter

    So, can I please have the ID card for the Prime Minister? I want to be him for an hour or two's joyride!


  8. Deepak, 8 Jan 2018 @ 4:15pm

    Lol. It is not unauthorized access.
    Some official with authorized access to a customer grievance portal allowed someone to look up the name and address for a given Aadhaar number. Do you share your SSN? If others don't have your Aadhaar they can't look up your details. It's funny how people interpret this as a compromise of the UIDAI system.


  9. Anonymous Coward, 8 Jan 2018 @ 5:26pm

    Re:

    Yeah - it's no big deal, nothing to see here - move along.
    They are going after the reporter for other unrelated reasons, I'm sure.

    /s


  10. CHIDANANDA KAKUNJE, 8 Jan 2018 @ 6:27pm

    Google has more for free

    If you search by last name or first name there is a lot of info available for free, so why spend ₹500?


  11. Drew_Wilson (profile), 8 Jan 2018 @ 7:19pm

    Re: Re: They Want to Jail The Reporter

    All it costs is 500 rupees to gain access to the database and an additional 300 rupees to print the cards, so really, the only thing stopping you is a couple of clay pots and getting in contact with whoever was selling that access on WhatsApp, really.


  12. Coyne Tibbets (profile), 8 Jan 2018 @ 8:14pm

    Six Degrees of Separation

    An admin can make anyone an admin?

    I think it is time to give this Six Degrees of Separation thing a trial. All the admins make everyone they know an admin and let's see if we can get the whole planet signed up.

    Can admins demote other admins? If they can, then bonus points if we can lock all of the proper admins out.


  13. Andrew Watson, 9 Jan 2018 @ 2:22pm

    As predicted ....

    It's all playing out exactly as predicted by the NO2ID campaign when it was fighting the proposed United Kingdom ID card ten years ago:

    https://www.no2id.net/wp-content/uploads/2013/12/database-man.pdf

    https://www.no2id.net/wp-content/uploads/2013/12/takejane-

    After an extended national campaign, we got the UK scheme stopped. Thank goodness.


