Aadhaar website has basic security flaws, blogs Aussie expert
Hunt is a regional director with Microsoft and regularly holds workshops and hosts courses on information security.
Australian information security expert Troy Hunt on Thursday pointed out a bunch of basic security flaws with the Aadhaar website uidai.gov.in. These included a vulnerability to “man in the middle attacks,” outdated security certificates, and inadequate encryption of data.
In a blog post titled “Is India’s Aadhaar System Really ‘Hack-Proof’? Assessing a Publicly Observable Security Posture,” Hunt clarified that he wasn’t against the idea of Aadhaar, but he said the agency’s “attitude of ‘there cannot possibly be a security problem’ is reckless and needs redressing.”
On analysing the website, Hunt found that it blocked certain users based on their geographical location (a practice known as geo-blocking). Hunt says this can keep basic unauthorised automated attacks out but is a weak measure that is “easily circumvented.” He also found the website vulnerable to what are called “man in the middle” or MitM attacks, in which an attacker positions themselves between the user and the website’s server and takes advantage of gaps in the protection of data while it is in transit. Another security concern Hunt flagged was the security certificate used by the Aadhaar website: the one currently in use is due to stop being accepted by the Chrome browser in March this year.
“Aadhaar is complex and it will have flaws just like any other complex software product does. Some of them may be quite serious and they must be treated as such. That will require an open and receptive attitude from the government and above all, acknowledgment that Aadhaar is not ‘hack-proof’,” Hunt wrote, exhorting the Indian government to “move the needle in the right direction” in securing Aadhaar while appreciating the UIDAI’s move to introduce virtual tokens.
Hunt is also the person behind the popular website haveibeenpwned.com, where users can key in their email address to see if it has been compromised.
On why he chose to analyse the website rather than testing the integrity of the database, Hunt said, “It’s the first result on a Google search and time and time again, it’s promoted as the site people should go to before doing anything else Aadhaar related” and that an “entry point must be as secure as possible or else everything else behind there gets put at risk.”
Citing various news reports from Indian news organisations in which UIDAI officials have been quoted as saying that Aadhaar data cannot be breached, Hunt pointed out that every system has some vulnerability or other and is open to attacks or breaches. He pointed to the sophisticated Stuxnet attack on the Natanz nuclear facility in Iran, which affected the country’s highly secure uranium-enrichment centrifuges. He said that information security cannot be seen in purely binary terms. “It’s not ‘secure’ versus ‘insecure’, ‘safe’ versus ‘unsafe’, rather it is a spectrum of controls that all contribute to an overall security posture. There is no ‘fully’, there is no ‘completely’; every system – every single one – has weak points and a sufficiently well-equipped and determined adversary will find them,” Hunt wrote in his blog post.
While Hunt’s blog post was circulating rapidly online, a Twitter user going by the screen name Elliot Alderson and the handle @fs0c131y pointed out flaws in the mAadhaar mobile app. He posted a proof of concept on GitHub demonstrating the weakness of the passwords protecting the app’s databases.
Both these interventions come on the back of a recent investigative report from The Tribune showing how access to the complete Aadhaar database could be bought for a pittance of Rs 500. Following the report last week, an FIR was filed in the case naming the newspaper, the reporter and the editor.