The UIDAI's ambitious Aadhaar project is the world's largest biometric database, with a whopping 111 crore of India's 125 crore people already enrolled in the identity scheme. While there is no doubt that the Aadhaar system makes it easier for the government to roll out benefits that reach the masses effectively, can the government guarantee the safety of this behemoth of a database?
On Wednesday, a French security expert who goes by the name Elliot Alderson on social media, but whose real name is Baptiste Robert, posted a video on Twitter, saying "How to bypass the password protection of the official #Aadhaar #android #app in 1 minute". In the video, the researcher explains flaws in the UIDAI's mobile app, showing how a person's Aadhaar information can be obtained by bypassing the app's password mechanism.
How to bypass the password protection of the official #Aadhaar #android #app in 1 minute. - Elliot Alderson (@fs0c131y) March 13, 2018
For this attack, the attacker needs physical access to the phone; a rooted phone is not needed, and yes, this is the latest version of the app.
Recently, Robert had claimed to have gained access to over 20,000 Aadhaar account details by doing a simple search on Google. Explaining his claim, Robert told India Today: "These cards can be found on the internet. Everything is public, no hack is required. You only need to use Google. These cards have not been found on the UIDAI server".
In response to his claim of having gained access to the Aadhaar accounts, the UIDAI issued a statement saying that "by simply knowing someone's Aadhaar, one cannot impersonate and harm the person because Aadhaar alone is not sufficient to prove one's identity but it requires biometrics to authenticate one's identity".
UIDAI has dismissed the reports as irresponsible which appeared in a section of social and other media on security of Aadhaar system being questioned on account of a few Aadhaar cards reportedly put on the internet by some unscrupulous elements. 1/n - Aadhaar (@UIDAI) March 11, 2018
Responding to this, Robert said: "they (UIDAI) also said the Aadhaar card is an identity document which is inconsistent with their statement". He also advised people not to "use the Aadhaar Android App at all, be cautious when you give your Aadhaar card to anyone".
The debate over the safety of Aadhaar data in India has been going on for a long time, and several loopholes in the system have been identified time and again. The government has tried to allay these fears by introducing new layers of security to make the system "safe and secure", but concerns over a data breach refuse to die down. The government is already hell-bent on making Aadhaar mandatory for availing of any service possible. But the Supreme Court, which is hearing a case on Aadhaar's constitutional validity, has told the government not to "insist" that people link Aadhaar with services such as bank accounts, mobile connections, etc., until the final verdict in the case is pronounced.
On January 4, a report published in The Tribune showed how its correspondent "purchased" a service from an anonymous seller on WhatsApp by paying Rs 500 via Paytm. Within minutes, the agent provided a login ID and password for a portal where the correspondent could enter any Aadhaar number and gain instant access to all of its details, including name, address, phone number, photo and email.
As the phrase 'data is the new oil' becomes fashionable, there is a strong fear among people that linking Aadhaar with each and every system needed to function in society could endanger their identity and safety. The Economist, in a report last year, observed how data as "a new commodity spawns a lucrative, fast-growing industry, prompting anti-trust regulators to step in to restrain those who control its flow."
On Tuesday, Robert had also highlighted that Paytm, India's largest e-payment app, was asking users for 'root access', which, he claimed, would give Paytm full access to their mobile phones, including contacts, pictures and chat details, among other data. Paytm, however, issued an immediate clarification, saying it sought 'root access' because this is mandated by the umbrella body, the NPCI (National Payments Corporation of India). "We are still checking if a device is rooted or not but the method has changed with a different coding. While the earlier method was foolproof, the latest one means to check if a device is rooted or not with a success rate of about 70-80%," a Paytm spokesperson said.