Earlier, Free Press Kashmir exposed how Aadhaar data breach was not the only data, that you trusted the government with, that was kept unsecured and vulnerable to abuse. Now, beyond the Tribune story exposing paid agents, getting Aadhaar information for 500 Rupees, we try and look at how easy it is do so.
“Hi Aadhaar. Can we talk about the benefits of Aadhaar for the population of India?’’ A tweet from Elliot Alderson, founder of Fsociety, a French security researcher, should have the Indian Authorities worried.
An expert in data security, Alderson, exposed how Aadhar’s biometric database is in great danger.
— Elliot Alderson (@fs0c131y) January 10, 2018
Although many say that the Aadhaar is here to stay, is the data that the citizens have trusted the government with safe?
— Nandan Nilekani (@NandanNilekani) January 10, 2018
Nandan Nilekani, the Co-founder of Infosys who has also worked on Aadhaar, on January 10 spoke to ET now, hitting out UIDAI critics, saying he’s 100% sure there is an orchestrated campaign on how Aadhaar can be maligned in view of SC hearing on constitutional validity.
But is that so?
According to Alderson, the Aadhaar android app is saving biometric settings in a local database which is protected with a password. To generate the password it uses a random number with 123456789 as seed and a hardcoded string db_password_123.’’
Okay so what does this mean?
To make one understand, whenever one sets the password with a random number as seed, the numbers are randomized in order to create a fresh new password from the given numbers (in this example, it’s 123456789).
So for each time, the password should be regenerated from the shuffling of 123456789. But this is not the case.
Elliott also pointed out that the code is copied from a question raised by a developer on Stackflow.
“Java random always returns the same number when I set the seed?” the question reads. Which further explains that the numbers never get reshuffled so it’s always the same password.
Worse, the API endpoint uses unsecured access of http, and not the secured https. Which means that anyone on the connection between the app and the server can peek in and modify the data going over the connection.
Whether the agents that Tribune story talked about were using the same method, cannot be confirmed, but from the basic nature of the security of it, even your local Mobile fixing booth can do it. It is high time the government takes expert help to secure the data.