An aggressive UIDAI sets itself up for a forced, public security audit

Sriram Sharma January 12, 2018 6 min

The UIDAI citizen identity project is now facing the Streisand effect, with increased scrutiny from international security researchers following a Tribune investigative report, which revealed an access level breach last week. UIDAI, short for Unique ID Authority of India, was widely seen as losing the plot, with denials and opaque statements followed by an FIR filed at the journalist. With news coverage from around the world, comments and critiques have come from Edward Snowden, Wikileaks, and a host of other security professionals.

“Anyone got the India Aadhaar database?”, asks an anonymous member of a dark web forum named “Intel Cutout” in its Leaks and Databases sub-forum, a day after the Tribune story was published. Aadhaar is the name of  the ID project.

A dark web forum user asks if the Aadhaar database is available, a day after the Tribune story appeared.

With all the international attention on UIDAI, it could become a honeypot for cyber criminals, as its APIs are open publicly to anyone, warns a security researcher, who did not want to be named. Aadhaar APIs can be accessed through third-party AUAs (Authentication User Agencies) such as Aadhaar API, provided by Quagga Tech and Aadhaar Bridge, run by Khosla Labs.

Troy Hunt, creator of haveIbeenpwned, a data breach notification service, says that the UIDAI database makes for a natural target. “A site of that significance would be under constant attack anyway, I don’t think this would have really changed that,” he says, over a DM chat on Twitter.

Hunt is widely considered an authority on data breaches, and has written a lengthy guide on how organisations should, and shouldn’t, handle breach disclosure. In his latest analysis, he critiques UIDAI’s security posture and its claims that Aadhaar cannot be hacked or breached. He urges the UIDAI to use HSTS (HTTP Strict Transport Security), getting a Certificate Authority Authorisation (CAA), and adopting a content security policy. HSTS is a response header that tells web browsers to only access the site using HTTPS, instead of HTTP. A CAA keeps a record of certification authorities permitted to issue certificates for your domain, with an aim to prevent misuse. A CSP helps site owners set rules for content types (Java, CSS, audio files etc) allowed to load on a website.

When security by obscurity fails

In recent news, mobile security researcher Robert Baptiste, who goes by the handle Elliot Alderson decompiled the mAadhaar app on Android, sharing findings on security vulnerabilities over a series of tweets. The mAadhaar app allows users to carry a digital copy of their Aadhaar card as identity proof on their smartphones. The app has over a million downloads on Google Play since its release in July 2017.

Alderson, a French citizen, is known to freely disclose his findings on Twitter. In the past, his tweet storms have OneplusMakeMyTrip, and Xiaomi’s apps, among others. His research often gets picked up by publications covering the information security space.

Alderson exposed the database password and salt (random characters used to hash a password) of a local database used by the Android app, which would let a hacker in possession of the phone extract the user-created password and access Aadhaar details. Android apps allow the developer to put their data into a small local database within the app. “They used a local database in their app which is a common practice. They stored the hash (a fixed length value created using algorithms) of the user password inside ,” says Alderson, over a DM chat on Twitter. “This database is protected with a password, but the way to generate this password is poorly written, and this is the same for everybody. I made a PoC (proof of concept) to illustrate that,” he adds.

What this essentially means is that an attacker in possession of an Android smartphone could bypass the password protection of the mAadaar app, and access identity details in the app.

However, biometric details are not stored in the mAadhaar app, UIDAI later clarified, in response to his tweets. To which Alderson pointed out that the app is storing a profile photo of the Aadhaar holder on the app’s database, which is considered biometric information.

“I think this has been making the rounds for a while,” says an Indian security researcher, who didn’t want to be named. Indian information security experts for the most part have been shy of publicly disclosing vulnerabilities around Aadhaar, due to fear of reprisal and legal entanglements. It doesn’t help that the UIDAI project doesn’t have a formal vulnerability disclosure policy or a bug bounty program yet. “UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner,” UIDAI CEO Ajay Bhushan Pandey said in a tweet in August 2017, though there has been no announcement on this so far. Currently, the process is to email the report to the UIDAI CEO, Dr. Y. L. P. Rao; Deputy Director General & CVO; and Davesh Singh, ADG Tech., listed on the UIDAI website.

On a Reddit thread discussing the mAadhaar vulnerability, we found users discussing the exploit and how it could be taken advantage of. “The API endpoint uses unsecured access (http, not https). Which means anyone on the connection between the app and the server can peek in and/or modify the data going over the connection,” a Redditor says, discussing a potential man-in-the-middle attack.

Others are discussing ideas on breaches that would undermine the UIDAI’s project. “Minister’s data should be pasted on the internet. Lets see how safe they think it is then,” reads another comment. “I predict someone will use the leaked Aadhaar to publish all the BJP trolls’ data and accounts. Only then will they learn,” reads another.

Reddit users discussing potential exploits on the mAaadhaar app, based on Alderson’s findings.

UIDAI has added a long suggested security measure — on Wednesday, it announced a  Virtual ID system, an optional feature that offers a temporary 16-digit number which can be used for authentication in place of the Aadhaar number. Another feature, Limited KYC, will provide local AUAs with a unique 72-character alphanumeric ‘UID Token’ in place of the Aadhaar number.

Many voices in the infosec community have called for a full-fledged end-to-end security audit UIDAI. Even if an audit or bug bounty program is not forthcoming, it seems like security researchers won’t stop probing Aadhaar’s weaknesses and holding a public trial. In his latest tweets, Alderson is currently schooling Khosla Labs, which runs Aadhaar Bridge, an Aadhaar-based authentication service on how to use git.


Updated at 1:24 PM on January 12 2018 after it was brought to our notice that there are two other point of contacts to disclose email vulnerabilities. Further updated at 11.25 AM on January 15 to correct a typo.

Disclosure: FactorDaily is owned by SourceCode Media, which counts Accel Partners, Blume Ventures and Vijay Shekhar Sharma among its investors. Accel Partners is an early investor in Flipkart. Vijay Shekhar Sharma is the founder of Paytm. None of FactorDaily’s investors have any influence on its reporting about India’s technology and startup ecosystem.