The french security researcher, Baptiste Robert (alias Elliot Alderson on Twitter), brought India’s data security issues into the limelight again. This time he hacked into the Aadhaar app, bypassing the programs password protection protocol within a minute.
The Internet has been in an uproar about how someone can so easily gain access to twenty thousand card specifics in the span of a day.
How to bypass the password protection of the official #Aadhaar #android #app in 1 minute. For this attack, the attacker need a physical access to the phone, rooted phone is not needed and yes this is the latest version of the app.cc @uidai @ceo_uidai pic.twitter.com/7aZ0fvr0WvMarch 13, 2018
Speaking to IndiaToday about the vulnerabilities of the Aadhaar app, Robert said, “These cards can be found on the internet. Everything is public, no hack is required. You only need to use Google. These cards have not been found on the UIDAI server.”
Addressing the Aadhaar app in particular, Robert stated, “The main issue with the Aadhaar Android app is that if an attacker has a physical access to the device, he can easily bypass the password mechanism they put in place in the app.”
In their response UIDAI claimed, “Simply knowing someone's Aadhaar, one cannot impersonate and harm the person because Aadhaar alone is not sufficient to prove one's identity but it requires biometrics to authenticate one's Identity.”
Robert retorted, “They (UIDAI) also said that the Aadhaar card is an identity document which is inconsistent with their statement.”
Basically meaning to address the fact that as long it can be used to establish your identity without biometric verification, the vulnerability of that information poses a serious threat.
To protect users Robert has said, “It's complicated, first don't use the Aadhaar Android App at all, be cautious when you give your Aadhaar card to anyone.”
Which, is fair enough because a good system can only be successfully implement when there’s faith in its security.
Meanwhile UIDAI has published an onslaught of tweets explaining how the Aadhaar system isn't vulnerable at all and hasn't been hacked in eight years.
It is reiterated that Aadhaar remains safe and secure and there has not been a single breach from its biometric database during that last eight years of its existence. 11/11.March 11, 2018
Earlier this month, Robert hacked into two BSNL portals, gaining access to sensitive employee data and has been warning the concerned departments of the government where their data is unsecured. He’s been known to reach out to the Punjab Police, Telangana Government, Paytm and the Indian Postal Service among many others. Most recently, he highlighted how patient data is at risk through the Apollo Hospitals website.
Ethically, Robert has been communicating with the concerned organisations on Twitter itself keeping things open and transparent. He’s even publicly said that he’s not in it for the money, but to make data safer for users.