Aadhar Security, Bringing Sticks to a Gun Fight

Credits: Rishi Mohan

Before we begin, let us not make the issue political. Please read this story as a citizen of the country and not as a supporter of any political party. I do not intend to fight people but ideologies. The only thing that matters to me is our safety.

We have been told our data is completely secure and ‘hack-proof’. But, let me tell you, there is nothing in this world which is ‘hack-proof’.

During the Second World War, the Germans used the Enigma machine to protect their messages. An operator could type in a message (e.g. "Food supplies coming from the west") and the machine would produce gibberish (e.g. "A1B2# C3D4$#ED JD@#KK #$%%#"). This was broadcast over the radio. On the receiving end, a machine set to the same daily settings turns the same gibberish back into the original message. It was only a matter of time. Alan Turing cracked the Enigma code, which played a key role in the defeat of the Nazis.

The inventors of the Enigma machine relied on certain mathematical assumptions. Alan Turing found ways around those assumptions, which is what enabled him to crack the code. All security is built on technical assumptions of this kind, and we have plenty of Alan Turings (hackers) who challenge those assumptions and break them. It has happened numerous times in the past and it will keep happening; that is how the field advances. Considering past events, how can anyone call their system 'hack-proof'?

When you visit Aadhar's portal, you see buttons, images, information and so on. A security expert sees things that are invisible to the naked eye. Such experts have found security flaws and pointed them out several times, with solid proof that UIDAI's security is weak. Their only intention is to strengthen Aadhar's security.

When your child does something wrong, you correct them for their own benefit. Sometimes they accept it and fix their mistake. Sometimes they refuse to accept the mistake and cry, "I don't like you".

We have such a child here, one that fails to accept the security flaws and labels those who try to help as "campaigners against Aadhar".

Bringing Sticks to a Gun Fight

Have a look at the mAadhaar app.

It stores your profile information (Name, Date of Birth, etc). It allows certain functionality such as biometric locking/unlocking and time-based OTP generation.

When you open the app for the first time, it asks you to set a password. Later, you use the same password to unlock its functions. So even if someone steals your phone, they should not be able to get into the app.

A French security researcher downloaded the app. He found something strange.

The password you set while registering is stored in a safe box on the phone. Every time you open the app, it asks you to enter your password; the app then unlocks the safe box and checks whether the two match. If they do, you get access to the app.

There is a key to the safe box where your password is stored. The key is simply a string of characters, like "A233ASD". If this key is compromised, anyone who can get at the safe box can read your password and use the app's functions as if they were you.

The key to the safe box must be unique to you. Your key and my key should not be the same; if they are, I can unlock your phone's safe box with my key and gain access to its functions. The French security researcher found that every copy of mAadhaar uses the same key: it is built into the app itself, so whoever pulls it out of their own copy holds the key to everyone's safe box.
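As an added example (not the researcher's findings nor the app's own code), here is a stand-alone Python sketch of the two designs the paragraphs above describe: a safe box whose contents are protected with one key shared by every copy of the app, beside a hardened version that never stores the password at all. The key value "A233ASD" is the page's illustrative string, the user passwords and the HMAC-based toy cipher are constructed for the demo, and the recovery step assumes the attacker has obtained another user's stored blob (from a backup, say, or a rooted device).

```python
"""Added illustration: a password vault keyed by one app-wide hardcoded key,
next to a hardened version that stores only a salted, slow hash.
Stand-alone example, not the mAadhaar app's code."""
import hashlib
import hmac
import os
import secrets

# Assumption: the same key is baked into every copy of the app. The page's
# illustrative "A233ASD" is used here; the real key is not on the page.
HARDCODED_KEY = b"A233ASD"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode as the keystream.
    Stands in for the real cipher; the flaw being shown is key management."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# --- vulnerable design: the password itself is stored, under a shared key ----

def vulnerable_store(password: str) -> bytes:
    """What ends up on disk: nonce || password encrypted under HARDCODED_KEY."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(HARDCODED_KEY, nonce, password.encode())


def vulnerable_check(blob: bytes, attempt: str) -> bool:
    """Unlock: decrypt the stored password and compare it with the attempt."""
    nonce, ct = blob[:16], blob[16:]
    stored = _keystream_xor(HARDCODED_KEY, nonce, ct)
    return hmac.compare_digest(stored, attempt.encode())


def attacker_recover(stolen_blob: bytes) -> str:
    """Anyone who pulled HARDCODED_KEY out of their own copy of the app can
    decrypt every other user's blob: same key, every phone."""
    nonce, ct = stolen_blob[:16], stolen_blob[16:]
    return _keystream_xor(HARDCODED_KEY, nonce, ct).decode()


# --- hardened design: store a salted, slow hash; there is no key to share ----

PBKDF2_ITERATIONS = 200_000


def hardened_store(password: str) -> dict:
    """Keep only salt + PBKDF2-HMAC-SHA256(password); the password is not recoverable."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def hardened_check(record: dict, attempt: str) -> bool:
    """Recompute the hash from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Constructed scenario: two phones with the same app build, hence the same key.
    alice_blob = vulnerable_store("alice-secret")
    print("attacker on Bob's phone recovers Alice's password:", attacker_recover(alice_blob))
    alice_record = hardened_store("alice-secret")
    print("hardened check, correct password:", hardened_check(alice_record, "alice-secret"))
    print("hardened check, wrong password:", hardened_check(alice_record, "guess"))
```

Run it and the vulnerable path hands over Alice's password on a phone that was never hers, because the only secret involved is the one every installation shares. The hardened path has no such key: a stolen record yields a salt and a hash, and the attacker is left guessing at PBKDF2 speed. Whatever genuinely must be kept per user belongs under a device-specific key (on Android, the hardware-backed Keystore), never under a string compiled into every copy of the app.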

It’s like the Indian government giving its citizens a lock and key to secure their houses. The problem is every citizen has the same exact lock. Anyone can open anyone else’s house with their own key.

I have seen such stupidity in Suppandi stories. Your mAadhaar app is presently vulnerable. One can choose to believe it, or delude oneself along with authorities who say "Your data is completely secure and 'hack-proof'".

