by kcsomisetty 2838 days ago
I expected better discussion on HN (apart from sensationalist articles), the article does a poor job intentionally though.

Summary

1. Existing data is not compromised

2. Duplicate data can't be entered or overwritten

3. BUT, ghost accounts can be created easily.

Aadhar was introduced to fight ghost accounts who siphon off subsidies provided for the poor. This hack/patch defeats that purpose.

I still think this is not as big a problem as it looks on the surface. If the enrollment software is hacked to accept iris data from a photograph, can't the Aadhar DB (post enrollment) be scanned for all enrolled iris data with poor quality iris data, and they be monitored and deleted?

Another problem is still there: what if the operators enroll citizens from a different country as Indians, essentially creating ghost accounts (from citizens of a different country)? I don't know how to stop such a situation.

Biometrics is never a good model for authentication; I don't know what these people were thinking when they designed it.

4 comments

Two points:-

1. Surprise, there's a separate $10 application which can access all the Aadhar database entries. Exposed by one of the journalists of this story, for which she got a police case filed against her. [a]

2. Aadhar has no way to verify double entries, one whistleblower to Supreme Court said the database has 40% bogus entries, i.e. 450 Million fake IDs. Yes, no verification backup documents, no signup forms exist for 40% entries in the database, and authority has no way to audit them. [b]

a. https://www.tribuneindia.com/news/nation/rs-500-10-minutes-a...

b. https://ia802809.us.archive.org/26/items/Aadhaar_Whistleblow...

Bonus: Aadhar database was at one time hosted in US with FTP password being Admin$12. This is the state of this sham project. https://imgur.com/a/2sppFrm

> 1. Surprise, there's a separate $10 application which can access all the Aadhar database entries. Exposed by one of the journalists of this story. [a]

Can the said journalist just release the application in public domain? If not, why not?

> 2. Aadhar has no way to verify double entries, one whistleblower to Supreme Court said the database has 40% bogus entries, i.e. 450 Million fake IDs. Yes, no verification backup documents, no signup forms exist for 40% entries in the database, and authority has no way to audit them. [b]

If authority has no way to audit them then how did the whistleblower arrive at this magical "40%" figure.

What's worse than the 40% figure is the way the entire letter is written. No way a professional would write a letter with all caps, typographical errors, paragraphs upon paragraphs of sensationalism with little to show for "proof". Even the table which shows the details of "AadhaarCount v/s Aadhaar Records" is not something available in public domain so it cannot be validated as authentic.

> Bonus: Aadhar database was at one time hosted in US with FTP password being Admin$12. This is the state of this sham project. https://imgur.com/a/2sppFrm

I have seen this crop up in every discussion but nowhere in the screenshot does it say that the data hosted in US was the "Aadhaar database". All this screenshot details is some files were hosted by the UIDAI team on a US based server to share among themselves. The files could be anything. In fact, the email itself says the files are flat files with names:

1. Bill_Desk

2. Total_EXP

How did you arrive at the fact that this is the Aadhaar database itself? I can easily assume that "Total_EXP" can mean total expenses and "Bill_Desk" to do something with bill desk. Nowhere does it say "Aadhaar_DB" or something along those lines. This is laughable!

Also, this same screenshot exists in the so called "whistleblower's letter" to Supreme Court judges as well. There is no confirmation of any such correspondence by the Supreme Court judges about being in receipt of any such letter.

Sorry to say but the way the entire letter is written screams of fake news you typically forward through WhatsApp only to realise later that the entire story was fraudulent to begin with.

>Can the said journalist just release the application in public domain? If not, why not?

Pretty simple. Do you want everyone in the world to have access to the database? Now at least it is hidden through obscurity. This is exactly why in this report the said journalist got it verified by three external experts, one of them a professor.

>If authority has no way to audit them then how did the whistleblower arrive at this magical "40%" figure.

Authority has no way to audit the fake accounts, authority does know for which entries backup documentation exists or not. In fact, he attaches official documentation later on as an evidence.

Forget the grammar, typos it doesn't matter. Ignore the whole of his letter except the official correspondence that is attached and does in fact validate his/her point.

I meant to write Aadhar data. So you are totally overlooking the fact that some of the Aadhar related data was on US servers, and more importantly the password is being relayed over e-mail? Also, no secure way to host the government data, except HP servers?

Government has been so opaque regarding this project that we have to rely on journalists, researchers and whistleblowers to help us with any sliver of info.

Do you have a conflict of interest with this project? I see on your Twitter that you have retweeted some posts from Ministry overlooking this project. Not casting doubt, just needing a clarification due to the tone of your posts in this thread. Sounds very government'ish.

> I expected better discussion on HN (apart from sensationalist articles)

There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

> "Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer," Wallach said.

> There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

OP is not negating the problem. However, the title implies that the existing database has been breached, which is not true. Author could have given a better title which implies that ghost entries could be added and existing data has not been compromised.

The whole point of the system is to give a single confirmed Identity for citizens of India.

At this point the purpose of the exercise has been voided.

Saying that "the data has not been compromised" is a red herring; that's the case for when our biometrics are lost and our privacy breached, which is a whole different issue with this database, one among many of its other problems.

At this point if the data is crud, what's the point of using this system?

Actually, having an Aadhar number does not imply that the person is a citizen - this is one of the statements present in the application form itself. So, it is possible for non-citizens to have an Aadhar number.

So Aadhar is meant for the whole world including our neighbouring citizens (and Intelligence agencies) of Pakistan and China? Thank you for educating me, I didn't know that. It's truly wonderful and neighbourly that they get the convenience of self-registration without providing proof and customizing their bio-metrics during upload. Only Indian citizens should be held to a higher standard.

I am not questioning the authenticity of the report, that is for UIDAI to do.

I am questioning the choice of title. Of late, I am seeing too many articles about Aadhar breach, and when I study in detail, it's mostly related to social engineering/phishing attacks stealing OTP/enrolling unsuspecting customers etc.

I am worried that when an actual breach happens, the people will probably not care. (cry the wolf?)

> There are three people across three different parts of the world who corroborate the report - CTO of a global technology group, a security based analyst and a professor of Computer Science. I wonder how this is "sensationalist".

Put out the patch in public domain or at least provide some technical information on the vulnerability itself (by making the said report public).

Every time a story of this sort comes out it inevitably ends in a lot of hand waving and sensationalism: how a reporter got access to a secret WhatsApp group that sells a patch in exchange for 2500 rupees and it allows access to the UIDAI system.

What makes it worse is that we are supposed to just accept whatever this CTO and his two other researcher friends have to say without any way to validate it ourselves. I don't see this happening with any other vulnerability disclosure: be it Spectre, Meltdown or plethora of other exploits which have detailed explanation of the exploit itself. Considering that it affects a billion plus people and as claimed by the article that Aadhaar is "compromised" and "cannot be fixed without requiring a fundamental change in the system" there is no reason now to hold back on technical details.

"This is pretty feasible, and looks like something that would be possible to engineer"

On the one hand you say the patch which can be bought for 2500 rupees already does this and at the same time you use words like "possible to engineer" and "feel pretty comfortable". Since when have feelings and possibilities gotten more prominence than technical explanations?

I'm not saying that the system is foolproof. On the other hand I am waiting for that one article that goes into technical details of the exploit than just sensationalism.

There's a professor in there too who verified it. Putting the patch out is going to see reporters being jailed and the story being buried. Especially when with the patch we will see 4chan like flaming and the database being filled up with bogus entries from all around the world.

> Can't the Aadhar DB (post enrollment) be scanned for all enrolled iris data with poor quality iris data and they be monitored and deleted ?

Not so easy. Every effort that's made to reduce fraud (false positives), might affect genuine beneficiaries who depend on the system for food, healthcare and education - by increasing exclusion (false negatives). A probabilistic auth platform with a really wide scope is a recipe for failure.

Well, I am not an expert in analyzing biometric data either, but I know that the current government is hell-bent on ploughing through our lives. I don't know what will be a better future.

It _is_ a big problem, because apart from the ones you mentioned above, it is unclear how many more vulnerabilities are possible.

Isn't that true for every system?

When a system is shown to have fundamental security flaws — this one uses client-side validation to authenticate biometric operators — it is natural one's trust in the system's robustness would drop low.

Like when Intel's chips were shown to completely disregard security when speculatively executing instructions, it wasn't just a new vulnerability; it was a whole class of vulnerabilities that was now open.

Aadhar is not a client side authentication, what does client side even mean in this context?

Please read TFA: "The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers."

The client here is the enrollment software, not "Aadhar" (whatever you meant by that). The Aadhar service should have been authenticating enrollment operators on the server side, instead of relying on the enrollment software to verify identity (that too via biometrics, which is NOT authentication).
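
The server-side check this comment argues for, as an added example that is not part of the thread and not the Aadhaar enrolment protocol: a server that trusts a client-reported flag, beside one that verifies a proof it can recompute itself. The packet fields, operator ID, key and function names are hypothetical, and an HMAC over a server-issued nonce stands in for whatever operator credential a real deployment would use.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server-side state (hypothetical): operator keys and open challenges.
OPERATOR_KEYS = {"op-001": b"constructed-demo-key-not-a-real-credential"}
_challenges = set()


def issue_challenge():
    """Server hands the client a fresh single-use nonce before each submission."""
    nonce = secrets.token_hex(16)
    _challenges.add(nonce)
    return nonce


def _mac(key, nonce, record):
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, nonce.encode() + b"|" + body, hashlib.sha256).hexdigest()


def client_sign(operator_id, key, nonce, record):
    """What unmodified client software submits after authenticating its operator."""
    return {"operator_id": operator_id, "nonce": nonce, "record": record,
            "mac": _mac(key, nonce, record), "operator_verified": True}


def accept_trusting_client(packet):
    """Flawed design: the decision is a flag computed by software the server
    does not control, so patched client software decides its own outcome."""
    return packet.get("operator_verified") is True


def accept_server_side(packet):
    """Server recomputes the proof from its own key store; the flag is ignored."""
    key = OPERATOR_KEYS.get(packet.get("operator_id"))
    nonce = packet.get("nonce")
    if key is None or not isinstance(nonce, str) or nonce not in _challenges:
        return False
    _challenges.discard(nonce)  # single use, so a captured packet cannot be replayed
    expected = _mac(key, nonce, packet.get("record"))
    return hmac.compare_digest(expected.encode(), str(packet.get("mac", "")).encode())
```
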

Then why does the article claim that Aadhar is hacked? Why not just call it Aadhar enrollment hacked (which is a more appropriate title)?

Isn't that true for everything around you? Just because your bank is not hacked, does not mean it will not be in future.

This is an attitude a system designer should have, always be on the lookout for vulnerabilities.

If media starts writing articles on would-be vulnerabilities, then it is just fear mongering.

>> Isn't that true for everything around you? Just because your bank is not hacked, does not mean it will not be in future.

But if my bank is widely reported to be hacked, my trust in it would degrade. And I would probably not trust it with any more of my money. A lot also rides on how the bank responds to this in public.

>> This is an attitude a system designer should have, always be on the lookout for vulnerabilities.

Agree, but that is beside the point here.

>> If media starts writing articles on would-be vulnerabilities, then it is just fear mongering.

This is something which has occurred, it's not "would be".