Over the last couple of weeks, we have been learning about social cyber security in class. It has helped me develop a perspective that looks at cyber security issues from a socio-technical point of view rather than a purely technical one. In the last class, one of my batchmates mentioned that Indians are less privacy conscious than Americans and brought up the widely reported Aadhaar breach. I felt like evaluating that incident to see whether it had any impact on the privacy concerns of Indian residents. However, while researching the breach, I came across an even more serious cyber security incident relating to Aadhaar that not many Indians are aware of. In this post I present the incident and analyse it from a socio-technical perspective.
The ECMP Bypass
An Aadhaar number is a 12-digit random number issued by the Unique Identification Authority of India (UIDAI) to residents of India after verification of their demographic and biometric information[1]. After the Aadhaar scheme was announced by the government, the UIDAI, to speed up enrolment, signed agreements with multiple parties (private agencies, common service centres) and authorised them to use an enrolment software platform (ECMP) that could be installed on their computers[2]. The contract to develop it was given to a company called Mindtree. The Aadhaar enrolment client can be installed on any laptop and is available for public download.
The following security features were added to the software:
1. All operators were required to log in to the software by first providing their own fingerprint or iris scan.
2. Any laptop being used had to first be registered with the UIDAI.
3. A check was added to confirm that the operator was certified.
4. A check to verify whether the enrolment machines were running pirated or outdated versions of Windows.
5. Each computer used for enrolment was attached to a GPS device to ensure enrolment was done within the physical confines of the authorized centres.
Recently, a widely used patch (a crack) for this software was discovered, which does the following[4]:
1. All biometric authentication disabled. Operators can log in without biometric authentication.
2. Supervisor biometric authentication can also be overridden.
3. Login failure has been patched so that operators can log in even when their authentication fails.
4. Iris authentication for operators has been disabled.
5. Login time-out sessions have been removed, to allow an operator to remain logged into the enrolment software indefinitely.
6. A cluster of changes affects time zone functionality. Particularly, a feature that checks if the software is running on Indian Standard Time (one of the ways the software determines location) has been disabled.
7. A tracker, measuring the number of fingerprint mismatches, has been removed.
8. Three changes relate to how the software checks the validity of enrolment packets and syncs with UIDAI servers.
9. The system has been changed to accept Aadhaar numbers that begin with zero and one. (Real Aadhaar numbers never begin with zero or one, so this change is mystifying).
10. A Java integrity check — which checks whether the software library has been altered — has been removed.
Attack Causes
Let us now try to understand what made the attack possible from both social and technical perspectives.
Technical
1. The ECMP client works offline, so an adversary can easily get access to the application files.
2. Registering an authorised enrolment operator involves downloading their biometrics onto a certified enrolment computer. Biometric sign-off is an offline process that can be spoofed, so enrolment packets created by the hacked software are indistinguishable from the real thing[5].
3. The enrolment software is written in the Java programming language and the source code was not obfuscated before release to production. As a result, anyone who can download the software has access to the source code through decompilation.
One of the reasons I feel the hack was possible is the attackers' ability to gain access to enrolment endpoints and operator credentials. Without access to an endpoint, they could not have observed the security checks at work and devised logic to circumvent them.
The system was designed around an offline model to facilitate enrolments in remote areas of India where internet connectivity is not yet stable. Sometimes, usability hits security in a very bad way.
Social
Let us look at the social aspect through the relationships between the adversaries and the victim (UIDAI).
Two major adversary-victim relationships can be observed in this incident: the relationship between the adversary who developed the patch and UIDAI, and that between the enrolment operators and UIDAI.
For the latter, the intent seems to be an economic one. The UIDAI paid the operators less than $0.5 per enrolment. With this they could hardly make minimum wage, so having multiple people use their credentials helped them scale up the number of enrolments they could make and thus their income. The former seems to be a persistent relationship with wider intents. The primary intent could be to harm India's national security[6]. This could benefit any of the country's foes and terrorist elements. Since Aadhaar is a way to obtain an identity equivalent to that of a resident of India, these adversaries are likely to invest substantial time and resources in finding loopholes in the Aadhaar system. Thus, this relationship has an enduring degree of persistence, and UIDAI happens to be the unique victim of interest for this purpose. The UIDAI has blacklisted all these private operators and now entrusts only state-run bodies with enrolment. These bodies may therefore be the next, broader set of victims for the persistent adversaries.
Thus, we see that this high-severity incident was the result not just of technical loopholes but also of social factors. Clearly, while making the system usable for a large diversity of users, the developers missed the severity of the impact a breach of their system might have on national security. Incidents like these make me think that there is a long way to walk on the path of usability and security.
In this class so far, we have mostly seen different aspects of usability and security in systems of common use. It would be interesting to research the usability dimension of systems like ECMP, where any compromise in security is a high risk. On the other hand, any compromise in usability may render the system unusable for a large section of users. For instance, here the remote villagers might have had to travel to nearby cities for Aadhaar enrolment if the system had not been designed to work in offline mode.
Sources:
[1] About Aadhaar: https://uidai.gov.in/your-aadhaar/about-aadhaar.html
[2] Illegal Patch Allows Easier Access to India's Aadhaar Biometric Database: https://www.bleepingcomputer.com/news/security/illegal-patch-allows-easier-access-to-indiasaadhaar-biometric-database/
[3] India's ambitious digital ID project faces new security nightmare: http://www.atimes.com/article/indias-ambitious-digital-id-project-faces-new-securitynightmare/
[4] UIDAI Aadhaar Hack: New Analysis: https://www.huffingtonpost.in/2018/09/14/uidai-aadhaarhack-new-analysis-shows-hackers-changed-enrolment-software-code-in-26-places_a_23525828/
[5] UIDAI's Aadhaar Software Hacked: https://www.huffingtonpost.in/2018/09/11/uidai-s-aadhaarsoftware-hacked-id-database-compromised-experts-confirm_a_23522472/
[6] J&K Police Arrest Pakistani Militant With Aadhaar Card On Him: https://www.scoopwhoop.com/JK-Police-Arrest-Pakistani-Militant-In-North-Kashmir-With-Aadhar-Card-On-Him/#.9xa042lek