The French security researcher Baptiste Robert (alias Elliot Alderson on Twitter) has brought India's data security issues into the limelight again. This time he hacked into the Aadhaar app, bypassing the program's password protection within a minute.
The Internet has been in an uproar about how someone could so easily gain access to the details of twenty thousand cards in the span of a day.
Speaking to IndiaToday about the vulnerabilities of the Aadhaar app, Robert said, “These cards can be found on the internet. Everything is public, no hack is required. You only need to use Google. These cards have not been found on the UIDAI server.”
Addressing the Aadhaar app in particular, Robert stated, "The main issue with the Aadhaar Android app is that if an attacker has physical access to the device, he can easily bypass the password mechanism they put in place in the app."
In their response UIDAI claimed, “Simply knowing someone's Aadhaar, one cannot impersonate and harm the person because Aadhaar alone is not sufficient to prove one's identity but it requires biometrics to authenticate one's Identity.”
Robert retorted, “They (UIDAI) also said that the Aadhaar card is an identity document which is inconsistent with their statement.”
His point is that as long as the card can be used to establish identity without biometric verification, the exposure of that information poses a serious threat.
To protect users Robert has said, “It's complicated, first don't use the Aadhaar Android App at all, be cautious when you give your Aadhaar card to anyone.”
Which is fair enough, because a good system can only be successfully implemented when there is faith in its security.
Meanwhile UIDAI has published an onslaught of tweets explaining how the Aadhaar system isn't vulnerable at all and hasn't been hacked in eight years.
Earlier this month, Robert hacked into two BSNL portals, gaining access to sensitive employee data, and he has been warning the relevant government departments wherever their data is left unsecured. He is known to have reached out to the Punjab Police, the Telangana Government, Paytm and the Indian Postal Service, among many others. Most recently, he highlighted how patient data is at risk through the Apollo Hospitals website.
Robert has been communicating with the organisations concerned on Twitter itself, keeping things open and transparent. He has even said publicly that he is not in it for the money, but to make data safer for users.