Dr Rakesh Mohan Goyal, a computer industry expert and an occasional writer for Moneylife, in his affidavit before the Supreme Court described six vulnerabilities that exist in the Aadhaar authentication ecosystem and that can leak, steal, store or share core biometrics of Aadhaar holders.
Here are the six vulnerabilities as described in the affidavit by Dr Goyal:
1. Biometric data stealing from fingerprinting device – as per requirement, all biometric devices must be Standardisation Testing and Quality Certification (STQC) approved, as they must capture fingerprints as per the standards and application programming interface (API) defined by UIDAI, so that there is no incompatibility. Normally, these devices are smaller than a mouse and are attached to the PC, laptop or mobile phone via a USB port. As the Aadhaar user puts a finger on the device, the fingerprint is scanned and the raw image is sent to the PC, laptop or mobile phone for further processing. But this raw biometric image stays in the device RAM till either the next scan is done, the device is disconnected, or the PC, laptop or mobile phone is turned off. This raw image can be hacked from device RAM if a hacker accesses the PC, laptop or mobile phone, which is possible either by using malware or a bot. The mobile phone is one of the most insecure devices. Almost all mobile apps steal various types of data stored on the mobile, which may include biometric data. There are methods to mitigate this risk but UIDAI has not defined the same in its audit checklist or any processes.
2. Biometric data stealing from Iris scanner device – all iris scanner devices also must be STQC approved, as they must capture the iris image as per the standards and API defined by UIDAI, so that there is no incompatibility. These devices are not as small as fingerprint scanners. Seven such devices are approved by STQC as on date. One of the popular devices for authentication capture is the Samsung pad. These are also attached to the PC or laptop via a USB port, Wi-Fi or mobile data internet connectivity. As the Aadhaar user's iris is scanned on the device, the raw image is sent to the PC or laptop for further processing. The raw image stays in the device RAM till either the next scan is done or the device is powered off. This raw image can be hacked from device RAM, as most Android-based mobile devices are open systems and among the most insecure devices. Most of the apps steal all the data. There are methods to mitigate this risk but UIDAI has not defined the same in its audit checklist or any processes.
3. Biometric data stealing from PC or laptop – After the raw biometric image is transferred to the PC or laptop, it is stored in a temporary data variable. From this variable it is further processed into the PID, which is another data variable. Then it is encrypted, which sits in a third data variable. Then it is digitally signed, which goes into a fourth data variable. After that, it is sent to the ASA, KSA and ESP to be forwarded to UIDAI for authentication. Further, the data is also written to cache memory.
In its audit checklist, UIDAI specifies: “The encrypted PID block should not be stored unless it is for buffered authentication for a short period of time and after transmission, it should be deleted”.
However, according to the affidavit, UIDAI does not specify any treatment for the intermediate variables, and they contain the biometric data till either the next biometric comes or power is off. “Again, a hacker can steal biometric from these variables or cache. The short period is not defined in checklist but defined at website as 24 hours. This is a huge time for a hacker. There are methods to mitigate this risk but UIDAI has not defined the same in its audit checklist and any processes,” Dr Goyal says.
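One way to address the intermediate-variable problem described above, shown here as an added illustration that is not from the affidavit or from any UIDAI or vendor code: each stage buffer is zeroised the moment the next stage has consumed it, and an audit check confirms that nothing survives the call. The PID encoding, encryption and signature are toy stand-ins (a fixed header, an XOR and a checksum), not the real Aadhaar formats; the struct, buffer sizes and sample template are assumptions.

```c
#include <stddef.h>
#include <string.h>

enum { RAW_LEN = 16, PID_LEN = RAW_LEN + 4, MAC_LEN = 4 };
/* Zeroise through a volatile pointer so the optimiser cannot drop the store as dead. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}
/* Every intermediate copy lives in one struct so a single scrub covers all of them. */
struct auth_stages {
    unsigned char raw[RAW_LEN]; /* image as received from the scanner */
    unsigned char pid[PID_LEN]; /* encoded PID block: toy header + template */
    unsigned char enc[PID_LEN]; /* encrypted PID block */
};
/* Audit check: does any stage buffer still hold non-zero (possibly biometric) bytes? */
static int stages_hold_data(const struct auth_stages *s) {
    const unsigned char *p = (const unsigned char *)s;
    unsigned char acc = 0;
    for (size_t i = 0; i < sizeof *s; i++) acc |= p[i];
    return acc != 0;
}
/* Build the signed request into `out` (PID_LEN + MAC_LEN bytes), scrubbing each stage as
 * soon as the next stage has consumed it. Returns bytes written, or 0 on bad input. */
static size_t build_auth_request(struct auth_stages *s, const unsigned char *scan,
                                 size_t scan_len, unsigned char key, unsigned char *out) {
    unsigned char mac = 0;
    if (scan_len != RAW_LEN) return 0;
    memcpy(s->raw, scan, RAW_LEN);
    memcpy(s->pid, "PID1", 4);                  /* stage 1: encode the PID block */
    memcpy(s->pid + 4, s->raw, RAW_LEN);
    secure_zero(s->raw, RAW_LEN);               /* raw image no longer needed */
    for (size_t i = 0; i < PID_LEN; i++)        /* stage 2: encrypt (toy XOR stands in) */
        s->enc[i] = (unsigned char)(s->pid[i] ^ key);
    secure_zero(s->pid, PID_LEN);               /* plaintext PID no longer needed */
    for (size_t i = 0; i < PID_LEN; i++)        /* stage 3: sign (toy checksum stands in) */
        mac = (unsigned char)(mac + s->enc[i]);
    memcpy(out, s->enc, PID_LEN);
    memset(out + PID_LEN, mac, MAC_LEN);
    secure_zero(s, sizeof *s);                  /* nothing biometric survives the call */
    return PID_LEN + MAC_LEN;
}
/* Constructed sample run: 1 if the request was built and no stage buffer still holds data. */
static int demo_scrubbed_pipeline(void) {
    static const unsigned char scan[RAW_LEN] = "SAMPLE-TEMPLATE!"; /* constructed, not a print */
    struct auth_stages s;
    unsigned char out[PID_LEN + MAC_LEN];
    size_t n = build_auth_request(&s, scan, RAW_LEN, 0x5A, out);
    return n == PID_LEN + MAC_LEN && (out[4] ^ 0x5A) == 'S' && !stages_hold_data(&s);
}
```

The same `stages_hold_data` check can be run by an auditor against a client's stage buffers after each authentication to confirm the scrub actually happened, rather than trusting the code review alone.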
4. Storage of biometric data in temporary storage – In its audit checklist, UIDAI specifies that “Biometric and OTP data captured for the purposes of Aadhaar authentication should not be stored on any permanent storage or database”.
“I have seen situations where the AUA argued that UIDAI has barred storing biometric and OTP on permanent storage and not on temporary storage. And the limit of temporary storage and/or period is not defined. This temporary period can span from a few milliseconds to months. This so-called temporary storage is a potential source for biometric data to be leaked or stolen or stored or shared. There are methods to mitigate this risk but UIDAI has not defined the same in its audit checklist and any processes,” Dr Goyal says.
5. Illegal modification in application – As per the UIDAI checklist, the auditor validates that biometric data is not stored permanently. Dr Goyal says, “We check the code and if we find any storage, we ask them to change the application code. But there is no check and control by UIDAI that the application code, which is audited and approved, will be used further and not changed. Unofficially, as per my knowledge and belief, at least at one AUA, they have modified the code after audit to store all user data including biometric data, and store it at a place where no one can check easily. They will replace the audited code when the next audit is due. There are methods to mitigate this risk but UIDAI has not defined any mitigation strategy.”
6. Biometric data theft due to not up-to-date technology and patching – Dr Goyal’s affidavit contends that biometric data can also be stolen due to the use of old technology or non-application of security patches by the AUA. “Hackers can easily exploit vulnerabilities in these situations. There are methods to mitigate this risk but UIDAI has not defined the same in its audit checklist and any processes,” it added.
Dr Goyal says he sent a letter to UIDAI on 9 December 2017, requesting them to define its check-list, methodology, audit-report format, process with QC and monitoring mechanism. You must take advantage of this rich and diversified pool of experience.
“Still after a month, UIDAI is at the same state of rest or motion as per Newton’s first law of motion. This inertia will break only when an outside unbalanced force will be applied. This force may be a security incident and/or government order and/or judicial order and/or sudden wisdom and/or something else,” the security expert added in his affidavit.