Is GOI's National Informatics Centre also culpable for Abhinav Srivastav's Aadhaar data hack incident? - Alt News
Alt News Desk
11th August 2017 / 9:57 am
There are three people. Person A, Person B and you yourself. Person A somehow manages to get the login details of your email account, i.e. username and password, and writes it down on a piece of paper and stores it in a place which he/she considers is secretive enough, but it really is not. Person B manages to find that piece of paper which Person A had hidden, accesses your email account and misuses the information for his/her personal gain. Aren’t both Person A and Person B equally culpable in this little story?
Recently, a 31-year-old MSc graduate from IIT-Kharagpur, Abhinav Srivastav, was arrested for allegedly stealing Aadhar data. If an analogy were to be drawn between the story in the first paragraph and this incident in which various sections of main stream media are claiming that Srivastav ‘hacked’ Aadhar data, then Srivastav would be the Person B in the story.
Through the course of this article, we’ll show that Person A in this story is the team at National Informatics Center (NIC) who designed and developed the eHospital hospital management software. NIC is the prime builder of e-Government / e-Governance applications for Government of India. This story will show how NIC released a horribly designed application which published a secret token in a non-secure manner. Abhinav Srivastav got hold of this secret token and gained unauthorised access to Aadhar data.
As reported by Indian Express, Srivastava had accessed UIDAI (Aadhaar) data without authorisation between January 1 and July 26 for an app called ‘eKYC Verification’. The app delivered demographic data like name, address, phone number of individuals from the central identities data depository of Aadhaar to authenticate unique identity numbers. It was placed on Google Play Store with the claim that it was developed by an entity called myGov linked to the start-up Qarth Technologies, which had been acquired by the taxi hailing service Ola in 2016. Further, Times of India reported the police version which stated that Srivastav accessed Aadhaar data through the e-hospital application hosted by the government’s National Informatics Centre (NIC). Quint reported a follow up statement by Bengaluru Police which stated that Srivastav had exploited weak security protocols of the e-hospital system, a government server, for easy access of Aadhaar data.
To understand how Abhinav Srivastav exploited the eHospital system, it is necessary to have a basic understanding of eHospital, Aadhaar/UIDAI and the eKYC service offered by UIDAI.
According to the eHospital website, it is a Hospital Management System designed and developed by NIC for Government sector hospitals across India. It is a generic software which covers major functional areas like patient care, laboratory services, work flow based document information exchange, human resource and medical records management of a Hospital.
One of the features provided by eHospital is Online Registration System (ORS) which utilizes Aadhaar to provide an online appointment system across various Government hospitals. As part of the eHospital suite, an Android application has been developed which enables access to the Online Registration System (ORS). ORS is hosted by NIC and uses the Aadhaar number to get eKYC data of a customer for authorisation in order to create online appointments.
eKYC is a service provided by UIDAI which enables a resident having an Aadhaar number to share their basic demographic information such as name, age, date of birth, post address, phone number and a digitally signed photograph with a UIDAI partner organization after user consent either through biometric authentication or OTP (One Time Password). eKYC service by UIDAI thus provides an online verification service for Proof of Identity (PoI) and Proof of Address (PoA). KYC in eKYC stands for ‘Know Your Customer’.
UIDAI has 254 partner organisations who can access the eKYC service by UIDAI. National Informatics Center (NIC), who built the eHospital service and Android application, is one of the partner organisations. In the UIDAI world, these partner organisations are called KUA or KYC User Agencies. Each KUA is given a unique license key using which it can access UIDAI’s eKYC service.
No. The eKYC service can only be accessed over secure leased lines which provide connectivity to UIDAI’s data store also known as Central Identities Data Repository (CIDR). At the time of writing, 27 partner organisations have secured leased line connectivity with the CIDR (Aadhaar data). These partner organisations are called ASA or Authentication Service Agency. Those ASAs who are eligible to provide access to the eKYC service are called KSA or KYC Service Agency. NIC or National Informatics Center is also a registered KSA.
If the eKYC service provided by UIDAI can only be accessed over a secure leased line with only 27 partner organisations having access to the Aadhaar data, how did Abhinav Srivastav manage to get access to it?
The leak was not at the KSA level but at the KUA level. In this particular case, NIC or National Informatics Centre is both a registered KSA as well as KUA. What this entails is that NIC has secured leased line access to CIDR (Aadhar Data) and is also eligible to access the e-KYC service by UIDAI. For the eHospital application and more specifically the Online Registration System, NIC built an additional service on top of the existing eKYC service already provided by UIDAI. In the software engineering world, such a service is also called an API or Application Programming Interface.
This additional API, which piggybacked on existing UIDAI eKYC service, was utilised by the Android eHospital Online Registration application to create online appointments while using the patient’s Aadhaar number for eKYC verfication. This additional API which gave proxy access to UIDAI’s eKYC service and was created by NIC and was exploited by Abhinav Srivastav to gain access to Aadhar Data. For the purpose of this story, we will call this additional API the ‘NIC eKYC API Proxy‘.
While UIDAI’s eKYC service is only accessible over a secured leased line connection and not a regular internet connection, NIC eKYC API proxy is accessible over a regular internet connection and anybody in the world can access the API provided they have the authentication details. NIC had to create this API since the eHospital Android application would create eKYC assisted appointments over a regular internet connection.
Unfortunately, the NIC eKYC API Proxy had major security holes.
The eHospital Android application was communicating with the eHospital backend via NIC eKYC API proxy. However, as pointed out earlier, this communication was over an insecure HTTP connection instead of a secure HTTPS connection. Anybody who knows how to sniff this HTTP communication would be able to find the password. While it is not possible to determine the exact software application used by Abhinav Srivastav to determine the default password, here are the two methods using which one could have found the default password.
Anand Venkatanarayan and Anivar Aravind who did the background research for this entire story decompiled the eHospital Android application and found out that the password ‘dG9rZW5Ad2ViQGFwcG9pbnQjbmlj’ is visible as plain text in the decompiled JAVA code. Based on their research of the decompiled code, here are their three findings:
The back end “http://ors.gov.in” allowed anyone to obtain the complete list of APIs, through which one can surmise how it uses Aadhaar eKYC APIs.
By either sniffing the HTTP traffic using a proxy or decompiling the Android application, Abhinav Srivastav must have figured out the default password and the API required to do Aadhaar eKYC. He used this knowledge to create his own service on top of the NIC eKYC API proxy. This service was accessed by the ‘eKYC verfication’ app that he created. For the purpose of this story, the Android application created by Abhinav Srivastav will be called the ‘Qarth App’ and the service that utilised the compromised password to communicate with the NIC eKYC API proxy will be called the ‘Qarth App Back End’.
We started this article with a small story where Person A jots down username/password of your email account on a piece of paper and Person B manages to find that piece of paper and misuses the information. In this story, Person A is the team at National Informatics Center who designed and developed the insecure eHospital service and application which uses a single default password ‘dG9rZW5Ad2ViQGFwcG9pbnQjbmlj’. Person B is Abhinav Srivastav who found out this default password and misused it to create the ‘eKYC verification’ application. If Abhinav Srivastav is culpable of misusing the vulnerability in eHospital app, isn’t the team at NIC also equally responsible for creating a service with a Jupiter-sized security hole?
So why did UIDAI panic and file the FIR? It is not the Application that Abhinav developed, it is the implications.
The basic principle in the eKYC infrastructure is that not every entity is trustworthy to be given full access to CIDR (Aadhaar data). Thus KYC Service Agencies (KSA) are directly regulated by UIDAI since they are closer to CIDR than other parts of the ecosystem. Every KYC User Agency is vetted by UIDAI and the KSA.
However, applications like the NIC eHospital were never considered as part of the ecosystem and hence were not audited by UIDAI’s auditors. The scope of the audit was only restricted to KSA and KUAs. This is a crucial mistake as the above example indicates that all it requires is one vulnerable application using the eKYC API, which can allow a back door access to the eKYC and Authentication APIs.
There are now 254 such KUAs and there could be a large number of vulnerable applications like NIC eHospital, which were built on top of the eKYC service offered by these KUAs. Every one of these applications can potentially allow a back door to the authentication infrastructure, which significantly expands the risk of abuse.
For a normal user, an Application developed by UIDAI will be indistinguishable from the numerous apps released by third parties as this example indicates and one malicious app is all that it takes for an actual data theft.
The example also clearly points out the complete and total lack of awareness of basic security practices even by the top-most e-Governance vendor. By digging deeper into the eHospital App, it is possible to understand how bad NIC’s security practices were.
UIDAI has shown time and again that it is incapable of handling security incidents without resorting to bullying tactics as is evident by their past behavior. The design problems of Aadhaar and the ecosystem security issues will not go away because of these tactics. Instead they will remain unreported or worse sold to the highest bidder and will be exploited by malicious actors and nation states.
It is time the organisation realises that it cannot make citizens secure by making them more vulnerable, in the mistaken false confidence that “Aadhaar is very very secure”. The security concerns have become real and the grudging acknowledgement by Nandan Nilekani was long overdue and perhaps too little and too late.
Follow @free_thinker
Trigger Warning: Violent Content. Viewer discretion is advised. Over the past few months, rumours of…
A video of a young boy cleaning the windshield of a car is making the…
On November 9, Yati Narsinghanad disciple Suresh Rajput uploaded a video on Facebook about AIMIM…
A video clip of a fighter jet landing on a dam is being widely circulated…
In the backdrop of NASA’s Perseverance Rover landing on Mars on February 19 (IST), a…