Aadhaar biometrics are an easy target for hackers

Aadhaar is a 12-digit unique identification number issued by the Indian government to each Indian citizen. The Unique Identification Authority of India (UDAI), which functions under the Planning Commission of India, is responsible for managing Aadhaar numbers and Aadhaar identification cards.

The purpose of Aadhaar cards is to have a single, unique identification document or number that links a consumer’s entire details including demographic and biometric information.

The Aadhaar card/UID does not replace the other identification documents but can be used as the sole identification proof when applying services that require identification. It also serves as the basis for Know Your Customer (KYC) norms used by banks, financial institutions and other businesses that maintain customer profiles.

Risk of Aadhaar biometrics
Biometric data, unlike passwords, can never be changed, so if hackers successfully impersonate a fingerprint then they can cause serious havoc, and there is not much the victim will be able to do about it.

With the recent government policies making biometrics the central identity verifier via Aadhaar information, a billion consumers could be walking a thin line between security and convenience. Though it becomes extremely convenient to make transactions via a single touch on your smartphone, it also means that all a malicious hacker needs to get is your fingerprint. Once he gets that, there’s no stopping. Identity theft and fraudulent transactions may just be the beginning.

A simple fact: You cannot just change your fingerprint like you change your password in case of a hack. Even closing your account won’t solve your problems. Your fingerprint, wherever valid, can be used to steal your accounts.

Government’s claims about Aadhaar security
The government claimed that Aadhaar is completely secure, and the data of the consumers was absolutely safe from any malicious party until a severe flaw was detected in the system. The bug allowed a malicious operator to save a user’s biometrics and simply use it to carry out transactions on the victim’s behalf via replaying the saved biometrics.

In February this year, a Youtube video showed a demo of such a replay attack. Later that month, UIDAI filed a case against an employee of Suvidhaa Infoserve, saying that an Axis Bank’s gateway was used to carry out around 400 transactions via replaying Aadhaar information that was saved earlier.

To resolve these, the government decided to roll out new policies to ensure that critical Personal Identifiable Information (PII) of its citizen does not fall into wrong hands and get misused. On January 25, the Registered Device notification made the registration and encryption mandatory of every single biometric reader currently in use.

According to the guidelines issued by Ministry of Electronics and Information Technology, sensitive personal data such as passwords, financial information (bank account, credit card, debit card and other payment instrument details), medical records and history, sexual orientation, physical and mental health and biometric information cannot be stored by agencies without encryption.

Basically, the host computer can no longer store user’s biometrics which will eliminate the risk of using the stored biometrics without individual’s consent for authentication.

How easy is it steal fingerprints?
Hackers can easily clone your fingerprints to gain access to your life. What’s scarier is that it’s neither too costly nor too difficult.

Fingerprints can be picked up from daily objects easily or mass attacks are possible if the servers of UIDAI are hacked. Hackers can also skim fingerprints via malicious biometric devices just as with infected credit card machines. The problem here though is that you can block your credit card but not your fingerprint.

Using the stolen print

This can be done via digitally replaying the print to authenticate applications and transactions. Another possibility is to use 3D-model printers to simply make a physical copy of the print. It is even possible to make physical fingerprint replicas using simple dental moulds and some playing dough. According to a research at theDepartment of Computer Science and Engineering at Michigan State University in the US, fingerprints can be replicated in less than $500 with conductive ink fed through a  normal inkjet printer, in a procedure that takes less than 15 minutes. According to researchers at CITER, the disturbing thing about fingerprints is they can be hacked just by using everyday items like some dental mould to take a cast, some playing dough to fill it. All they need is an impression of a person’s fingerprint. Using the cloned fingerprint, the hacker can enter every mobile application or devices that use the fingerprint as a security measure.

What about retina, voice and facial recognition?
Besides fingerprint, some applications also use facial and voice recognition techniques. The general methodology on which all the facial recognition app works is, the person stares into the camera on their smartphone and the app captures images of the face. According to a research lab in Germany which specialises in cyber security, the hacker can use several pictures of the victim which can be easily found via social networking websites and use those pictures to bypass the security.

However many applications using facial recognition claim to have ‘liveness’ technology which can distinguish a photograph from a real person. A hacker might bypass this by simply making a movement in front of the camera which might be interpreted by the app as a facial movement of the person if the app is not using some 3D face scanning.

Voice recognition technology can analyse accents, pronunciation and the sounds of someone’s mouth and tongue. Some apps use voice recognition by asking a person to repeat a certain phrase each time. If the app is more advanced, it can randomly generate new phrase each time a person logs in.

To bypass this, hackers can record the voice of a person saying the exact phrase that is required by the application or they can take advantage of software apps that allow a person to record someone’s voice and get that voice to say phrases which the person may have never said before.

Even IRIS scanner fails to secure the user’s privacy. According to a security researcher at Chaos Computer Club (CCC), Europe’s largest association of hackers, a similar technique that bypasses facial recognition is used to bypass IRIS scan as well, i.e. a standard photo camera. CCC researcher told Forbes: “We have managed to fool a commercial system with a printout down to an iris. I did tests with different people and can say that an iris image with a diameter down to 75 pixels worked on our tests.”

How big is the threat?
The government has made Aadhaar mandatory for Indian citizens to avail of many government services. Aadhaar is being used almost everywhere now. If the data gets leaked, unlike changing your passwords or creating a new account, people won’t be able to change their fingerprints or their facial structure. The digital infrastructure that the government is trying to push all across the country can come crumbling down if proper security measures are not at place.

The glorious dream of Digital India could simply be a disaster if a billion countrymen finally get digitalised and a single hack gives malicious hackers a lifetime access to their digital assets and identity.

What are the security measures?

UIDAI provides a simple mechanism for Indian citizens to lock their biometric information and prevent them from being misused.

Once the Aadhaar holder has locked his/her biometrics data, no one including the Aadhaar cardholder will be able to use the biometrics data for authentication purpose. Once locked, the biometric will get locked only for 10 minutes. The process of locking and unlocking biometrics is very simple. All a person is required to do is, visit the URL: https://resident.uidai.gov.in/biometric-lock. Provide Aadhaar card number. Enter a security code. Receive the OTP (which will be sent to the registered mobile number) and lock Aadhaar card.

How can Aadhaar be made more secure?
Biometrics is an acceptable form of security but depending solely on that can be risky. The best way to make apps or devices secure is using biometrics security along with another unique customizable token such as a password. This might be more of a hassle but at least it adds an extra layer of security to your information. The bottom line is: you cannot use a biometric as a primary authenticator; it can only act as an extra layer of security for your applications or devices just like an OTP.

Organisations, instead of making a fingerprint as the sole identification for a consumer, can use it as a second or even third factor to further strengthen their application infrastructure.

The government should consider the option of hosting a crowd-sourced bug-bounty program on Aadhaar and its deployment as it may help them ensure that each and every entry point is covered before going live with such a massive project. Aadhaar deployment is huge and its security cannot be tested with a few in-house analysts or even a big outsourced team. Crowd-sourcing is the solution. Utilising the brains of tens of thousands of professional security analysts aiming to find loopholes will definitely help in scraping out even the tiniest of bugs that might bite us later. Bug-bounty programmes are the most efficient way to hire 10,000+ ethical hackers for your project. Even the US government has accepted this mode by hosting ‘Hack the Pentagon’, ‘Hack the Army’ and ‘Hack the Airforce’ programmes, and that too with great success.