The government is pushing for the unique identity, to register everything from infant children to bank accounts, but the biometrics of millions of people are not foolproof.

Aman Sethi and Samarth Bansal
New Delhi, Hindustan Times

On February 11, the Unique Identification Authority of India (UIDAI) woke up to a public disclosure of an existential vulnerability in Aadhaar, the identification system that has recorded the biometric details of over 1 billion Indians.

In public, UIDAI claimed Aadhaar was completely secure as a user had to physically press her finger onto a biometric reader connected to the authority’s impregnable servers to conduct any transaction.

But UIDAI’s experts had long known of one critical weakness: if an unscrupulous operator saved a copy of a user’s biometric fingerprints on his computer, he could transact on the user’s behalf by simply replaying the fingerprint stored on his computer.

On February 11, a YouTube clip illustrating such a replay attack was leaked online. On February 24, UIDAI filed a criminal complaint, alleging that an employee of Suvidhaa Infoserve had used Axis Bank’s gateway to UIDAI’s servers to conduct 397 biometric transactions between July 2016 and February 2017 using a stored fingerprint. Axis Bank representatives did not respond to requests for comment.

“The transaction went through because one of their own developers was trying to do this,” said UIDAI chairman Ajay Bhushan Pandey, who told HT that such breaches were very rare, much like aeroplane crashes. “Can somebody say a plane won’t crash? Question is how we minimise the risk.”

This vulnerability, Pandey said, would be eliminated by new security measures. The Registered Device Notification, issued on January 25, mandated the registration and encryption of each of the millions of biometric readers currently in use in Aadhaar’s sprawling infrastructure by June 1. But on May 24, UIDAI pushed the deadline to September 30, citing “logistical limitations”. It is unclear if the new deadline will be met.

Aadhaar “assumes that all the service providers are trustworthy, and will keep all the keys, certificates etc safe and away from prying eyes,” said Dr Sandeep Shukla, head of the Computer Science department at IIT Kanpur. “However, if one of the Aadhaar-enabled service providers goes rogue, all the security they have suggested will be compromised.”

Today, Aadhaar is defenceless against replay attacks even as the Union government pushes for its use to register everything from infant children to bank accounts. Worse, experts like Dr Shukla warn that even implementing the security upgrades will not safeguard the identities of 1 billion Indians.

Private companies enrol new users on behalf of UIDAI and authenticate enrolled users when they access an Aadhaar-enabled service.

The Safety Framework
Aadhaar is still defenceless against replay attacks. Experts warn that security upgrades will not safeguard identities of 1 billion Indians.
01. Provide your fingerprint to the biometric reader (public device) for authentication purposes.
02. The optical sensor of the biometric reader captures a photograph of your fingerprint and transfers that to the computer via a USB cable.
03. The host computer converts the fingerprint into a template which is then converted to a PID (Personal ID) block.
04. The PID block is sent to the UIDAI through a series of intermediary gateway servers.
05. The UIDAI server responds with either Yes/No (successful/failed authentication).

The host computer can store the user’s biometrics.
These stored biometrics can be used without the individual’s consent for authentication.
A stored fingerprint can be used to make an artificial finger using a 3D printer.
The PID block is not encrypted, and so is vulnerable to interception by hackers.
The host computer is also connected to public internet servers and hence vulnerable to viruses and malware that can steal the PID block.

01. Provide your fingerprint to the biometric reader (registered device) for authentication.
02. No upgrade to reader hardware. However, when the reader is connected to the host computer for the first time, the computer will register the reader’s serial number.
03. A software upgrade in the computer will bind the fingerprint with the registered biometric reader’s ID and timestamp, to create an encrypted PID.
04. The encrypted PID block is sent to the UIDAI server through a series of gateways.
05. The UIDAI server responds with either Yes/No (successful/failed authentication).

Even a registered biometric device can be “cloned” by a hacker to fool the UIDAI servers into thinking that the system is using an authorised device.
Encryption still occurs in the computer, so a stored biometric can be used by a skilled hacker.
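
The registered-device steps in the box depend on the server checking the device ID, the timestamp and whether a block has been seen before. The sketch below is an added illustration of those server-side checks, not UIDAI's software or its PID format; the field names, the HMAC construction, the five-minute window and the template-reuse check are all assumptions made for the example.

```python
import hashlib
import hmac
import json

MAX_AGE_SECONDS = 300  # assumed freshness window

def _mac(key: bytes, body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_pid(device_key: bytes, device_id: str, template: bytes, ts: int) -> dict:
    """Device side: bind one capture to the device ID and capture time."""
    body = {"device_id": device_id, "ts": ts,
            "template_sha256": hashlib.sha256(template).hexdigest()}
    return {**body, "mac": _mac(device_key, body)}

class Verifier:
    """Server side: accept a block only if it is authentic, fresh and new."""
    def __init__(self, registered: dict):
        self.registered = registered   # device_id -> key set at registration
        self.seen_macs = set()         # exact blocks already accepted
        self.seen_templates = set()    # template hashes already accepted

    def check(self, pid: dict, now: int) -> str:
        key = self.registered.get(str(pid.get("device_id")))
        if key is None:
            return "reject: unregistered device"
        body = {k: v for k, v in pid.items() if k != "mac"}
        given = str(pid.get("mac", "")).encode()
        if not hmac.compare_digest(_mac(key, body).encode(), given):
            return "reject: bad MAC"
        if abs(now - pid["ts"]) > MAX_AGE_SECONDS:
            return "reject: stale timestamp"
        if pid["mac"] in self.seen_macs:
            return "reject: replayed block"
        # Assumption: two live captures are never byte-identical, so a
        # repeated template hash points to a stored sample being reused.
        if pid["template_sha256"] in self.seen_templates:
            return "reject: reused template"
        self.seen_macs.add(pid["mac"])
        self.seen_templates.add(pid["template_sha256"])
        return "accept"
```

These checks stop a captured block from being resent, but they authenticate the message rather than the finger: if the key is held on the host computer, the caveat in the box about encryption occurring in the computer still applies.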

“Enrollment software is owned and written by UIDAI, so trust in the process is high,” said a cyber security expert who examined the Suvidhaa-Axis Bank breach. “The biggest problem with authentication is UIDAI must work with private companies, deploying proprietary software on public internet services.”

“In any kind of system, the basic core will always be secure, but any such core system has to interact with a larger ecosystem and this ecosystem always brings the problem to the table,” said Vinayak Godse, director of the Data Security Council of India, NASSCOM’s premier data protection organisation.

Godse said UIDAI tries to control this ecosystem (see box) by publishing software specifications, and pushing entities like banks to comply with these guidelines.

Authentication software must receive a fingerprint from a biometric reader, process it and send it on to UIDAI for authentication. By law, fingerprint copies cannot be stored. But banking software is complex, making it hard to spot vulnerabilities hidden amidst millions of lines of code.

In the Suvidhaa-Axis Bank case, the expert said, a developer had illegally added a feature where an engineer could test the software by using a stored fingerprint rather than pressing his thumb onto a biometric reader each time he ran the test.

The new regulations try to secure the biometric reader, rather than the banking software.

By September 30, banks must pair their existing biometric readers with new software that registers each device with UIDAI’s servers. Once registered, the device must mark each fingerprint it records with a unique signature and encrypt it.

But Shukla, the expert from IIT Kanpur, said registering each biometric reader with UIDAI isn’t enough as readers can be cloned, the way that hackers routinely clone phone SIM cards.

Ultimately, UIDAI wants manufacturers to develop a reader with a chip to perform authentication functions. But all hardware, Shukla said, can be cloned, raising the question if Aadhaar can ever be truly secure.

The debate over biometric reader security, some experts say, is a consequence of UIDAI’s conceptual misunderstanding about biometrics. Fingerprints are personal but public information, in the way that someone’s name is personal because it is their name, but is known to everyone and hence public.

“One must be careful in using biometrics as an authenticator,” said Shweta Agarwal, a Computer Science professor at IIT Madras. “There is technology to lift a person’s fingerprint, say from a book she is reading or from high resolution images posted on social media.”

In 2014, for instance, hacker Jan Krissler recreated the fingerprints of Germany’s Defence Minister Ursula von der Leyen from close-up photographs in a government press release. Advances in technology mean stolen prints can be used to make three-dimensional replicas.

“I’ve actually seen someone do that on my reader,” said a UIDAI-certified biometric device vendor, describing a test in which an Aadhaar transaction was performed using a fingerprint etched onto a fake plastic thumb. “I couldn’t believe my eyes.”

Rather than confront these vulnerabilities, UIDAI has obfuscated facts.

In a UIDAI document titled Facts about Aadhaar, published in August 2016, UIDAI claimed the Aadhaar ecosystem already used registered biometric devices despite the fact that such devices will be introduced in October this year at the earliest.

The document also claims that biometric sensors “are increasingly implementing liveness detection to ensure any attempt at making fake fingers/iris etc are prevented.” Yet none of the biometric readers certified by UIDAI have been tested for liveness detection, according to documents reviewed by HT.

Ultimately, the government’s decision to force 1.2 billion Indians to surrender their information to an opaque and unaccountable system like UIDAI is a political rather than a technological choice.

Godse from the DSCI said society must weigh Aadhaar’s risks against its benefits. “Giving choice to the consumer is a very important kind of expectation that a modern day society should enjoy on any system, be it private or public,” said Godse. “Choice and freedom associated with it.”