In January 2018, India was suddenly jolted awake by the tweets of a French security researcher named Robert Baptiste, who goes by the Twitter handle @fs0c131y. He started tweeting about the mAadhaar application and how vulnerable it was. Later he found a lot of websites and apps leaking Aadhaar data. In fact, when we interviewed him at Killer Features he advised users to delete the mAadhaar app.
Since then Baptiste has reported on Aadhaar multiple times. He also built a tool to search for Aadhaar numbers that were already public. But till now the authorities have staunchly denied any vulnerabilities in the Aadhaar database and have turned a deaf ear to these warnings.
How to bypass the password protection of the official #Aadhaar #android #app in 1 minute.
For this attack, the attacker needs physical access to the phone; a rooted phone is not needed and yes, this is the latest version of the app.
cc @uidai @ceo_uidai pic.twitter.com/7aZ0fvr0Wv
— Elliot Alderson (@fs0c131y) March 13, 2018
However, in no way does such publication threaten or impact the security of Aadhaar and its database. Aadhaar remains safe and secure and there has not been a single breach of its biometric database during the last eight years of its existence. 8/8
— Aadhaar (@UIDAI) March 17, 2018
But he is not the only one being ignored. Multiple other security researchers in India have reported several bugs in official government websites of different entities, but they have mostly met a stone wall. Anand Venkatanarayanan, who has been vocal about Aadhaar security, says it is a tough road. In fact, he had written a post about the mAadhaar app's flaws last year.
"We have reported multiple vulnerabilities but often there is no acknowledgement or response from anyone," he says. "And responses are often negative. Look at what happened in the eHospital app case." Last year, developer Abhinav Srivastava was arrested by the Crime Branch on charges of data theft. The authorities had accused him of stealing data through an eKYC app he himself had developed. Srivastava had allegedly taken advantage of the lack of HTTPS protection on the service. He had claimed that there were no criminal intentions involved.
“No one could get data from any other person through this app. Even though residents were downloading their own demographic data such as name, address etc., yet legal actions were initiated against the owner of the app since it was not authorised to provide such services to people, and such acts are a criminal offence punishable as per the Aadhaar Act, 2016. It is further reiterated that data of not even a single non-consenting resident has been given by UIDAI through this app,” said Ajay Bhushan Pandey, CEO of UIDAI at the time.
Shortly after we wrote this story, ZDNet, working with security researcher Karan Saini, found that the state-owned entity Indane allowed anyone to access the private information of Aadhaar holders. Despite reaching out to the authorities several times, ZDNet received no response. In the end, UIDAI went ahead and refuted the claims of ZDNet and Saini.
And not just him: several officials of the Indian government and its agencies have denied any security flaw in the Aadhaar system multiple times.
Not Just Aadhaar
But this is not just limited to Aadhaar and UIDAI. We talked with Kanishk Sajnani, who found vulnerabilities in the IRCTC platform. For months there was a bug where anyone could hack into the catering system and change the amount payable after ordering food. He sent multiple emails and tweets to the authorities without getting any response. And there are still multiple websites, such as IRCTC Tourism and IRCTC Corporate, which don't have even basic HTTPS security.
"This is a grievous situation for the customer and employee data. And it is frustrating to see no response from them," Sajnani said while talking to Killer Features. Interestingly, the bug he had found has since been patched, but Sajnani's work has neither been acknowledged nor rewarded.
We had recently reported that a developer had found fatal flaws in various websites operated by states such as Maharashtra, Andhra Pradesh and UP. Several of these websites held personal data of numerous citizens. Even after being widely reported, there was no action.
Developer Akshay Jain told us on Twitter that he has been trying to reach someone at CERT-In regarding a security hole in the Air India app but has been disappointed so far. Another programmer, Somdev Sangwan, told us that many state websites are susceptible to attack. He said that many of these websites can be found by simple search queries on engines such as Google and Bing.
There's a vulnerability in Gov Data which they tried to patch but the new protections can be bypassed in no time, so it's still vulnerable.
"It is hard to find the motivation for picking out vulnerabilities on these platforms. As there is no interest or response from the authorities, most of us lose interest as well," Venkatanarayanan says.
Indian companies and bug bounty
Venkatanarayanan says that it's not only Indian authorities but even Indian companies who frown upon having a bug reported to them. "Very few organisations like Zomato take responsibility when a flaw is reported." It is hard to find a culture of awarding bug bounties in Indian companies; bug bounties haven't traditionally been part of Indian startups. In 2015, after a lot of backlash, Ola opened up its reward program.
But potential bounty hunters need to take care of a few things as well when reporting bugs.
"There are factors such as the quality and impact of the bug, along with the tone of the description, which play a part in the response as well," says application security expert Riyaz Walikar. "Their tone often becomes accusatory when the bug reports are ignored, and some resort to abusive language as well."
"A lot of us don't do this for money. But a Bug Bounty is just a token of appreciation," Venkatanarayanan opines.
The fear of 'the man'
There is a fear of the authorities amongst the white hat community. Multiple times there has been the threat of an FIR from officials when a security bug has been reported to them.
Venkatanarayanan believes that there should be a proper platform and a process for addressing reported concerns and finding bugs should be encouraged by the government.
Renowned bug bounty hunter Anand Prakash says that the government should have dedicated email IDs for this. "A lot of people in the security community don't even test government websites out of fear," he says.
"Last time I reported an issue with the CBSE website. They were not responding for 10+ days. Later I reached Dainik Bhaskar and with the help of their reporter, I talked to someone in CBSE. The reporter told me that the CBSE person was asking whether I had misused the data or not, to file an FIR." A developer who wished to remain unnamed told us, "This time I found an issue with the Kendriya Vidyalaya website where data of more than 12000+ teachers is publicly available to add/edit/delete. But I didn't report it to them. I don't know if this time again they will threaten to register an FIR against me! Let me know if you people can report it to get the issue fixed."
The Indian IT Act is really vague at the moment. There are blurred lines around the 'unauthorised access' mentioned in section 43(A) of the IT Act. Additionally, there are no clear guidelines on the minimum security measures a company or an organisation should take. And Section 52 of the Aadhaar Act says that any official involved in the project whose 'intentions are good' can't be sued.
It seems like shutting down researchers from reporting vulnerabilities is the most effective weapon the government has for securing its portals. Instead of rewarding the hard work of its citizens who help secure the nation's critical systems, the government instead takes it as an insult and threatens legal action. The cyber-security of our critical systems and how the government has been handling it is best summarised by the meme below.
Indian cyberspace is not considered to be one of the safest in the world. A recent report has suggested that almost 22,000 Indian websites were hacked in the past year. A story from TOI suggests that India is ranked 4th in terms of online breaches. There is no dearth of talent, but there is surely a lack of encouragement. In fact, Facebook has revealed that Indian hackers are the highest earners in its bug bounty program.
While Indian authorities are warning Mark Zuckerberg not to mess with the data of Indian citizens, they might want to take a look back at home and plug the holes in the leaking data boat as well. Let's not forget that these are the same people who just told the Supreme Court that the Aadhaar data is stored behind a 13-feet thick wall and is hence secure. You can facepalm yourself now.