20 March 2018

Hold my beer while I crack UIDAI security


It was a squally Saturday evening in Manhattan, winds touching 40mph and seeping through the cracks of my rent subsidized midtown apartment(it’s the details, not just the location). I had just invited a friend over for a drink and we planned on binge watching Altered Carbon and finish a party pack of Doritos(not healthy, I know). We started discussing our doomsday scenarios of a post apocalyptic world where the state monitors your every movement and spoke at length about the Chinese “Credit Score” for appropriate behavior and its parallels with the credit score in the US which unfairly docks points for minorities and people in less than glamorous neighborhoods. 



The conversation veered towards the AADHAR and UIDAI in India and the resistance it is facing from certain section whilst being hailed as the next sliced bread by certain sections of the media. I identify as a centrist and don’t necessarily agree with the leftist ideology and prima facie agree with the concept of a unique tax identification number(Which the PAN card serves at the moment) but I’m wary of giving my biometric information to anyone. I have face ID disabled on my iPhone and try not to give out any information to the corporations(no facebook, a locked down instagram) but I object to a state mandated biometric identification document, but that’s just me.

My friend Alexa(not the smart speaker) insisted that Aadhar was a secure enclave and my fears are unfounded and I’m just paranoid about everything.

I half-joked that I can easily find Aadhar information of multiple users in ten minutes or so. She took up on my challenge and asked me to do it and if I win, she will take me out to lunch sometime and pay for it. Sounds good, I haven’t been to Ivan Ramen in a while and would love to have their steamed buns. So I cranked up my good old Ubuntu machine and let the magic work.

Methodology

I had only ten minutes, so I had to stick to basic exploits. I decided that state portals(India has 29 states and they also store Aadhar information on their servers) would be an easier target.

I started alphabetically and I hit gold at Andhra Pradesh. Took me a grand total of 5 minutes. Their website administrator had left the website’s (which I have not published here for obvious reasons) Port 80 open and unauthenticated at that. This is as easy as stealing a candy from a baby(although some babies can pee at you when you try that) and found roughly 8000 Aadhar cards with name, DOB, address and other personally identifiable information which can be used by nefarious elements to get fake SIM cards, create fake bank accounts and credit cards.

Andhra Pradesh Dump

Since the bet was won, I was happy and smirked like Dwight Schrute does here


Pleased with myself momentarily, I tried to penetrate a few more states(I know it sounds dirty but isn’t) and I was able to find Aadhar, PAN Card and Passports even uploaded on an unsecure server by Maharashtra and UP governments.

Maharashtra

UP dump

The main concern with this attack is that you don’t need to be a “hacker” or even know anything about cybersecurity. Just a small youtube tutorial of 8 minutes will give you the knowledge and the tools to get into the unsecured databases on various state websites(with gov.in domains) and get access to thousands of people’s private identification documents. I was a bit drunk with all the Nomad whisky I was drinking(it is nice, born in Scotland, raised in Spain, so it has bad teeth and smells bad ) and went on a twitter rant about how the security system(the absence of) was easily bypassed within minutes.

It was followed by a few profane tweets about telling the authorities to get their fecal matter together and in hindsight, I shouldn’t have said it. I blame Nomad Whisky for it though.

So the tweet went viral and was picked up by a few news outlets and I’m in touch with them.

If someone can point me to relevant authorities, so I can give out the portal URLs then they can patch the gaping holes in their security, I’m more than happy to help them at no cost.

I’d like to reiterate I have no political affiliations and I did all this for a free lunch at Ivan Ramen and to impress a girl.

No comments: