Even while the central government has been repeatedly assuring that the Aadhaar data is kept with foolproof security, the Aadhaar network is fraught with security loopholes. An IT graduate from an IIT leaked the Aadhaar information of 50,000 people through a mobile app the other day, exposing the vulnerability of its safety protocols. It also points to serious lapses on the part of the National Informatics Centre (NIC), one of the agencies entrusted with the safe handling of the Aadhaar information.
Where did it break down?
As a precautionary measure to prevent leakage of the data, the Central Identities Data Repository (CIDR), where the Aadhaar data is stored, is not connected to the internet. But the authentication service, which confirms the identity of the original card holder, is entrusted to 27 different KYC Service Agencies (KSAs). The identification details of clients are verified by various authentication or KYC user agencies (KUAs) functioning under these KSAs; telecom operators and banks are among the KYC user agencies. The data transfer up to this point is through a dedicated line, and the data is encrypted to prevent theft in transit. The problem lies with the data transfer beyond this point in the huge network. For instance, the vulnerabilities in e-hospital, a mobile app which authenticates Aadhaar documents via NIC, came in handy for the IIT graduate from Kanpur who leaked the Aadhaar data.
This is how the data leaked
- The network from the Aadhaar CIDR to the NIC was foolproof. However, the transfer of data from the NIC to the e-hospital app was not encrypted.
- The techie, who earlier worked with the NIC, had access to the source code of the mobile app. That source also contained the access code used to collect Aadhaar information.
- Using this, the accused developed a new app. It replicated the code of the e-hospital app, and hence the data automatically flowed from the e-hospital app to the new app.
- From January to July, about 50,000 people used the proxy app created by the techie. But the NIC and Aadhaar authorities never had a clue about the data theft.
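Two things went wrong on the last leg described above: the NIC-to-app transfer ran without encryption, and a second app reusing the same access code went unnoticed for seven months. The following Python script is an added example, not code from the article, the NIC or UIDAI. It shows the kind of audit an agency could run over its own authentication-gateway logs to catch both problems early. The log format, the app credential names, the transport field and all the request counts are constructed for illustration.

```python
"""Added example: audit constructed authentication-gateway logs for
(1) app traffic carried without TLS and (2) an app credential whose
request volume suddenly diverges from its own baseline, which is how a
cloned app reusing the same access code would surface long before
tens of thousands of records had been pulled.
The log format, field names and numbers are assumptions, not any
agency's real schema."""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed log lines: one line per app per day.
# Format (assumed): <date> app=<credential id> transport=<https|http> count=<requests>
SAMPLE_LOG = """\
2018-01-02 app=ehospital-kua-01 transport=https count=118
2018-01-03 app=ehospital-kua-01 transport=https count=124
2018-01-04 app=ehospital-kua-01 transport=https count=131
2018-01-05 app=ehospital-kua-01 transport=https count=120
2018-01-06 app=ehospital-kua-01 transport=http count=905
2018-01-07 app=ehospital-kua-01 transport=http count=1342
2018-01-02 app=pharmacy-kua-02 transport=https count=40
2018-01-03 app=pharmacy-kua-02 transport=https count=44
2018-01-04 app=pharmacy-kua-02 transport=https count=39
2018-01-05 app=pharmacy-kua-02 transport=https count=41
2018-01-06 app=pharmacy-kua-02 transport=https count=43
2018-01-07 app=pharmacy-kua-02 transport=https count=45
"""


def parse_log(text):
    """Parse the constructed key=value lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            day = date.fromisoformat(parts[0])
            fields = dict(p.split("=", 1) for p in parts[1:])
            records.append({"day": day, "app": fields["app"],
                            "transport": fields["transport"],
                            "count": int(fields["count"])})
        except (ValueError, KeyError):
            continue
    return records


def plaintext_days(records):
    """(day, app) pairs on which an app's requests were carried without TLS.
    The unencrypted NIC-to-app leg is exactly what this check would flag."""
    return sorted({(r["day"].isoformat(), r["app"]) for r in records
                   if r["transport"] != "https"})


def volume_anomalies(records, baseline_days=4, z_threshold=3.0):
    """Flag days whose request count is far above the app's own baseline.
    The first `baseline_days` entries per app form the baseline; later days
    are scored by z-score against that mean and standard deviation.
    Returns a list of (day, app, count, z)."""
    by_app = defaultdict(list)
    for r in sorted(records, key=lambda r: r["day"]):
        by_app[r["app"]].append(r)
    flagged = []
    for app, rows in by_app.items():
        base = [r["count"] for r in rows[:baseline_days]]
        if len(base) < 2:
            continue  # not enough history to judge
        mu, sigma = mean(base), max(pstdev(base), 1.0)  # floor avoids a zero spread
        for r in rows[baseline_days:]:
            z = (r["count"] - mu) / sigma
            if z > z_threshold:
                flagged.append((r["day"].isoformat(), app, r["count"], round(z, 1)))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for day, app in plaintext_days(recs):
        print(f"PLAINTEXT {day} {app}")
    for day, app, count, z in volume_anomalies(recs):
        print(f"VOLUME    {day} {app} count={count} z={z}")
```

Run as-is, the script reports the two plaintext days for the e-hospital credential and flags the same two days for request volume, while the steady second app produces nothing. A per-credential baseline is the point: a cloned app reusing a legitimate access code cannot be told apart by the code alone, so the gateway has to watch how each credential behaves over time.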
What it forebodes...
More than 250 KYC user agencies are part of the Aadhaar project, and there are umpteen apps under each of these agencies. If the code of these apps is not safe enough, anybody could get hold of the Aadhaar data. So an effective security audit from the top to the very bottom of the network is the need of the hour.