Thursday, September 13, 2018

Technology Series (Part 4): India: Massive biometric databases...The risk!...As the Huffington Post (India) reports (reporter Cameron Dell)..."Aadhaar Biometric Database Vulnerable to Hack."..."India's controversial biometric database, Aadhaar, has been once again compromised, according to a three-month investigation launched by HuffPost India." (The bigger they are, the harder they fall. HL);

India's Aadhaar Biometric ID Database Vulnerable to Hack: Report
PASSAGE OF THE DAY: "The Aadhaar system, launched in 2009, is the largest biometric program of its kind in the world, with more than 1 billion Indian residents enrolled. The 12-digit codes are assigned by the Unique Identification Authority of India (UIDAI) and links data from fingerprints and iris scans as a means to confirm the identities of anyone who works or resides in the country, including non-citizens. The government's intent was to create digital identities as a way to ensure access to welfare, health, and education programs. The country hosts one of the largest populations of internal migrant workers, many of whom often carry no identification, making it difficult to prove who they are when traveling state to state. The Aadhaar system has been widely criticized for its lack of regulatory framework. The identities of hundreds of millions of people were imperiled last year alone due to leaks of biometric data. In January, a group of journalists reported paying the equivalent of $8 to gain full administrative access to the database."

STORY: Simple Hack Turns India's Massive Biometric Database Into a Profitable Counterfeit System, by reporter Dell Cameron, published by The Huffington Post on September 11, 2018.

GIST: India's controversial biometric database, Aadhaar, has been once again compromised, according to a three-month investigation launched by HuffPost India. In a report published Tuesday, HuffPost revealed the existence of a malicious patch said to disable critical security features, making it easier not only to create unauthorized Aadhaar numbers but to fool the system's biometric recognition systems from virtually anywhere in the world. The purpose of the patch, which is reportedly in widespread use and easily obtained for roughly Rs 2,500 (around $35), is not to grant access to information in the database; rather, it allows unauthorized users to introduce information to it—i.e., create identities, potentially with fraudulent biometric data.

The Aadhaar system, launched in 2009, is the largest biometric program of its kind in the world, with more than 1 billion Indian residents enrolled. The 12-digit codes are assigned by the Unique Identification Authority of India (UIDAI) and links data from fingerprints and iris scans as a means to confirm the identities of anyone who works or resides in the country, including non-citizens. The government's intent was to create digital identities as a way to ensure access to welfare, health, and education programs. The country hosts one of the largest populations of internal migrant workers, many of whom often carry no identification, making it difficult to prove who they are when traveling state to state. The Aadhaar system has been widely criticized for its lack of regulatory framework. The identities of hundreds of millions of people were imperiled last year alone due to leaks of biometric data. In January, a group of journalists reported paying the equivalent of $8 to gain full administrative access to the database.

HuffPost India reports having acquired access to a patch that essentially reverts portions of the Aadhaar code using previous, less secure versions of the software. In one example of how security is downgraded by the patch, experts discovered code created to reduce the fail-rate for iris recognition, allowing the system to be fooled by a high-resolution photograph. Installing the patch, which is apparently widely in use at enrollment centers, is said to be relatively simple. HuffPost reports:
Using the patch is as simple as installing the enrolment software on a PC, and replacing a folder of Java libraries using the standard Control C, Control V cut-paste commands familiar to any computer user.
Once the patch is installed, enrolment operators no longer need to provide their fingerprint to use the enrolment software, the GPS is disabled, and the sensitivity of the iris scanner is reduced. This means that a single operator can log into multiple machines at the same time, reducing the cost per enrolment, and increasing their profits.
Moreover, a single person using the patch would be able to create multiple entries in the Aadhaar database, reportedly allowing them, as one expert told HuffPost, to "siphon off rations of multiple people." After having their findings confirmed by multiple international and Indian experts, the reporters delivered their findings to the NCIIPC, or National Critical Information Infrastructure Protection Centre, the principal Indian government agency responsible for protecting the nation's critical information infrastructure. Neither the UIDAI nor the NCIIPC could be immediately reached for comment. HuffPost India reports Indian authorities were not responsive to inquiries."
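
The passage quoted above says the patched client lets a single operator log into multiple machines at the same time and disables the GPS. As an added example (not code from HuffPost, Gizmodo, the UIDAI or this blog), here is one way a back-end could flag both signs from enrolment session records; the record layout, field names and sample values are constructed assumptions, not a real Aadhaar log format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (hypothetical layout):
# operator id, machine id, session start, session end, GPS fix or None.
SESSIONS = [
    ("OP-101", "PC-A", "2018-09-01T09:00", "2018-09-01T12:00", (28.61, 77.21)),
    ("OP-101", "PC-B", "2018-09-01T10:30", "2018-09-01T11:15", None),
    ("OP-102", "PC-C", "2018-09-01T09:00", "2018-09-01T10:00", (19.07, 72.88)),
    ("OP-102", "PC-D", "2018-09-01T10:05", "2018-09-01T11:00", (19.07, 72.88)),
    ("OP-103", "PC-E", "2018-09-01T09:00", "2018-09-01T09:40", None),
]

def parse(rows):
    """Turn raw tuples into dicts with real datetime objects."""
    return [{"op": op, "machine": machine,
             "start": datetime.fromisoformat(start),
             "end": datetime.fromisoformat(end), "gps": gps}
            for op, machine, start, end, gps in rows]

def concurrent_operators(sessions):
    """Map each operator to the machine pairs used in overlapping sessions."""
    by_op = defaultdict(list)
    for s in sessions:
        by_op[s["op"]].append(s)
    flagged = {}
    for op, items in by_op.items():
        items.sort(key=lambda s: s["start"])
        pairs = set()
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b["start"] >= a["end"]:
                    break  # sorted by start, so nothing later overlaps a
                if a["machine"] != b["machine"]:
                    pairs.add(tuple(sorted((a["machine"], b["machine"]))))
        if pairs:
            flagged[op] = sorted(pairs)
    return flagged

def missing_gps(sessions):
    """List (operator, machine) pairs whose session carried no GPS fix."""
    return sorted({(s["op"], s["machine"]) for s in sessions if s["gps"] is None})

if __name__ == "__main__":
    parsed = parse(SESSIONS)
    print("Same operator on several machines at once:", concurrent_operators(parsed))
    print("Sessions without a GPS fix:", missing_gps(parsed))
```

Because these checks run on the server from data it receives, they do not depend on the enrolment client's own libraries being intact.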

The entire story can be read at:
https://gizmodo.com/simple-hack-turns-indias-massive-biometric-database-int-1828972521

PUBLISHER'S NOTE: I am monitoring this case/issue. Keep your eye on the Charles Smith Blog for reports on developments. The Toronto Star, my previous employer for more than twenty incredible years, has put considerable effort into exposing the harm caused by Dr. Charles Smith and his protectors - and into pushing for reform of Ontario's forensic pediatric pathology system. The Star has a "topic" section which focuses on recent stories related to Dr. Charles Smith. It can be found at: http://www.thestar.com/topic/charlessmith. Information on "The Charles Smith Blog Award"- and its nomination process - can be found at: http://smithforensic.blogspot.com/2011/05/charles-smith-blog-award-nominations.html Please send any comments or information on other cases and issues of interest to the readers of this blog to: hlevy15@gmail.com.  Harold Levy: Publisher; The Charles Smith Blog;
---------------------------------------------------------------------