Aadhaar Hack Existed From 2016, Confirms Expert Who Reviewed Patch

Dilemma – This is the one word that every cyber crime reporter and a researcher faces when they come across a cyber crime. The dilemma exist because of various reasons:

1. Is an initial tip-off even credible enough to investigate?
2. Can the investigation be done in a manner that does not lead one to actually perform the crime?
3. Can we gather credible evidence through investigations?
4. Is the evidence gathering process itself is legal?
5. Were the authorities notified about a cyber crime, so that they can initiate remedial measures, to address the issue?

The Huffington Post investigation into the cracked ECMP software is a cyber crime report and hence faced all these dilemmas, before it was eventually published. That it took three months and more from the initial tip-off is primarily because of these dilemmas. As a security researcher who worked with them during the investigation (July - September 2018), I am duty-bound to explain to readers how I worked through these dilemmas, as my involvement in Aadhaar pre-dates the HuffPost investigation.

The primary motivation for my involvement in the ECMP software hack is that ideologically, on national security, I am a hawk and my personal opinions on all other things are irrelevant. I have also made several public offers (here and here) to engage with UIDAI pro-bono, which were not responded to.

Initial Tip-Off

The first tip-off that the cracked ECMP software exists, was not a tip-off in the classical sense. It is a full-fledged investigation done by the UP Special Task force (STF), into a crime gang that specialised in creating fake Aadhaar cards. Media reports of the investigation, dated exactly one year before, have claimed the “gang hacked secure source code” and claimed that this would not have been possible without the “collusion of one or more UIDAI officials”.

Now, “collusion of one or more UIDAI officials” was a very serious charge coming from the Special Task force. No media outlet even followed it up – the story was never investigated further and died.

The collusion angle, however, piqued my interest. A google search of all media reports pointed to evidence that the “hacked software” was available for limited use, as early as Feb 2016, a full year and half before the UP STF caught the gang.

So what is the patch? What did it do? Who made it? These are questions that have not been fully answered and it is important that these came out in the public domain.

Observer

Our next breakthrough came around May 2018, when Asia Times obtained access into the WhatsApp groups of enrolment operators who were sold the cracked ECMP software because of a whistleblower. The Asia Times story was a breakthrough because it taught us where to look. It was also very similar to the UP STF story:

1. There was a cracked software.
2. It was used to bypass security measures.
3. It was widely used.

The last point about it being “widely used” was crucial because if it was widely used by operators who have no technical expertise, then there has to be a training program. That is when Asia Times’ South Asia editor, Saikat Datta and I had a brain wave. It has to be on YouTube, because the platform is quite popular in India.

So we did a simple google search again, and found hundreds of training videos on YouTube, which explained how to use the crack. One video, however was pretty good. It showed us the step-by-step lowdown on how the crack worked.

From a security researcher’s point of view, trying to understand how the crime was committed, this can’t get any better. It is a confession, recorded live and uploaded to a public channel and has not been taken down yet. However, a confession is still not good enough evidence. Saikat and I needed the patch to do a forensic analysis, but we did not have it.

The UIDAI, however, issued its traditional denial, which in a way confirmed that we were on the right track – but neither of us could go any further.

Provable Evidence

When an anonymous whistleblower sent the patch to HuffPost, they sent a copy to me because of my previous involvement in reporting these issues as a security researcher. The patch is a ZIP file and constitutes evidence similar to finding a hair, nail or a fingerprint at a crime scene. It had to be corroborated with other evidence that I already knew of, such as:

1. The YouTube Videos
2. Various Police FIRs filed on fake Aadhaar scams
3. On-ground confirmation that it works

Forensic analysis of the patch was easy work (40 hours is easy work in security research) because it involved decompilation and reading through the JAVA source code. For non-technical readers, the enrolment software is written in the JAVA programming language and the generated bytecode should at least have been obfuscated. That UIDAI chose not to do this is simply baffling, as it made the patch-maker’s job easy.

It also made my life easy, because I can decompile the patch and read through its source code as well. To put it simply, that the top secret source code that UP Police reported was inaccessible to anyone but UIDAI, is an inaccurate claim. Anyone who could download the enrolment software, can decompile it and read through the source code. (Yes, it is that bad)

Analysing the patch, I came to the conclusions that was reported in the HuffPost story. The conclusions were disturbing enough to reach out to National Critical Information Infrastructure Protection Centre (NCIIPC). A bit about the NCIIPC is important for readers to understand. NCIIPC is the legally appointed nodal agency for all cyber-security issues related to sectors designated as critical.

A vulnerability in any software is a bug. For reporting it, there are standard procedures and format, called a bug report. NCIIPC always has been responsive to security researchers filing bug reports and usually acknowledge the receipt of the bug report almost instantly. They take it up internally with the organisation that is responsible and drive it to closure, which takes time.

However, from a security researcher’s point of view, there is no further need to follow up with NCIIPC once an acknowledgement of receipt is received, since they have a good reputation of taking it up with the concerned organisation internally.

Coming back to the patch, once the issue was reported to NCIIPC and they acknowledged the receipt of the bug report, there is not much a security researcher can do but wait for it to get resolved by the UIDAI.

Peer Reviews

From HuffPost’s point of view, one researcher’s analysis is not sufficient. It needs to be peer-reviewed and vetted by other security researchers to withstand scrutiny. So they reached out to others with the patch, who came to the same conclusions that I did, which was further corroborated by Police FIRs, YouTube Videos and also on-ground checks with enrolment operators. These operators confirmed to them that the patch still works a day before the report came out.

Software hacks happen all the time and responsible organisations ensure that they get fixed once issues are reported through other, safer back-channels. It is evident that so far, UIDAI has not acted responsibly.

1. February 2016 was the first media report that pointed out the issue.
2. September 2017 was when the FIR by UP STF was filed.
3. September 2018 was when HuffPost reported the issue.

For two years, UIDAI did nothing, in spite of overwhelming evidence that the use of the software patch had grown exponentially. Instead, they tried to keep a lid on the problem and nothing else.

The Way Forward

I started with the dilemmas that researchers face while investigating cyber crime, and would like to analyse the HuffPost story too along those lines.

1. Was the initial tip-off credible?
   Yes, as it came from the UP Police itself.
2. Did we actually commit any crime, during the investigation?
   No. The YouTube Videos that Saikat and I found were confessions uploaded in the public domain. We were observers, not participants.
3. Was the evidence credible enough?
   Yes. The patch was analysed and the conclusions were corroborated by multiple security researchers. Further, we also have FIRs filed by police officers in other states, YouTube Videos, and statements from enrolment operators.
4. Is the evidence gathering process legal?
   Yes it is. Neither me nor HuffPost reporters did a fake enrolment that resulted in the generation of an Aadhaar number. The patch was sent to HuffPost via an anonymous whistleblower, as far as I am aware.
5. Were the authorities notified about the crime?
   Yes they were. Multiple emails were sent to UIDAI over time, as early as May 2018. Further, UIDAI officials themselves were involved in some of the investigations done by the local enforcement agencies. So they were more than aware of the issue, for quite some time.

Cyber crime is a hard topic to even write about in long form for non-technical readers. A clever snark on Twitter or a sound bite on TV might be an attractive option to get eyeballs, but does not help much in the long term. Given the explosion of I-T, cyber is the most urgent policy problem of our times.

As far as I am aware, the only agency with proven capability to do this and also has constitutional backing is NCIIPC. While the UIDAI may be the problem child that gets everyone’s attention by throwing temper tantrums, NCIIPC may yet become the quiet achiever, if given the right backing.

(Anand Venkatanarayanan is a Bengaluru-based cyber security analyst and software developer.)