A series of recently discovered data breaches and vulnerabilities could substantially alter the way the digital world works. Two of these are huge breaches that affect every Indian resident. Two are newly announced vulnerabilities that affect pretty much every computer and smartphone currently in civilian usage.
The first incident involved Airtel. It can only be described as a criminal act perpetrated on a massive scale. When new subscribers signed up for the phone service, or existing subscribers linked their numbers to their Aadhaar accounts, the Aadhaar details were used to open Airtel Payment Bank accounts without the customers’ knowledge.
This was an especially useful way to game the system since Direct Benefit Transfers such as gas subsidy payments and MNREGA automatically flow into the bank account which is last linked to Aadhaar. Net inflows are said to have amounted to over Rs 1.90 billion in over three million of these fraudulent accounts.
The second incident came to light a few days ago. The Tribune described how Aadhaar demographic details were being made available for the payment of just Rs 500. Upon payment, the user received a log-in where he could enter any Aadhaar number and receive the associated demographic information, including name, address, phone number, photograph, and email. It is easy enough to automate this process of plugging in numbers and just scrape the data at high speed.
Apparently the entire biometric database’s demographic data is available, which means that every Aadhaar signup is wide open to identity theft. The UIDAI has said, of course, that this is not a breach by its definition because the biometric information isn’t compromised.
Assuming you believe that, it doesn’t really matter, since every other pertinent detail about 1 billion-odd citizens is available. This might have been happening for months, which would mean that multiple copies of that demographic data now exist. The commoditisation of the method — selling the log-in for Rs 500 — indicates that scammers have already harvested whatever they wanted.
The third and fourth incidents are of a different order and the scale is also pretty large. A couple of days ago, security researchers revealed that two major bugs exist that leave pretty much every digital computing device at risk. Apparently, the companies concerned have all been working desperately to try and get these fixed for the past several months. But these vulnerabilities are now in the public domain.
The “Meltdown” bug affects most Intel chips manufactured between 1995 and 2013. It can be fixed by a patch which could, however, slow machines down a lot since it affects the way memory works. Exploiting this is also pretty easy — there are already a half dozen exploits released into the wild.
The “Spectre” bug is harder to exploit. But it is even harder to fix and it affects Intel, AMD, and ARM processors, which means that it takes out smartphones, laptops, desktops, and servers. One really nasty possibility is that somebody could exploit this by buying a few hours on a cloud service and stealing the data of every other user of that cloud. Plugging this vulnerability will be hell. If these vulnerabilities have already been exploited, it would be hard to tell because there would be no trace of intrusions.
Cloud service providers will have to figure out radical solutions. Do you replace every server with a non-vulnerable chip? Do you live with slow and potentially vulnerable services? Users will also have to figure out what they can live with. The three alternatives are slower, somewhat safer services; more expensive, faster, safer services; or faster but more vulnerable services. Meanwhile, chipmakers must be wondering if class-action suits are on the cards.
The Aadhaar database itself is quite possibly open to these two vulnerabilities as well. Given the UIDAI’s lackadaisical attitude to security, who knows if it will be fixed? It doesn’t matter anyway. If you have signed up for the 12-digit number, you now need to change your name, your email id, residential address, phone number, associated bank accounts, etc. But you can relax, your biometric data is (supposedly) secure.