Elliot Alderson: The hacker who started the Aadhaar security controversy
What's the story
TRAI chairman RS Sharma is in the midst of a storm now after his Twitter challenge on Aadhaar's security majorly backfired. Hackers have already exposed several personal details about Sharma, and has even deposited money in his bank account. The entire episode is an extension of the debate on Aadhaar's security, precipitated by French ethical hacker Elliot Alderson. Who is he? We elaborate.
Latest
Sharma left red-faced again; was Alderson right about Aadhaar?
Despite UIDAI rubbishing claims that Sharma's personal details were stolen from the UIDAI database using his Aadhaar number, the episode isn't over yet. Now, TOI has reported that ethical hackers have also deposited Re. 1 to Sharma's bank account, and have found Sharma's other bank accounts, IFSC codes, and even a particular payment history. All this is reminiscent of Alderson's earlier warnings about Aadhaar.
Origins
It started in March when Alderson hacked the Aadhaar app
It all started in March when Alderson, whose real name is Baptiste Robert, hacked into the Aadhaar app within a minute and reportedly gained access to 22,000 Aadhaar card details. Despite Alderson's findings, UIDAI remained adamant about the robustness of Aadhaar's security. Notably, this wasn't the first instance of Alderson hacking into government portals.
Context
Alderson finds a loophole, makes his findings public
Initially, Alderson had found a loophole in the Aadhaar's Android application which revealed that users' biometric data was being saved in a local database by app developers whose password wasn't too difficult to obtain. "These cards can be found on the internet. They are not on the UIDAI server. Everything is public, no hack is required," he said.
Twitter Post
Alderson had shared his findings on Twitter
How to bypass the password protection of the official #Aadhaar #android #app in 1 minute.
— Elliot Alderson (@fs0c131y) March 13, 2018
For this attack, the attacker need a physical access to the phone, rooted phone is not needed and yes this is the latest version of the app.
cc @uidai @ceo_uidai pic.twitter.com/7aZ0fvr0Wv
Motive
Alderson is a French security expert and app developer
Alderson is a French security expert who is a network and telecommunications engineer by profession. He claims to have no ulterior motive behind his revelations other than highlighting serious security vulnerabilities so that they can be patched at the earliest. To be transparent about the whole process, Alderson openly communicates with the concerned organizations on Twitter, and often publicly posts DM conversations with them.
Inspiration
Alderson is inspired by renowned whistleblower Edward Snowden
The French developer draws inspiration from renowned whistleblower Edward Snowden. "By nature, I'm curious and I like to understand how things are working which often leads by finding security flaws," he said. The 28-year-old cybersecurity expert does not have any sort of team behind him and follows a "standard process" to find security flaws.
Feathers in cap
Aadhaar not the only platform Alderson has exposed
On February 25, Alderson accessed the database of the Telangana government's benefit disbursement portal TSPost. This contained personal information of 56 lakh beneficiaries of the National Rural Employment Guarantee scheme and 40 lakh beneficiaries of social security pensions. He had also earlier highlighted that Paytm was seeking root access to users' devices, after which the mobile payments company removed the root request.
Trivia
Not impossible to achieve almost 100% privacy online: Alderson
Previously, Alderson has discovered vulnerabilities in the online portals of Punjab Police, Indian Postal Service, Apollo Hospitals, and BSNL. He says that even though it is "complicated," it is not entirely impossible to achieve almost 100% privacy online. Interestingly, his username has been inspired by a character by the same name from the television series Mr. Robot, who is also a vigilante hacker.
UIDAI's claims
However, the UIDAI's claims might have some truth too
Yet, for all of Alderson's alleged successes, it's important to note that the UIDAI's defense against Alderson's claims also holds some ground. UIDAI points out that all the information pulled was available on the public domain owing to Sharma's long history of public service. For instance, Sharma's mobile number was pulled from the NIC website, his email from the IIT-Delhi alumni portal, etc.