UIDAI has decided to provide facial recognition via images captured from a 5MP camera some years back. Is it a step too little and too late for the Aadhaar body?
In another incident, a security flaw in mAadhar app may allow hackers to steal your Aadhar data including the biometric data.
The UIDAI (Unique Identification Authority of India) has now added an extra layer of security for Aadhaar Holders by introducing face recognition in “Fusion” with fingerprints and Iris. The Face Recognition mechanism will act as another layer of verification alongside fingerprints, OTP and Iris authentication.
To make things convenient, UIDAI commented that it will be using the photo of the consumers that was captured at the time of Aadhar enrolment. The facial recognition will give an additional choice for people having trouble with their fingerprints and iris authentication which is supposed to go live by July this year.
How secure is Facial Recognition?
In November 2017, a group of cyber security researcher cracked iPhone’s facial recognition technology just by using a $150 mask. The cybersecurity firm posted a video on their official blog which showed that they had found a way to hack Face ID by using a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. Now given that Apple invested a bug sum to develop the infrared based specialized hardware to capture a 3D image of a person’s face, its dicey how it would compare to the 3-5MP cameras used at the time of enrolment.
Ankush Johar, Director at Infosec Ventures said, “2 factor is good but the face is a bad factor for authentication. Although adding an extra layer of security for Aadhar card holders seems to be a good initiative, adding facial recognition might not do much good as not only it isn’t too difficult to replicate as compared to other biometrics but also the major problem lies in the source of the images used as the authentication mechanism. The photographs captured nearly half a decade back with an extremely low resolution camera stands hardly any chance given that hackers were able to bypass even the 3D face model recognition developed by one of the biggest tech pioneers.”
The second problem is not only the security of facial recognition but the accessibility of the technology. Do you look like yourself on your passport? Nobody does. Why? Because the image is old and you have changed since the time it was captured. The biggest benefit of facial recognition is that you can change it while your physical attributes change and this sole feature isn’t available with UDAI’s mechanism. The base authentication token is pretty old and mainly one cannot update it.
This move by UIDAI, as great as it may be, might have just arrived too little too late. If originally the faces of the consumers had been captured with at least a high definition camera if not an infrared based 3D facial recognition system, deploying it as an authentication of Aadhaar had been much easier, secure and reliable.
A Security researcher alias Elliot Alderson has tweeted a serious security vulnerability in UIDAI’s mAadhaar app for Android devices. According to the researcher, the app is saving user sensitive data including the biometric data in a password protected the local database. The password for the database is generated using a random number “123456789 as seed” and a hardcoded string db_password_123 which remains same for every phone. Besides this, Elliot has also uploaded a proof-of-concept on Github to demonstrate the flaw. He made an application with the exact same code as it was written in the Aadhar app to prove that even if you run it multiple times, it will give you the same password over and over again instead of the randomised password the app is supposed to generate.
The researcher has stated that if a person is able to crack the password, he/she can access the entire Aadhar account details of the user. He further said that as per the documentation for the mAadhaar app, the app will store personal details and the user’s photo in their local database.
UIDAI has however confirmed that the app creates a local database with innocuous data like user preferences. Further, they said that since the app doesn’t ask for any biometric data, such data can’t be compromised.
Although the exploitability of this issue is pretty low, nonetheless, information as critical as Biometrics along with other PII is something that should not be exposed to even the slightest risk. Recently, with alleged leakage of Aadhaar details of over a billion citizens, hackers might already have access to every information printed on our Aadhar cards and can easily replicate it. Even though a person has replicated your Aadhar card, he/she will still need your Biometric info for authentication. If by any chance the hackers are able to gain the biometric data as well, then it will catastrophic. As the UP cloning fraud showed us that making a physical clone of the fingerprints is not too difficult, such leakage could do irreversible damage as you can change your passwords but you cannot change your fingerprints.
