Security through obscurity and fear - PowerPoint Presentation

Uploaded by olivia-moreira (@olivia-moreira) on 2018-10-22

Abhinav Srivastava. Who am I: IIT Kharagpur graduate 2009, started career as a security researcher at iViZ Security; founded Qarth Technologies with Govt funding and incubation support at IIT Madras, 2011. ID: 692905



Presentation Transcript

Slide 1

Security through obscurity and fear

Abhinav Srivastava

Slide 2

Who am I?

IIT Kharagpur graduate 2009, started career as a security researcher at iViZ Security

Founded Qarth Technologies with Govt funding and incubation support at IIT Madras 2011

Developed first version of secure UPI architecture in 2012

Startup acquired by Ola in 2016. Now works at Ola Innovation Labs on the connected cars platform

Slide 3

Why am I here?

Slide 4

What exactly happened?

An Android app was discovered on the Play Store that provided Aadhaar data via an OTP

The publisher of the app (my personal email) was not an authorised Aadhaar eKYC agency

FUD !!!

Slide 5

How was the app working?

The app was using a publicly available API developed by NIC, which was used in one of their apps named eHospital

Slide 6

What was the security vulnerability?

No HTTPS

No SSL pinning in the eHospital app

No request and response payload encryption

Password stored in the Android app

No demographic validation and no rate limiting on the server

Basically, an insecure public API exposed to the whole world for providing Aadhaar details through an OTP
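The slide names two server-side controls that were missing: demographic validation and rate limiting. The following is an added example (not NIC's, eHospital's or the speaker's code) of what an OTP-gated lookup endpoint looks like with both in place. It also rejects malformed identifiers up front using the Verhoeff check digit that Aadhaar numbers carry. The in-memory record store, the limits, the response format and the reading of "demographic validation" as name-plus-year-of-birth matching are assumptions made for the demo, and every attempt, successful or not, counts against the limits.

```python
"""Server-side controls for an OTP-gated identity lookup API.

Added example, not NIC's, eHospital's or the speaker's code. It shows the
two server-side controls the slide says were missing: demographic
validation before anything is released, and rate limiting per identifier
and per client. The record store, the limits, the response format and the
reading of "demographic validation" as name-plus-year-of-birth matching are
all assumptions made for this demo.
"""
import time
from collections import defaultdict, deque
from typing import Optional

# Verhoeff multiplication (_D), permutation (_P) and inverse (_INV) tables.
# Aadhaar's twelfth digit is a Verhoeff check digit, so a malformed number
# can be rejected before it ever reaches the record store.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
_INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_valid(number: str) -> bool:
    """True if the last digit of `number` is a correct Verhoeff check digit."""
    if not number.isdigit():
        return False
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def verhoeff_check_digit(payload: str) -> int:
    """Check digit to append to `payload` (used here only to build sample data)."""
    c = 0
    for i, ch in enumerate(reversed(payload)):
        c = _D[c][_P[(i + 1) % 8][int(ch)]]
    return _INV[c]


class RateLimiter:
    """Sliding window: at most `limit` attempts per `window` seconds per key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)  # failed and successful attempts both consume budget
        return True


def mask_phone(phone: str) -> str:
    """Only the last four digits of the OTP destination are ever echoed back."""
    return "*" * (len(phone) - 4) + phone[-4:]


# Constructed sample record store (no real data); the number is built so
# that its check digit is valid.
_SAMPLE_PAYLOAD = "99988877766"
SAMPLE_NUMBER = _SAMPLE_PAYLOAD + str(verhoeff_check_digit(_SAMPLE_PAYLOAD))
RECORDS = {SAMPLE_NUMBER: {"name": "Test Person", "yob": 1990, "phone": "9876504321"}}


class LookupService:
    def __init__(self):
        self.per_client = RateLimiter(limit=10, window=60)    # per calling app / IP
        self.per_number = RateLimiter(limit=3, window=3600)   # per identifier

    def request_otp(self, client_id: str, number: str, name: str,
                    year_of_birth: int, now: Optional[float] = None) -> dict:
        if not self.per_client.allow(client_id, now):
            return {"ok": False, "reason": "client rate limit"}
        if len(number) != 12 or not verhoeff_valid(number):
            return {"ok": False, "reason": "malformed identifier"}
        if not self.per_number.allow(number, now):
            return {"ok": False, "reason": "identifier rate limit"}
        rec = RECORDS.get(number)
        # Demographic validation: the caller must already know matching details.
        # Unknown numbers and mismatches get the same answer so the endpoint
        # does not confirm which numbers exist.
        if (rec is None or rec["name"].casefold() != name.casefold()
                or rec["yob"] != year_of_birth):
            return {"ok": False, "reason": "details do not match"}
        return {"ok": True, "otp_sent_to": mask_phone(rec["phone"])}
```

The `now` parameter exists so the limiter can be exercised deterministically; in production it is left as `None` and the monotonic clock is used. The point of ordering the checks this way is that a caller who does not already hold matching demographic details gets nothing, and gets only a handful of tries per identifier to find out.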

Slide 7

Why develop such an app?

Slide 8

Why develop such an app?

Fake Aadhaar cards are a serious problem

Need an easy way to validate an Aadhaar number

A simple android app can empower the citizens to verify an Aadhaar Card in seconds

Never save user’s aadhaar data in any form in the process.

Slide 9

Why the hype?

Case tagged as a network security issue

Hyped up by media as national security breach

Nobody, neither media nor police, understood the technology behind the app

Over-aggressive approach by police and judiciary: State vs Abhinav Srivastava

Slide 10

Key questions

Did the Aadhaar database get hacked? NO

Was it a national security issue? NO

Is the Aadhaar ecosystem secure? NO

Is there any other security loophole? MAYBE

Slide 11

Q & A