Slide 1
Security through obscurity and fear
Abhinav Srivastava
Slide 2
Who am I?
IIT Kharagpur graduate (2009); started my career as a security researcher at iViZ Security
Founded Qarth Technologies in 2011 with government funding and incubation support at IIT Madras
Developed the first version of a secure UPI architecture in 2012
Startup acquired by Ola in 2016. Now working at Ola Innovation Labs on the connected cars platform
Slide 3
Why am I here?
Slide 4
What exactly happened?
An Android app was discovered on the Play Store that provided Aadhaar data via an OTP
The publisher of the app (my personal email) was not an authorised Aadhaar eKYC agency
FUD !!!
Slide 5
How was the app working?
The app used a publicly available API developed by NIC, the same API used in one of their own apps, eHospital
Slide 6
What was the security vulnerability?
No HTTPS
No SSL pinning in the eHospital app
No request and response payload encryption
Password stored in the Android app
No demographic validation and no rate limiting on the server
Basically an insecure public API, reachable from anywhere in the world, handing out Aadhaar details through an OTP
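The slide lists what the server side was missing: transport security, per-client credentials instead of a password baked into the APK, demographic validation before an OTP is issued, and rate limiting. The following is an added example, not code from the talk, NIC, eHospital or UIDAI, showing how a server-side gate for such an OTP-based lookup would enforce those controls. The request shape, the `RECORDS` directory, the `DEVICE_TOKENS` table and every value in them are constructed for illustration; client-side items (SSL pinning, payload encryption) are out of scope for a server-side snippet.

```python
"""Server-side gate for an OTP-based identity-lookup API (added example).

Hypothetical stand-in for the kind of endpoint the talk describes. It enforces
the controls the slide says were absent: TLS only, per-device tokens rather
than one shared password, demographic validation before any OTP goes out,
and per-device plus per-record rate limits. All data is constructed.
"""
from __future__ import annotations

import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample directory: record id -> demographics on file.
RECORDS = {
    "1234-5678-9012": {"name": "ASHA DEVI", "yob": "1985"},
    "9876-5432-1098": {"name": "RAVI KUMAR", "yob": "1990"},
}

# Constructed per-device tokens issued at enrolment. A single app-wide password
# shipped inside the APK would be recoverable by anyone who unpacks the app;
# a per-device token can be revoked individually.
DEVICE_TOKENS = {"device-A": "tok-a-secret", "device-B": "tok-b-secret"}


class FixedWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


@dataclass
class LookupGate:
    # 5 requests per minute per device; 3 attempts per hour against any one record.
    per_device: FixedWindowLimiter = field(default_factory=lambda: FixedWindowLimiter(5, 60.0))
    per_record: FixedWindowLimiter = field(default_factory=lambda: FixedWindowLimiter(3, 3600.0))

    def handle(self, req: dict, now: float) -> str:
        """Return a decision string; only 'otp_sent' results in an OTP being issued.

        `req` is a constructed request dict with keys: scheme, device_id, token,
        record_id, name, yob.
        """
        if req.get("scheme") != "https":
            return "reject_plaintext"           # credentials and PII must never go over plain HTTP
        expected = DEVICE_TOKENS.get(req.get("device_id", ""))
        if expected is None or not hmac.compare_digest(expected, req.get("token", "")):
            return "reject_auth"
        if not self.per_device.allow(req["device_id"], now):
            return "reject_rate_device"
        # Count every attempt against a record, successful or not, so a single
        # record cannot be hammered with demographic guesses.
        if not self.per_record.allow(req.get("record_id", ""), now):
            return "reject_rate_record"
        rec = RECORDS.get(req.get("record_id", ""))
        # Demographic validation: the caller must already hold name and year of
        # birth; a bare record id is not enough. Unknown id and mismatch return
        # the same answer so the response does not reveal which one failed.
        if (rec is None
                or rec["name"] != req.get("name", "").strip().upper()
                or rec["yob"] != req.get("yob")):
            return "reject_demographic"
        return "otp_sent"


def run_demo() -> list[str]:
    """Replay a constructed request sequence and return the gate's decisions."""
    gate = LookupGate()
    base = {"scheme": "https", "device_id": "device-A", "token": "tok-a-secret",
            "record_id": "1234-5678-9012", "name": "Asha Devi", "yob": "1985"}
    sequence = [
        (dict(base, scheme="http"), 0.0),   # plain HTTP
        (dict(base, token="wrong"), 0.0),   # bad device token
        (dict(base, yob="1986"), 0.0),      # demographics do not match
        (base, 1.0),                        # valid
        (base, 2.0),                        # valid
        (base, 3.0),                        # 4th attempt on this record in an hour
    ]
    return [gate.handle(r, t) for r, t in sequence]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The per-record limiter sits before the demographic check on purpose: if it only counted successful lookups, failed demographic guesses against one record would be bounded only by the per-device limit, which is exactly the gap a missing rate limit on the server leaves open.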
Slide 7
Why develop such an app?
Slide 8
Why develop such an app?
Fake Aadhaar is a serious problem
Need an easy way to validate an Aadhaar number
A simple Android app can empower citizens to verify an Aadhaar card in seconds
Never save the user's Aadhaar data in any form in the process.
Slide 9
Why was there hype?
Case tagged as a network security issue
Hyped up by the media as a national security breach
Nobody in the media or the police understood the technology behind the app
Overaggressive approach by police and judiciary: State vs Abhinav Srivastava
Slide 10
Key questions
Did the Aadhaar database get hacked? - NO
Was it a national security issue? - NO
Is the Aadhaar ecosystem secure? - NO
Is there any other security loophole? - MAYBE
Slide 11
Q & A