
Alright folks, we have arrived at our last talk of the day. Thank you very much for sticking it out, because you are in for a treat. Biometrics are a thing, and what we have here is the challenge of securing Aadhaar, an interesting biometric database in India, and to talk about that we have Dolev Farhi. Thank you, please give it up for Dolev.

There's actually a nice picture of the Taj Mahal, but you can't see it for some reason. So first I would like to acknowledge the volunteers and the organizers; you guys do amazing things every year, it's just getting better and better, so thank you.

Just before I start, I want to talk about the idea of a biometric database in general. This talk is not about whether the idea is good or bad; it's about an existing system and how it functions today, rather than "a biometric database is a shitty idea". That's not what I'm going to be talking about. This is a serious system that is ongoing and there are a lot of issues around it, so that's what I'm going to be discussing.

So my name is Dolev. I'm a security engineer at a large Indian fintech company. In the past I used to work for F5 and CyberArk. I moved to Toronto three and a half years ago from Israel. Some of you may know me from DC416. Occasionally I do IoT research for McAfee, and the shameless plug: I'll be releasing a book at SecTor in a few days; if you have an opportunity to be there, we'll have free copies for everybody.

So the presentation goes like this: I'm going to be talking a little bit about India in general, then we're going to move on to an Aadhaar introduction, the ecosystem, and Aadhaar security.

So India is a very special place. I've been in India twice; I've never seen anything like it before. Best drivers in the world. The best drivers in the world live in India. So let's talk about the demographics. The reason why they're so good is because today there are 1.35 billion people in India. It's a mind-blowing number. Next, by 2028 it's estimated to go above 1.45 billion people and to surpass China, and by 2050 it's going to go north of 1.7 billion people. The reason why I said it's India, and how India has the best drivers, is because it looks like this, and there are zero accidents. Zero accidents, I'm not kidding.

India is one of the fastest developing countries in the world today, which basically will allow you to understand why Aadhaar is such a big thing and why India is actually a digital pioneer in that space as well. So, pop quiz: out of 1.35 billion people, how many do you think have internet access today? Guesses? You can guess. Seventy percent? Twenty percent? Twenty percent, okay. So around forty percent, around 520 million people. It's a large number, but it's still only around forty percent, so not a lot of people have internet access in India today. You know, it's trivial for us to have internet, but in many other cases around the world it's not the case. So internet is a fundamental thing for us, but not over there.

But there is a more fundamental problem other than internet access. The problem is that the biggest barrier preventing the poor in India from getting benefits is proving their identity. So some people in India just don't have documents. Can you imagine not being able to prove who you are? It's crazy thinking about it. So not everyone has a passport in India, a driver's license, or even a birth certificate. So India needed a solution, and as I mentioned before, India wants to be a digital pioneer, so the Indian government launched a campaign called Digital India back in 2015, and it has three simple goals: connect rural areas to the internet; bring all front-end government services online, meaning that you can do everything online, you don't have to go anywhere (India is a big country, a lot of rural areas, it's very difficult for people to get to places); and lastly, create opportunities for citizens. So if you have internet access you have access to knowledge, you have easier access to certain services that the government provides, and so on.

So how is this related to Aadhaar? If you take the fact that some Indians have a hard time proving who they are and don't have any documents at all, they decided that maybe a biometric database is a good idea. So that's where Aadhaar comes into place. Aadhaar was actually there way before the Digital India campaign started; it was already accumulating more and more members, but the Digital India campaign actually gave it a boost.

So what is Aadhaar? It doesn't stand for anything; it means "foundation" in multiple Indian languages. I believe it's in Hindi, Sanskrit, and maybe other languages; there are around 22, I think, official Indian languages. So it stands for foundation, but it's more than just a word. It's a 12-digit random number linked to a resident's biometric identity. But it's not only a number, it's an entire ecosystem, a very complex system that is functioning today with a lot of components involved in the authentication part of it and the enrollment part of it, which I'll get to in a few seconds. And one thing that is extremely important for you to know is that it's governed by one entity called UIDAI, which stands for Unique Identification Authority of India. It's a little difficult to say five letters every time, because I'm going to be referencing UIDAI multiple times, so I might just say UIDAI, maybe I'll say "the Aadhaar database", just so you know it's governed by one entity, which is also a problem. So today UIDAI are the only ones who can sue people for mishandling and misusing Aadhaar data. You as a citizen cannot sue a company or sue the government for mishandling your data if somebody leaked it or anything else like that; UIDAI are the ones who can do this. And another thing that is important to know about Aadhaar is that it's used as a proof of residence rather than proof of citizenship.

So what are the goals? Basically, to allow easier access to public and private sector services and enhance delivery of welfare benefits. This is done by a thing called direct benefit transfer: if you have Aadhaar you can get government benefits directly to your bank account. Accelerate the passport issuing process: something that is very trivial for us can take a relatively long time; with Aadhaar it accelerates that process, it can take a shorter time. And it helps identifying individuals, like, duh, of course, but it's more geared towards natural disasters, criminal cases and things like that, so identifying for the purpose of a safer India. It prevents the need to resubmit documents to the government: so when you enroll in different services in India you have to come up with different documents every time; it's a pain for people who have difficulties getting those documents and proving who they are every single time they need to enroll in some kind of service. And it prevents fraudulent subsidy claims: so in the past people used to resubmit claims over and over again in order to extract money from the government; with Aadhaar it makes it a little more complex. And it allows for inclusion; that's a big thing. So UIDAI, or Aadhaar in general, the idea of it is to include all citizens and allow equal rights for everybody: whether you have money or you don't have money, you will be able to enroll in services just for being an Indian resident. So the goal is to allow everybody to use that system. It claims to be a zero-knowledge system, meaning that they have no idea what you're doing, who you authenticate with and so on, so they claim that they don't have a way to profile you.

So let's talk about the ecosystem and architecture. There are two components to Aadhaar: there's the enrollment part, which is what I'm going to be talking about right now, how you get into the system, and there's the authentication part, which I'll talk about in a bit. So one day you decide that today is a good day to enroll in Aadhaar. The first step is making a decision: this is what I want to do, I want better benefits for myself, easier access, let's enroll. The second phase is you go to an enrollment agency. Aadhaar enrollment agencies are all over India these days, and they take your name, your date of birth, your gender, your address, your photo, two iris scans and ten fingerprints. This is mandatory if you enroll in Aadhaar; it's not optional. The only things that are optional are email and phone number, but you will need a phone number down the road anyway. And then from the enrollment agency your data goes, and it can go through two routes: one is by the enrollment agency sending that data to a post office on encrypted disks or through SFTP, and the second option is using a registrar that is basically authorized by UIDAI to get that data from you to the database, and that information goes upstream to UIDAI's enrollment service. Once the data is there, it goes through the de-duplication process, meaning: do I know this record, have I seen it before? If not, it goes through a couple of integrity checks; if everything is good, you get a 12-digit number and you get a letter delivered to your home with all the information you need to know about Aadhaar. At the end of this process you end up with an Aadhaar card and an e-Aadhaar, which is a PDF digital version of Aadhaar. But it defeats the purpose, in the way that Aadhaar wants to eliminate paper in general, it's a paperless system; but because people use it as a proof of identity, they decided that they will also grant physical cards.

Quick note on it: e-Aadhaar is a password-protected PDF. If your name is John Doe and you were born in 2018, your password is John 2018. That's a big problem because of the leaks. Another interesting article, I'll have a reference link in the references at the end of the presentation: somebody made, basically, the age groups of India. I think 0 to 14 is about... I remember most of the country is around 15 to 64 in age. So it's easy to brute-force the passwords, also because some of the names are very common in India, and that's a big problem.

Another problem is with the enrollment process. So if we look at this, there's a problem that enrollment agencies get paid for every single successful enrollment. That means they are motivated to get some information, whether it's a real person or not, into the database. So fifty thousand enrollment agencies have been blacklisted since Aadhaar's inception, no joke, and the fines are around ten thousand rupees. I can't remember what a rupee is converted to Canadian dollars, but it's not a lot, and I think they get banned for about four or five years. So what were they banned for? They were banned for selling Aadhaar for as little as two rupees, fraudulent enrollments, and submission of fake documents. So they would come up with fake documents and just submit them, and maybe that entry was not in the database, it enrolled successfully, they got money. Today there are 23,000 enrollment agencies registered, but only 880 are active.

So this is the enrollment part. Let's talk about the authentication part. So there are four players in the Aadhaar ecosystem: there's the client, which is you, the resident; there is the service provider, which can be a bank, can be a telco; there's a proxy; and there is UIDAI. So every time you want to authenticate to a service, this is the flow of the information. So let's say that you want to open a bank account: you go to your bank, you authenticate with your Aadhaar. So for example you can do an OTP authentication: you provide them the Aadhaar number, you get an SMS, and you go through an authentication process. So the way UIDAI made it is that they will have authorized proxies getting that information from the service providers, which can be private companies as well, and they will be able to streamline all the authentication requests by saying, okay, I trust these 30-something proxies; there are some detailed mitigations there, and also a way to control all the information that they get. So this is the basic flow. Now, it looks simple, right? There are only four players, but not really. There are billions of users, there are 317 service providers registered today, and there are 31 proxies. That means the information goes to many places; some service providers work with multiple proxies, so your information can be anywhere in this picture.

So let's talk about the authentication statistics. It's a lot of information, a lot of volume of requests: daily, between 18 million and 34 million authentications a day. Now, an authentication means you enroll in some service, so that's a lot of data, a lot of information; a lot of companies have Aadhaar data. It's not just about it being in a database somewhere.

So let's talk about some of the Aadhaar security. The problem, like I mentioned, is that Aadhaar traverses many paths until it actually reaches the end database. So over 200 government websites so far leaked Aadhaar data; the largest one was, I think, 131 million records. But I wanted to check how bad it really is when it comes to security. So what I did was asking myself: can it really be that bad? So this was my plan. Phase 1: find all of India's government websites. There is a convenient way of doing this: there is a website called the GOI directory, the Government of India directory; it has all the government websites that they have to offer. Phase 2: scrape the website. Phase 3: getting those websites... sorry, I jumped to phase 3. Scraping resulted in 6,300 domains; there were actually over 9,000 (not the catchphrase from Dragon Ball Z), there were over 9,000 domains, but only 6,300 were responsive. Phase 3: fingerprint all the websites. I wanted to know exactly what's in there. So this is how it goes: 1,600 FTP servers, 771 SSH servers, 192 RDP servers, 6,100 web servers, 123 SMB, ironically 23 telnet, 1,050 MySQL servers and almost 1,300 DNS servers. At some point I need to go to India. So I decided only to focus on the web and get some understanding of what those websites are and how they look, what they offer and things like that.

I want to ask: so I was sitting at home preparing this presentation, and I was asking myself, maybe you guys think the same way: if a website has a design from the 90s, does that mean necessarily that the security will be bad? Yes or no? No? Yes? How many yes, how many no? Okay. So if user interface is any indication of the level of security, it's not good. It's not good. This is not like an exception; there are many like this. I'm with those who raised their hands when... yeah, the "under construction" logo. Yeah, I'm with those who think that design from the 90s probably means that security is not practiced really well.

So what did I find? Defaced government websites: there are defacement pages still there; publicly open administration panels; vulnerable services (we all know that those happen); directory listings with sensitive data; indexed CSVs and PDFs of Aadhaar data, including those e-Aadhaar that I mentioned. Now, if you take into consideration there are 1.3-something billion Indians and the age group is from 15 to 65, brute forcing is not a big deal, and Google dorking for Aadhaar cards will return really scary results. So 15 percent of the websites use only HTTP; 55 percent of those who have HTTPS never redirect to HTTPS in the first place; 58 percent, sorry, 50 percent of the websites don't use any kind of security headers; 90 percent of the WordPress instances are on a vulnerable version. One thing that is important to mention: this is not UIDAI. This is not the authority that hosts all that information. It's incredibly important to understand this. A lot of Indian government entities use Aadhaar data and can potentially leak that data. So, as far as I know, as far as my research has gone, I could not find a reference that shows UIDAI leaked Aadhaar data directly. I could not find this. But that doesn't mean that it's okay to leak data if it didn't come from the root source.

So the next thing that I checked is the SSL certificate issuers. 43 percent Let's Encrypt. What's interesting is the 5 percent self-signed: so 5 percent of six thousand websites, that's three hundred, yeah, three hundred websites use self-signed certificates publicly. GoDaddy 7 percent, GeoTrust 6 percent, Entrust 10 percent, cPanel, which I didn't even know was a CA, 14 percent, Comodo 15 percent.

So let's talk about UIDAI in general. Why is Aadhaar such a discussed topic? So there's some confusion between the fact that Aadhaar data is all over the internet and whether UIDAI was breached. There was no proof of that, but UIDAI is basically using boolean statements: "we are secure", that's it. So on their website there's an FAQ. The first thing that you see, or at least one of the top five that you see, is a question: "Is it true, we keep on hearing in media, that Aadhaar data was breached?" "Aadhaar database has never been breached during the last seven years of its existence. Stories around a data breach are mostly cases of misreporting. Aadhaar data is fully safe and secure at UIDAI." And that's the part I highlighted, because that's the key here: it may be safe there, I don't know, but it's not safe all the way there. So there are a lot of players that have that data, and obviously it doesn't seem like security is being practiced really well. So as long as it doesn't come from UIDAI, it seems like it's not a big problem, or at least they're dismissing any kind of reports about Aadhaar leaks because nobody proved that it came from them. And I mentioned at the beginning that they're the only ones who can sue people or sue companies for mishandling the data, and that's a problem for the citizen.

So how many people actually have Aadhaar? So there are 1.35 billion Indians; around 1.2 billion have Aadhaar, or are enrolled in Aadhaar today. So this is the enrollment trend: every month there are around 3.2 million new people who are enrolled; January had around 7 million; so it's still growing. So you must be asking yourself: Aadhaar must be mandatory if you have so many people who are enrolled? No, it's not mandatory. But how is it possible? How did they get so many people into the database when there's so much noise going on around privacy concerns and security concerns? So it's not mandatory, but good luck opting out: no tax returns, no government benefits, no loans, no mutual funds, no insurance, no scholarships, no SIM card. There are a couple of asterisks there, and the reason why this is in red is because this is a still ongoing thing. Until two days ago banks could ask you to link Aadhaar to the bank account; today they can no longer do it. So there are still discussions happening in the Supreme Court of India about de-linking Aadhaar, at least allowing people to enroll in services without the need for Aadhaar. So they managed to do that for, I think, the banks maybe, but in other places you still have to link the Aadhaar to whatever service you are enrolling in.

So how is this possible in the first place, where you have so many people enrolled, so many problems, and suddenly everything is linked to Aadhaar, but it's not mandatory? So how the hell did this happen? And my thought on this is this: the salami technique is rolling out a service with a serious impact extremely slowly, so that the people who are impacted are not going to notice, and by the time they notice it's going to be way too late. It's a really dumbed-down version of what the salami technique is, but it shows you that something can start and you won't realize, and it's going to be all over the place. And I think that's one of the concerns of a biometric database in general: more and more services are going to use that, and you will have to be on a database.

So what are some of the problems with biometric databases? People are afraid of being profiled: if they are not, in fact, a zero-knowledge system, then they know exactly who is authenticating, or who is asking for your data, or to prove who you are, and then they can profile you. Okay, you want to enroll for a bank account, okay, we know that; now you talk to this bank and that bank, so they can build a profile around you and understand your path, or what you're doing in your day to day. So there's a privacy concern there, obviously. And also having everything in one single database of 1.22 billion records with biometric data is a concern, for good reasons.

So the bottom line is: Aadhaar security depends heavily on the links. Supply-chain problems are everywhere, and it seems that as long as it's not a direct UIDAI leak, there will probably be no concrete steps taken to ensure that nothing leaks, or at least that people can be held accountable for misusing Aadhaar data. I think that's it for me. I think we have time for questions, right? Do we? Yeah, cool. Any questions?

Yeah, so, very good question. So usually the companies that enroll... so the authentication part does not require... companies don't have, or shouldn't have, your biometric data, but cards and scans of cards and the PDFs have been leaked, and those have your information in general. Yeah. Sorry, can you repeat the question?
Yep.
I don't... I can remember it being mentioned as, like, an attack vector, at least in the Aadhaar case. Maybe one of the things that they actually found was the service provider replaying authentication on behalf of the user without them knowing. Yeah. In what? Oh, I only know about one case that happened. Maybe here? Not that I'm aware. They know that I'm... or, yeah. So one of the things that, if you're on Twitter, you will see a lot of Aadhaar debates; one of the things that keeps being mentioned is the use of, like, insecure apps and things like that, but there's no concrete information that it leaks from the main database, but they believe that it happened, they're just not willing to acknowledge it. Yeah.
So, yeah, it's a good question. So you come up with a couple of documents that you should have, but at the end of the day they scan you, and if the record is not there, you will be on the database. You can try, yeah.
Mm-hmm.
Hmm.
Yeah, that's true.
It's taking responsibility; it's a problem of taking responsibility on the process.
Yeah, there's a problem throughout the process in general. There was one, like, recent case where somebody managed to bypass, like, operator security protections, and he could, or at least he mentioned that he could, enroll freely, and then UIDAI rejected that, saying, hey, the integrity checks failed in the back end; maybe on the client side you received "successful", yeah, you enrolled successfully, but in the database that didn't happen. Again, it's a matter of: we don't really have enough understanding of what's happening in the back end, so it's all a lot of assumptions. Yeah, I read a lot, yeah.
Mm-hmm.
Mm-hmm.
Yep, PAN card, yeah.
I think it's both. Any question? Yeah, that's a really good question. I don't know the reason behind it; it seems extremely weird, but there are 23K registered and only 800 of them are active. But also consider the fact that there are already 1.22 billion people in Aadhaar, yeah.
Which part? So the enrollment agencies, those are private; they are contracted by UIDAI to do the enrollment. The authentication part: so for the authentication part you need a license to be part of the authentication in general, so the proxies need a proxy license; they are called ASAs. I changed some... there are a lot of acronyms around Aadhaar; I tried to narrow it down to only what you actually need to know to understand the concept, but there is a thing called the ASA, which is the proxy, and there's the Authentication User Agency, which is the service provider. They all need a license, so you can't just easily introduce a malicious component, at least not... that's not what I think you can do. Like, the service providers are private sector, some of them, yeah, and yet, yeah.
Yeah, that's one of the concerns, actually, that the service providers are sharing that information to profile you; that's one of the unknowns. Any other questions? Yeah. Great question. So one of the things that UIDAI mentions in there, there's, like, the Aadhaar Act, is you need to be secure, but they don't mention any kind of, like, how. So it's: okay, I'll be secure, thank you. Yeah. Yeah, sorry, yeah, can you repeat that? That's why we're here. It's a very good question, and I think if only the entity that governs Aadhaar can sue people, that's a really big problem, because nobody can be held accountable for anything. Yeah.
Yeah, so they have been patching some of the fundamental problems. For example, the other ID: they created something called a virtual ID that is, like, a temporary number linked to your Aadhaar ID that you can revoke, kind of. So they are doing some things; in terms of security architecture it's pretty impressive, but again, if the leaks are coming from elsewhere, then that's a big problem. Cool, thank you very much. Thank you. Thank you.

Alright folks, we are at closing ceremonies now. I'd like to thank you all for sticking around today, and even those of you running for the door.
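Editor's added example (not part of the talk, and not UIDAI's or the speaker's code): the talk says the e-Aadhaar PDF password is the holder's name plus birth year, that most of the population falls in the 15 to 64 age band, and that common names make it easy to brute-force. The code below makes that concrete by enumerating the password space and driving a brute-force attempt through any "try this password" callback. Assumptions made here, not stated in the talk: the password format is the first four letters of the name in upper case followed by the four-digit birth year (e.g. JOHN2018), the name list is a constructed sample, and the reference year is 2018. The target password in the demo is constructed; no real document is used.

```python
"""Editor's added example: size of the assumed e-Aadhaar PDF password space
(first four letters of the name, upper-cased, plus four-digit birth year) and
a brute-force driver that plugs into any PDF-decrypt callback."""
from itertools import product
from typing import Callable, Iterable, Iterator, Optional, Tuple

# Constructed sample of common given names (assumption for illustration; a real
# wordlist would be far longer, which only widens the point being made).
COMMON_NAMES = ["Rahul", "Priya", "Amit", "Sunita", "Ravi", "Anita", "Deepak", "Neha",
                "Sanjay", "Pooja", "Vijay", "Kavita", "Ram", "Sita", "Raj", "Anu"]


def name_prefix(name: str) -> str:
    """Assumed rule: first four alphabetic characters, upper-cased.
    Names shorter than four letters keep their full length ('Ram' -> 'RAM')."""
    letters = "".join(ch for ch in name if ch.isalpha())
    return letters[:4].upper()


def birth_years(reference_year: int, min_age: int = 15, max_age: int = 64) -> range:
    """Birth years for the 15..64 age band the talk cites, inclusive."""
    return range(reference_year - max_age, reference_year - min_age + 1)


def candidates(names: Iterable[str], years: Iterable[int]) -> Iterator[str]:
    """Every PREFIX+YYYY string, with prefixes de-duplicated so that names
    sharing a prefix are not tried twice."""
    prefixes = sorted({name_prefix(n) for n in names})
    for prefix, year in product(prefixes, years):
        yield f"{prefix}{year}"


def keyspace_size(names: Iterable[str], years: Iterable[int]) -> int:
    return len({name_prefix(n) for n in names}) * len(list(years))


def brute_force(try_password: Callable[[str], bool],
                names: Iterable[str], years: Iterable[int]) -> Optional[str]:
    """Return the first candidate accepted by try_password, else None.
    try_password wraps whatever PDF library is in use; with PyPDF2 (assumed
    API: PdfReader.decrypt returns a non-zero PasswordType on success) that is
        reader = PdfReader("document.pdf")
        brute_force(lambda pw: reader.decrypt(pw) > 0, names, years)"""
    for pw in candidates(names, years):
        if try_password(pw):
            return pw
    return None


class CountingOracle:
    """Stand-in for a PDF decrypt call against a constructed target password;
    counts attempts so the cost of the search is visible."""
    def __init__(self, secret: str) -> None:
        self.secret = secret
        self.attempts = 0

    def __call__(self, pw: str) -> bool:
        self.attempts += 1
        return pw == self.secret


def demo(reference_year: int = 2018, secret: str = "PRIY1990") -> Tuple[int, Optional[str], int]:
    """Return (keyspace size, recovered password or None, attempts used)."""
    years = birth_years(reference_year)
    oracle = CountingOracle(secret)
    found = brute_force(oracle, COMMON_NAMES, years)
    return keyspace_size(COMMON_NAMES, years), found, oracle.attempts


if __name__ == "__main__":
    size, found, attempts = demo()
    print(f"keyspace: {size} candidates; recovered {found!r} after {attempts} attempts")
```

With 16 name prefixes and 50 birth years the whole space is 800 strings, which a PDF library opens in seconds; a realistic name list of a few thousand entries is still only a few hundred thousand tries per document.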
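Editor's added example (not part of the talk, and not the speaker's scanner): the survey numbers in the talk (sites that are HTTP only, HTTPS sites whose HTTP endpoint never redirects, sites with no security headers, self-signed certificates) come from per-host checks like the ones below, written here over constructed observations so they run offline. The `Observation` record layout, the set of headers counted as "security headers", the sample hosts (`site-a.example` and so on) and the self-signed heuristic (issuer equals subject) are all assumptions of this example.

```python
"""Editor's added example: classify scanner observations the way the talk's
survey statistics do, over constructed sample data (no live scanning)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Headers whose presence counts as "some security header" (assumed set).
SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options")
REDIRECT_CODES = (301, 302, 307, 308)


@dataclass
class Observation:
    """What a scanner records per host: the plain-HTTP probe and the HTTPS probe."""
    host: str
    http_status: Optional[int]                 # None: nothing answered on port 80
    http_location: Optional[str] = None        # Location header of the HTTP reply
    https_status: Optional[int] = None         # None: nothing answered on port 443
    https_headers: Dict[str, str] = field(default_factory=dict)
    cert_issuer: Optional[str] = None          # issuer CN from the TLS certificate
    cert_subject: Optional[str] = None         # subject CN from the TLS certificate


def audit(o: Observation) -> List[str]:
    """Return the findings for one host."""
    findings: List[str] = []
    if o.https_status is None:
        if o.http_status is not None:
            findings.append("http-only")
        return findings                        # no TLS endpoint, nothing more to check
    redirected = (o.http_status in REDIRECT_CODES
                  and (o.http_location or "").lower().startswith("https://"))
    if o.http_status is not None and not redirected:
        findings.append("no-https-redirect")   # HTTPS exists but HTTP stays in clear
    present = {k.lower() for k in o.https_headers}
    if not present.intersection(SECURITY_HEADERS):
        findings.append("no-security-headers")
    if o.cert_issuer and o.cert_subject and o.cert_issuer == o.cert_subject:
        findings.append("self-signed-cert")    # heuristic: leaf signed by itself
    return findings


def summarize(observations: Iterable[Observation]) -> Dict[str, int]:
    """Aggregate counts, keeping the HTTPS-host denominator the talk uses for
    the 'never redirects' figure."""
    counts: Counter = Counter()
    hosts = https_hosts = 0
    for o in observations:
        hosts += 1
        if o.https_status is not None:
            https_hosts += 1
        counts.update(audit(o))
    return {"hosts": hosts, "https_hosts": https_hosts, **counts}


def percent(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


# Constructed sample observations (assumption for the example).
SAMPLE = [
    Observation("site-a.example", http_status=200),
    Observation("site-b.example", http_status=200, https_status=200,
                https_headers={"Server": "Apache"},
                cert_issuer="Example CA", cert_subject="site-b.example"),
    Observation("site-c.example", http_status=301, http_location="https://site-c.example/",
                https_status=200, https_headers={"Strict-Transport-Security": "max-age=31536000"},
                cert_issuer="Example CA", cert_subject="site-c.example"),
    Observation("site-d.example", http_status=None, https_status=200,
                cert_issuer="site-d.example", cert_subject="site-d.example"),
]

if __name__ == "__main__":
    for o in SAMPLE:
        print(o.host, audit(o))
    s = summarize(SAMPLE)
    print(s)
    print("HTTP only:", percent(s.get("http-only", 0), s["hosts"]), "% of hosts")
    print("no redirect:", percent(s.get("no-https-redirect", 0), s["https_hosts"]), "% of HTTPS hosts")
```

The denominators matter when reading figures like the talk's: "55 percent never redirect" is a share of the hosts that have HTTPS at all, while "15 percent HTTP only" is a share of every responsive host, which is why `summarize` tracks both.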