• Associate Sponsor

IIT Kharagpur graduate hacked Aadhaar data through Digital India app: Police

The complaint to the police stated said that Srivastava had accessed UIDAI data without authorisation between January 1 and July 26 for an app called ‘eKYC Verification’.

Written by Johnson TA | Bengaluru | Updated: August 4, 2017 9:38 am
aadhaar card, aadhar issues, aadhar supreme court, aadhaar privacy matter, india news, indian express news “As a highly qualified technical expert, Srivastava had a deep interest in developing Android mobile apps. He developed the Aadhaar e-KYC verification mobile application in January 2017 and earned about Rs 40,000 from advertisements,’’ Bengaluru Police Commissioner T Suneel Kumar said on Wednesday.

An IIT Kharagpur graduate who has been accused of hacking into the central identities data repository of the Unique Identification Development Authority of India’s (UIDAI) Aadhaar project gained access to the repository through the Digital India e-hospital initiative of the Ministry of Electronics and Information Technology, police investigation has revealed. Bengaluru Police on Thursday formally announced the arrest of Abhinav Srivastava — a 31-year-old hailing from Uttar Pradesh — in connection with a complaint of unauthorised access of the central identities data repository filed by the UIDAI on July 26.

The complaint to the police stated said that Srivastava had accessed UIDAI data without authorisation between January 1 and July 26 for an app called ‘eKYC Verification’. The app delivered demographic data like name, address, phone number of individuals from the central identities data depository of Aadhaar to authenticate unique identity numbers. It was placed on Google Play Store with the claim that it was developed by an entity called myGov linked to the start-up Qarth Technologies, which had been acquired by the taxi hailing service Ola in 2016.

Investigations by the police cyber crime unit since the detention of the software engineer revealed that Srivastava hacked into the Aadhaar-enabled e-hospital system created under the Digital India project of the Government of India to access the central identities data repository of UIDAI for verification of Aadhaar numbers for his ‘eKYC Verification’ app.

“As a highly qualified technical expert, Srivastava had a deep interest in developing Android mobile apps. He developed the Aadhaar e-KYC verification mobile application in January 2017 and earned about Rs 40,000 from advertisements,’’ Bengaluru Police Commissioner T Suneel Kumar said on Wednesday. “The accused accessed UIDAI data through the e-hospital application and its server. He provided Aadhaar information to people through the app.’’

“He managed to hack into the server of the e-hospital system and, using this system, he used to send verification requests to the UIDAI database for his own app. The UIDAI system allowed access under the impression that the authentication requests were coming from the e-hospital system and it was not apparent that the query was unauthorised,’’ a police source said.

At the time of his arrest, Srivastava was employed with Ola after the start-up Qarth Technologies he created, with a IIT Kharagpur batchmate Prerit Srivastava, was acquired by Ola in March 2016 in order to take over an e-wallet app called X-pay developed by the start-up. Srivastava was earning Rs 40 lakh a year at Ola, Kumar said. The source said, “He has developed as many as five mobile apps. We are investigating if the eKYC Verification app he developed was used in any form by Ola. The app was used by around 50,000 people after it was placed on Google Play Store.”

Police sources said they were also probing if Srivastava had been aided by anyone in hacking into the e-hospital system. The e-hospital system was created by the government to allow people to make electronic appointments in government hospitals. It has been used in three hospitals in New Delhi — AIIMS, Dr Ram Manohar Lohia Hospital and Safdarjung Hospital.

The e-hospital app, which is hosted on the cloud services of NIC, facilitates online appointments at hospitals “using eKYC data of Aadhaar number, the if patient’s mobile number is registered with UIDAI. In case the mobile number is not registered, it uses the patient’s name”. Srivastava’s eKYC Verification app mimicked the e-hospital app in accessing the identity authentication services of UIDAI.

For all the latest India News, download Indian Express App

  1. P
    Priyank
    Aug 7, 2017 at 2:24 pm
    Just shows how unsafe Aadhar card is which can hacked by an IIT graduate and the stupid gov seems to be forcing it upon the citizens by linking it to every gov and non-gov service.
    (1)(0)
    Reply
    1. C
      CyberNinja
      Aug 4, 2017 at 8:39 pm
      esme konsi badi baat hai digital india app ko unpack karke koi v uska resourse study karke directly attack kar sakta hai adhar k server se koi v info fetch kar sakta h kyuki india ki tech bhut piche h unko encryption kya hota h pata hi nahi h
      (2)(0)
      Reply
      1. P
        Priyank
        Aug 7, 2017 at 2:30 pm
        Thanks. I'll decompile the app straight away
        (1)(0)
        Reply
      2. S
        Shibu.P
        Aug 4, 2017 at 5:19 pm
        Aadhar is a very initiative, like the social security number of the US. I fully agree with it and support it. I will say that no data is not safe, if we have the right minds then any data can be accessed. Now the trick is to stay ahead, we should use our IIT minds to help us protect our data. I am sure there are smarter IIT minds out there who can help us build a better and safer firewall, we are not using our IIT minds, and we are just giving the smart brains to US for them to develop their country. I guess the political leaders don't want our people to progress so they can still get votes saying the same thing said in 1947 "mere pyaare kissan bhaiyoo....." (come on guys how many leaders have come and gone, and those kissan bhai is still saying "mera number ayaga"). Dear leader bhai, you have not reached the kissan bhai, you were trying to reach in 1947 yet. Please let the smart people handle the digital India, IIT and IISc have the best brains in the world.
        (1)(0)
        Reply
        1. E
          EVM SELECTED FEKU
          Aug 4, 2017 at 4:50 pm
          in same way feku and govt is EVM selected and not peoples mandate
          (1)(0)
          Reply
          1. T
            taxpayer
            Aug 4, 2017 at 1:51 pm
            Without proper security measures to the vital data, government has hurriedly linked Aadhaar to PAN, phone number, GST, bank account etc. Now - the supreme court must hang all those responsible for not providing the required level of safety to this vital data. Tomorrow, the same thing may happen even to national security data and banking systems. Of late - IITians are causing more damage to the nation and society than anti-nationals, anti-humans and terrorists. For this reason, ancient Indians did not give knowledge to every TOM- and Harry. They gave knowledge only to those having worthiness of possessing it, and using it for a common cause.
            (1)(0)
            Reply
            1. Load More Comments