Threat Watch

Somdev Sangwan

A hacker has already figured out a way to compromise India’s Aadhaar system after the head of the Telecom Regulatory Authority of India challenged anyone to compromise the system.  The user who posted the data goes by the name Somdev Sangwan, and posted a blog online explaining how the time to compromise most passwords to the system could be accomplished within 3 seconds, theoretically.  He explains that to log into the system you use your Aadhaar number and a password.  The passwords are locked in as the first four letters of your name in uppercase and the year of your birth.  This means that if you have a person’s Aadhaar number you could very easily figure out their password by learning how old they are.  Assuming that you do not have a specific person in mind and just simply want to compromise as many accounts as possible, Sangwan has figured out that the number of possible combinations is over 282 billion possibilities for each password–which would take over 90 years to crack if 100 combinations are tried each second.  Sangwan was able to shorten that time by removing years that were clearly not possible, breaking the password into 2 parts, and utilizing the most popular names by religion and popularity, to just 1.73 seconds per password theoretically.  While the speed of Sangwan’s system has not yet been tested, the fact the passwords are fixed and are made with only the first four letter of the user’s name and their year of birth shows that the system is extremely vulnerable to being compromised by criminals with minimal research and social engineering skills.  While the Indian government was hoping to show that they could create a secure system by challenging hackers to compromise the Aadhaar system, this post has served to do the exact opposite.

ANALYST NOTES