The ‘inside jobs’

Last week, The Tribune reported that one of its journalists carried out a “sting” operation by accepting an offer that was promoting a service being offered by anonymous sellers over WhatsApp. The offer provided unrestricted access to details for any of the approximately 1.12 billion Aadhaar numbers created in India thus far.

Rachna Khaira, the journalist from the newspaper, claimed in a news article that all it took was Rs500 paid through Paytm, and a 10-minute wait for a representative of the group running the racket to create a “gateway” for her and to give her a login ID and password to the gateway. Once she was on the gateway, she could enter any Aadhaar number in the gateway’s portal, and instantly get all particulars that an individual may have submitted to the Unique Identification Authority of India (UIDAI) for the issuance of his/her Aadhaar card, including the individual’s name, address, postal code, photo, phone number and email. She also claimed that The Tribune team paid an additional Rs300 for the agent to provide “software” that could print the Aadhaar card after entering the Aadhaar number of any individual.

In response, UIDAI clarified that there had been no “breach” of citizens’ data and that the reported case was actually an instance of misuse of its grievance redressal facility. Further, UIDAI said it maintains complete logs of the use of its database; so it has identified the culprits and lodged a first information report against the persons involved, including the journalist. UIDAI also clarified that this was not a breach per se, since it appeared that people who had legitimate access to the data were selling it illegitimately.

In my simplistic understanding of this incident, it seems to me that what UIDAI is saying here is that there wasn’t really a burglary through breaking and entering, but that this was an “inside job” instead. I don’t know about you, but I would certainly be miffed if someone had stolen something from me that I had given a trusted third party to hold for me securely; making a distinction between a thief from the outside and a thief from the inside would be of scant comfort.

Troubling as last week’s news about this “security flaw” may seem, there was even more ominous news last week about internal security problems that affect a larger swathe of the world’s population. New reports say that a team of security analysts from Google Inc. had found that there were two major security flaws in the design of the central processor units (CPUs) which are found at the heart of a majority of the world’s computers, tablets and smartphones sold over the last 20 years. 

The CPU is the innermost core of any computing device; it is the “chip” that powers your machine and is essentially the brains of the machine. Whenever you do anything with your machine— whether it is typing this column like I am, or running an app or programme, or speaking to your mobile phone’s voice recognition intelligent assistant—you are sending a series of commands to the CPU to execute on your device, and possibly to also communicate with other devices over the internet. This is as deep as an “inside job” can get.

The researchers called the first hardware bug “Spectre”. It gives attackers a way to fool what are otherwise error-free programmes into sharing information by breaking the isolation between various applications. 

The other bug, which the Google researchers named “Meltdown”, literally melts down the divide between user applications and an operating system (OS). By exploiting Meltdown, a hacker can use one programme to access the memory of another programme or a device’s OS. Meltdown affects desktops, laptops as well as cloud computers. However, so far, Google’s researchers have only verified it on Intel CPUs.

This means that if you think you’re running one particular programme in isolation (say a word processing programme), you actually are not, because that programme can be used to affect the workings of other programmes or apps that you think you’re not currently using on your computer. The research team’s report, available on meltdownattack.com, warns that Spectre and Meltdown give hackers the ability to steal a device’s entire memory content. That means they have access to your photo database, instant messages, emails, passwords and a lot more.

Let the enormity of that sink in. It means that the computer, smartphone, or tablet that you are reading this on is very likely among the majority of the computers sold in the last 20 years. 

The Google team first discovered these flaws in June 2017, and the plan was for the tech community to disclose them to the public on 9 January 2018. 

The purpose for the secrecy was to give companies time to address the issues before the news spread, but rumours and early reports forced public disclosure on 3 January. The team says that so far, they haven’t found proof that anyone has used the bugs for nefarious purposes, but now that the news about them is out, that could soon change. 

Tech companies are working furiously to push out security patches that cover for these vulnerabilities, so you would be wise to download and install the latest version of software for your machine.

As long as you don’t mind your battery performance falling by a large amount, that is. In other recent news, Apple Inc. has admitted that it deliberately degraded the battery performance in its older iPhone models with each new version of iOS phone software that it has pushed out over the last few years. Like the Aadhaar incident and the CPU vulnerabilities, this is an “inside job”; critics say it is a deliberate attempt by Apple to force the obsolescence of older devices. If you don’t believe that, just try changing an iPhone’s battery by yourself.

Siddharth Pai is a technology consultant who has led over $20 billion in complex, first-of-a-kind outsourcing transactions. He now works as an advisor to Boards, CEOs, and investors to help them strengthen and execute their global technology strategies in an increasingly uncertain and volatile world.

*This article first appeared in print in the Mint and online at www.livemint.com

For this and more, see: