The Unique Identification Authority of India (UIDAI) might be in for some more controversy in the coming days as an investigation by a news website has found serious lapses in Aadhaar security.
Yes, according to HuffPost India, the Aadhaar software has been hacked. According to the report, the UIDAI Aadhaar enrolment software, used to enroll new residents and get them into the Aadhaar database, may have been subjected to a hack using a software patch that disables critical security features. This patch is reportedly available for as little as Rs 2,500 and allows unauthorized people to log in as Aadhaar enrolment operators, register anyone and generate Aadhaar numbers, irrespective of the location from which the software is accessed.
A patch is a bundle of code used to alter the functionality of a software programme. Companies often use patches for minor updates to existing programmes, but a patch can also be used for harm, as in this case, by removing or weakening the security checks a programme is supposed to enforce.
HuffPost India is in possession of the patch and had it analyzed by three internationally reputed experts, and two Indian analysts (one of whom sought anonymity as he works at a state-funded university), to find that:
- The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorized Aadhaar numbers.
- The patch disables the enrolment software’s in-built GPS security feature (used to identify the physical location of every enrolment center), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enroll users.
- The patch reduces the sensitivity of the enrolment software’s iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
The experts consulted by HuffPost India said that the vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme, which means that fixing it and other future threats would require altering Aadhaar’s fundamental structure.
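The report does not spell out which technology choice the experts mean. One class of design that matches the described symptoms (every protection defeated by changing only the enrolment client, with no change on the server side) is enforcing operator authentication, location and the iris threshold inside the client rather than at the server that issues the Aadhaar number. The model below is an added illustration of that design class and its server-enforced alternative; it is not code from the Aadhaar software or from the HuffPost analysis. The operator registry, centre coordinates, 64-bit "iris template" encoding, thresholds and remote location are all constructed for the example.

```python
"""Where a check runs decides who can remove it: client-enforced vs
server-enforced enrolment policy (illustrative model, constructed data).

Hypothetical throughout: the operator registry, centre coordinates, the
64-bit 'iris template' encoding and the thresholds are made up for this
example and do not describe the real enrolment software.
"""
import math

TEMPLATE_BITS = 64


def similarity(sample: int, template: int) -> float:
    """Toy iris match score: fraction of the 64 template bits that agree."""
    mask = (1 << TEMPLATE_BITS) - 1
    differing = bin((sample ^ template) & mask).count("1")
    return 1.0 - differing / TEMPLATE_BITS


def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


# Server-side policy and registry (constructed values).
OPERATOR_TEMPLATES = {"op-1001": 0xA5A5F0F03C3C9999}
CENTRE_LOCATIONS = {"centre-42": (12.9716, 77.5946)}
IRIS_THRESHOLD = 0.90   # minimum operator iris similarity
GEOFENCE_KM = 5.0       # tolerated distance from the registered centre


def client_submit(operator_id, iris_sample, gps, centre_id, *,
                  checks_enabled=True, iris_threshold=IRIS_THRESHOLD):
    """Client in a client-enforced design: it holds a copy of the policy and
    of the operator template, checks locally, then stamps the packet.

    A patched binary is modelled by checks_enabled=False (checks grafted
    out) or by a lowered iris_threshold (sensitivity reduced). Either way the
    client still produces a packet identical in shape to an honest one.
    """
    if checks_enabled:
        if similarity(iris_sample, OPERATOR_TEMPLATES[operator_id]) < iris_threshold:
            raise PermissionError("operator iris did not match")
        if distance_km(gps, CENTRE_LOCATIONS[centre_id]) > GEOFENCE_KM:
            raise PermissionError("client is not at its registered centre")
    return {"operator_id": operator_id, "centre_id": centre_id,
            "operator_iris_sample": iris_sample, "gps": gps,
            "operator_verified": True}   # a flag, not evidence


def trusting_server(packet) -> bool:
    """Server in the client-enforced design: believes the client's flag."""
    return packet.get("operator_verified") is True


def verifying_server(packet) -> bool:
    """Server in the server-enforced design: ignores the flag and recomputes
    every check from the raw evidence against its own registry and thresholds,
    so editing the client binary cannot lower the bar."""
    template = OPERATOR_TEMPLATES.get(packet["operator_id"])
    centre = CENTRE_LOCATIONS.get(packet["centre_id"])
    if template is None or centre is None:
        return False
    if similarity(packet["operator_iris_sample"], template) < IRIS_THRESHOLD:
        return False
    return distance_km(packet["gps"], centre) <= GEOFENCE_KM


def run_scenarios():
    """Exercise both designs with an honest client, a client whose checks are
    disabled, and a client whose iris threshold has been lowered."""
    template = OPERATOR_TEMPLATES["op-1001"]
    live_sample = template ^ 0x3      # 2 of 64 bits differ: score 0.96875
    photo_sample = template ^ 0xFFF   # 12 bits differ: score 0.8125 (below 0.90)
    at_centre = CENTRE_LOCATIONS["centre-42"]
    far_away = (39.9042, 116.4074)    # constructed remote location

    honest = client_submit("op-1001", live_sample, at_centre, "centre-42")
    no_checks = client_submit("op-1001", photo_sample, far_away, "centre-42",
                              checks_enabled=False)
    lowered = client_submit("op-1001", photo_sample, at_centre, "centre-42",
                            iris_threshold=0.80)
    try:
        client_submit("op-1001", photo_sample, far_away, "centre-42")
        unpatched_refused = False
    except PermissionError:
        unpatched_refused = True

    return {
        "honest": (trusting_server(honest), verifying_server(honest)),
        "no_checks": (trusting_server(no_checks), verifying_server(no_checks)),
        "lowered": (trusting_server(lowered), verifying_server(lowered)),
        "unpatched_refused": unpatched_refused,
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

In the model, the trusting server accepts all three submissions because it only reads the `operator_verified` flag the client sets, while the verifying server rejects the two patched submissions because it recomputes the iris score and the distance itself. Moving enforcement to the server does not make the problem disappear: the server now has to establish that the raw samples it receives are genuine and fresh (liveness, replay protection, device attestation), which is a harder design than a client-side flag but is at least a problem the client cannot patch away.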
“Whoever created the patch was highly motivated to compromise Aadhaar,” said Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, and one of the experts who analyzed the patch at HuffPost India’s request.
“There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile,” Björksten said. “To have any hope of securing Aadhaar, the system design would have to be radically changed.”
Bengaluru-based cybersecurity analyst and software developer Anand Venkatanarayanan, who also analyzed the software for HuffPost India and shared his findings with the government authority NCIIPC, said the patch was assembled by grafting code from older versions of the Aadhaar enrolment software, which had fewer security features, onto newer versions of the software.
NCIIPC, or National Critical Information Infrastructure Protection Centre, is the nodal agency responsible for Aadhaar security.
Venkatanarayanan’s findings were confirmed by Dan Wallach, Professor of Computer Science, and Electrical and Computer Engineering, at Rice University in Houston, Texas.
“Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer,” Wallach said.
The new software patch doesn’t give read access to the Aadhaar database but instead enables the addition of new information to the Aadhaar system. This means that using the patch, fake identities could be added to the Aadhaar database. “If anybody is able to create an entry in the Aadhaar database, then potentially the person can create multiple Aadhaar cards. Then the same person can siphon off rations of multiple people,” said Rajendran Narayanan, Assistant Professor, Azim Premji University, Bengaluru, as quoted by HuffPost India.
HuffPost India says it provided a copy of the patch to NCIIPC earlier this year, but the agency declined to share its findings. UIDAI also did not respond to questions sent before the report was published. Moreover, there is some evidence that the patch is in wide use: YouTube videos offering “ecmp bypass” tutorials.
We’ve reached out to UIDAI for clarity on the patch and have also emailed a questionnaire to the UIDAI CEO to understand the next steps for ensuring legitimate registrations. We’ll update this space accordingly.
UIDAI is currently working on a face recognition facility that has been delayed in the recent past. The facility is aimed at bolstering security by verifying users through facial recognition alongside iris and fingerprint scans.