After an investigation by HuffPost revealed the existence of a software patch that can be used to disable critical security features of the Aadhaar enrolment software, the UIDAI has dismissed the report in a statement.
“No operator can make or update Aadhaar unless the resident himself gives his biometric. Any enrolment or update request is processed only after biometrics of the operator is authenticated and resident’s biometrics is de-duplicated at the backend of UIDAI system,” UIDAI said.
According to the HuffPost investigation, the easy availability and widespread use of the patch has potentially compromised the biometric and personal data of over a billion enrolled Indians.
The patch, available for as little as Rs 2,500, allows individuals located anywhere in the world to generate the unique 12-digit Aadhaar number. This not only busts the age-old line proffered by the government on the Aadhaar database being secure, but also more importantly raises huge national security implications.
The seriousness of the compromise can be gauged from the claim that sourcing the patch is as easy as “gaining access to one of the many WhatsApp groups where it is being sold”. Moreover, the HuffPost report says that using the patch is as simple as “installing the enrolment software on a PC.”
UIDAI Rubbishes Claim
In a series of tweets, UIDAI said that the media’s vested interests are aimed at confusing people – which is unwarranted. The government agency also asserted that all necessary safeguards were being implemented to provide standardised software that encrypts data before saving it to any disk.
They also clarified that no operator can make or update Aadhaar unless the residents provide their biometrics.
“We keep adding new security features in our system as required from time-to-time to thwart new security threats by unscrupulous elements,” the statement said.
Why this Breach is BIG
Experts who have analysed the software patch have highlighted a number of damaging characteristics about the controversial database.
- The patch allows a user to completely bypass the biometric authentication of enrolment operators. This enables the user to generate unique Aadhaar numbers independently.
- An individual anywhere in the world can use the software to enrol users because the patch allegedly disables the enrolment software’s GPS feature.
- It makes spoofing iris-scanning easier, potentially allowing the user to use a high-resolution photograph of a registered operator rather than requiring the operator to be present physically.
The national security implications of such a breach are massive as it allows a direct entry and intervention of a database that contains highly sensitive and personally identifiable information of nearly the entire Indian population. To make matters worse, the Central Repository Database is also seeded organically and inorganically with a host of other databases such as banks, mobile service providers and health records among others.
Can my Personal Data be Stolen?
According to the investigation carried out by Rachna Khaira, Aman Sethi and Gopal Sathe, the software hack is unusual in the sense that it does not seek access to or steal information contained within the database but rather tries to introduce new information to it.
This one-way mechanism is nonetheless dangerous because it directly defeats a number of UIDAI’s primary claims. The aims include reducing corruption, tackling black money, eliminating fraud and identity theft.
Software Patch Tutorials Common on YouTube
The investigation by HuffPost has also shed light on the fact that the patch is commonly available among enrolment operators. This, in fact, appears to be so widespread that a search for “emcp bypass aadhaar” on YouTube reveals dozens of videos offering steps to bypass the security mechanisms.
The report says that once the patch has been installed, it affords an operator the luxury of logging into multiple machines simultaneously thereby “reducing the cost per enrolment, and increasing their profits” according to the report.
Experts Validate Vulnerabilty
HuffPost had the patch analysed by three independent security researchers, all of whom went through the code to confirm that “the vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme”. This means that fixing the threat would “require altering Aadhaar’s fundamental structure”.
Gustaf Bjorksten, chief technologist at Access Now, a global technology advocacy organisation, has said that fixing the problem would require “radical change” in the system as many entities would find it profitable to scale the patch globally.
Anand Venkatanarayanan, a cybersecurity researcher based in Bengaluru, analysed the patch and revealed that it was created by grafting older versions of the enrolment software onto the newer versions.
Dan Wallach, Professor of Computer Science, and Electrical and Computer Engineering, at Rice University in Houston, Texas, upon going through Anand’s report confirmed it as correct and said it was something that could be engineered in order to bypass security protocols and allow access.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)