Blowing the lid off what could possibly be one of the biggest data breaches of unique identity database of over a billion Indians, a report by Huffpost on Tuesday claimed that UIDAI’ database has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users.
What is Aadhaar software hack?
According to the report, a software patch, which can be bought for as little as Rs 2,500, allows unauthorised persons, based anywhere in the world, to generate Aadhaar numbers.
A patch is a set of code that is used to change a computer program or update, fix, or improve it. This includes fixing bugs. However, it can also be used to introduce vulnerabilities. The report claimed that the Aadhaar software patch allowed users to bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.
Why is it a security risk?
The report said that Aadhaar patch disables the enrolment software’s GPS security feature which is used to identify the location of enrolment centres. Turning off GPS would allow anyone to use the software to enrol users from anywhere in the world.
How the software patch makes Aadhaar vulnerable to ghost entries?
While the government has trumpeted weeding out of illegal beneficiaries from various central schemes as one of the major successes of Aadhaar, the latest revelations may deliver a body blow to Centre’s tall claims.
The report claims that the patch reduces the sensitivity of the enrolment software’s iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
If this is true, then the software patch could be used to create ghost entries into Aadhaar database. The new IDs created in UIDAI may also be misused to siphon off rations meant for poor.
How did the hack happen?
In 2010, the UIDAI allowed private agencies to enrol users to the Aadhaar system in order to speed up enrolments. In the same year, Bengaluru-based Mindtree won a contract to develop an official, standardised enrolment software – called the Enrolment Client Multi-Platforma (ECMP )- that would be installed onto the thousands of computers maintained by these private operators.
Instead of using a web-based system in which all software would be installed on the UIDAI’s own servers and enrolment operators would have a user name and password to access the system, softwares were installed on each enrolment computer.
According to the report, B. Regunath, a software architect who led the team at Mindtree that worked on the project, said a web-based enrolment software for Aadhaar was not practical at the time because many parts of the country had very poor Internet connectivity.
To make data security foolproof, more features were added to the software that was used by Aadhaar enrolment operators. They were required to log in to the software by first providing their own fingerprint or iris scan. Also, a GPS device was attached to verify the location.
However, the report claimed that in early 2017, these security features were bypassed by a software hack. There is also a video on YouTube which offers a step-by-step guide to bypass these security features.
Unique Identification Authority of India (UIDAI) has dismissed the claims as completely baseless. Refuting the allegations, UIDAI said no operator can make or update Aadhaar unless an individual gives biometrics details.
The UIDAI said that it matches all the biometric – 10 fingerprints and both iris – of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing an Aadhaar, and so the claims of introducing information into Aadhaar database were “completely unfounded”.