An investigation by HuffPost has revealed the existence of a software patch that can be used to disable critical security features of the Aadhaar enrolment software. The easy availability and widespread use of the patch has potentially compromised the biometric and personal data of over a billion enrolled Indians.
The patch, available for as little as Rs 2,500, allows individuals located anywhere in the world to generate the unique 12-digit Aadhaar number. This not only busts the age-old line proffered by the government of the Aadhaar database being secure but more importantly raises huge national security implications.
The seriousness of the compromise can be gauged from the claim that sourcing the patch is as easy as ‘gaining access to one of the many WhatsApp groups where it is being sold’. Moreover, the article says that using the patch is as simple as “installing the enrolment software on a PC.”
Why this Breach is BIG
Experts who have analysed the software patch have highlighted a number of damaging characteristics about the controversial database.
- The patch allows a user to completely bypass the biometric authentication of enrolment operators. This enables the user to generate unique Aadhaar numbers independently.
- An individual anywhere in the world can use the software to enrol users because the patch allegedly disables the enrolment software’s GPS feature.
- It makes spoofing iris-scanning easier, potentially allowing the user to use a high-resolution photograph of a registered operator rather than requiring the operator to be present physically.
The national security implications of this kind of breach are massive as it allows a direct entry and intervention of a database that contains highly sensitive and personally identifiable information of nearly the entire Indian population. To make matters worse, the Central Repository Database is also seeded organically and inorganically with a host of other databases such as banks, mobile service providers and health records among others.
Government Position on Aadhaar Busted
The expose on the UIDAI database hack also busts the position the Modi Government has taken to defend the security of the Aadhaar database. IT Minister Ravi Shankar Prasad, CEO of UIDAI Ajay Bhushan Pandey and more recently TRAI Chairman RS Sharma have all made the following two claims:
- The UIDAI database is secure.
- The biometric data – fingerprints and iris – have not been compromised.
This hack has demonstrated the possibility of bypassing security features in the Aadhaar framework (meant to prevent unauthorised operators from functioning), even those relating to biometrics, and of course enrolling new Aadhaar numbers, which could lead to duplication and fraud.
Can my Personal Data be Stolen?
According to the investigation carried out by Rachna Khaira, Aman Sethi and Gopal Sathe, the software hack is unusual in the sense that it does not seek access to or steal information contained within the database but rather tries to introduce new information into it.
This one-way mechanism is nonetheless dangerous because it directly defeats a number of UIDAI’s primary claims. The aims include reducing corruption, tackling black money, eliminating fraud and identity theft.
Software Patch Tutorials Common on YouTube
The investigation by HuffPost has also shed light on the fact that patch is commonly available among enrollment operators. This, in fact, appears to be so widespread that a search for “emcp bypass aadhaar” on YouTube reveals dozens of videos offering steps to bypass the security mechanisms.
The report says that once the patch has been installed, it affords an operator the luxury of logging into multiple machines simultaneously thereby “reducing the cost per enrollment, and increasing their profits” according to the report.
Experts Validate Vulnerabilty
HuffPost had the patch analysed by three independent security researchers, all of whom went through the code to confirm that “the vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme”. This means that fixing the threat would “require altering Aadhaar’s fundamental structure”.
Gustaf Bjorksten, chief technologist at Access Now, a global technology advocacy organisation, has said that fixing the problem would require ‘radical change’ in the system as many entities would find it profitable to scale the patch globally.
Anand Venkatanarayanan, a cybersecurity researcher based in Bengaluru, analysed the patch and revealed that it was created by grafting older versions of the enrolment software onto the newer versions.
Dan Wallach, Professor of Computer Science, and Electrical and Computer Engineering, at Rice University in Houston, Texas, upon going through Anand’s report confirmed it as correct and said it was something that could be engineered in order to bypass security protocols and allow access.