[UPDATE – 12/09/2018, 1:37PM: UIDAI has dismissed reports of an Aadhaar enrollment software hack via a security patch]
Original story published on September 11, 02:54PM
According to a recent report, the Aadhaar identity database (Aadhaar ID), which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch. The patch reportedly disables critical security features of the Aadhaar software that the Government uses to enroll new Aadhaar users.
A report by HuffPost India claims it is in possession of the security patch, which bypasses a critical security feature in Aadhaar’s enrollment software. The patch is said to have been analyzed by three internationally renowned experts and two Indian analysts.
The alleged software patch is claimed to be openly available on the web for Rs 2,500 and is still in widespread use. The experts analyzed the patch and found that it can bypass critical security features such as the biometric authentication of enrollment operators, allowing unauthorized Aadhaar numbers to be generated. It is also said to disable the enrollment software’s built-in GPS security feature, which means it defeats the ability to track an enrollment operator’s physical location.
Beyond that, it can even reduce the sensitivity of the enrollment software’s iris-recognition system, making it easier to fool the enrollment software with a photograph instead of a live eye.
Experts also say that the software patch is unusual in that it does not seek to access information stored in the Aadhaar database, but rather to introduce information into it.
“There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile,” the report quoted Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group. “To have any hope of securing Aadhaar, the system design would have to be radically changed.”
It appears to be a major security failure on UIDAI’s part, and experts suggest that fixing the vulnerability could require a complete change to Aadhaar’s fundamental structure.
Update: September 12: UIDAI has tweeted that it has “taken all necessary safeguard measures spanning from providing standardized software that encrypts entire data even before saving to any disk, protecting data using tamper proofing, identifying every one of the operators in every enrollment, identifying every one of thousands of machines using a unique machine registration process, which ensures every encrypted packet is tracked.”
…so that their enrolment/updation is done only on authorized machines and their efforts do not get wasted because of rejection of their enrolments or updates. (The list of authorized Aadhaar Kendra is available on UIDAI website https://t.co/Sy2gBGp78t).
— Aadhaar (@UIDAI) September 11, 2018
“Any enrollment or update request is processed only after biometrics of the operator is authenticated and resident’s biometrics is de-duplicated at the backend of UIDAI system,” the statement added.
The claims lack substance and are baseless. UIDAI further said that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted. 2/n
— Aadhaar (@UIDAI) September 11, 2018
“If an operator is found violating UIDAI’s strict enrolment and update processes or if one indulges in any type of fraudulent or corrupt practices, UIDAI blocks and blacklists them and imposes financial penalty up to Rs1 lakh per instance. It is because of this stringent and robust system that as on date more than 50,000 operators have been blacklisted,” said UIDAI.
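The dispute above comes down to where the security checks live: a patch to the enrollment client can flip client-side decisions (operator authenticated, GPS present, iris threshold met), so they only hold if the backend recomputes them from raw packet data, as UIDAI’s statement says it does. The following is an added illustration of that principle, not UIDAI’s code; the machine keys, operator sessions, packet fields and threshold are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample data (hypothetical, not UIDAI's real registry):
# per-machine secrets issued at machine registration, backend-verified
# operator sessions, and the server's own iris match threshold.
MACHINE_KEYS = {"MACHINE-001": b"constructed-machine-key-001"}
VERIFIED_OPERATOR_SESSIONS = {"sess-42": "OPERATOR-7"}
IRIS_MATCH_THRESHOLD = 0.80


def _mac(key: bytes, body: dict) -> str:
    """HMAC over a canonical JSON encoding of the packet body."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_packet(machine_id: str, body: dict) -> dict:
    """Client side: a registered machine signs the packet it submits."""
    return {"machine_id": machine_id, "body": body,
            "mac": _mac(MACHINE_KEYS[machine_id], body)}


def validate_enrollment(packet: dict) -> tuple[bool, str]:
    """Backend side: every decision is recomputed from raw packet data.
    Client-side booleans such as body['iris_ok'] or
    body['operator_authenticated'] are never consulted, because a patched
    enrollment client can set them to anything."""
    key = MACHINE_KEYS.get(packet.get("machine_id"))
    if key is None:
        return False, "unregistered machine"
    body = packet.get("body", {})
    # The MAC ties the packet to a registered machine and detects tampering
    # in transit; it does not prove the client software is unmodified.
    if not hmac.compare_digest(_mac(key, body), packet.get("mac", "")):
        return False, "packet integrity check failed"
    # Operator identity must come from a session the backend itself verified.
    if body.get("operator_session") not in VERIFIED_OPERATOR_SESSIONS:
        return False, "operator biometrics not authenticated by backend"
    # Apply the server's threshold to the raw score, not the client's verdict.
    if float(body.get("iris_match_score", 0.0)) < IRIS_MATCH_THRESHOLD:
        return False, "iris match below server threshold"
    return True, "accepted"
```

A packet carrying `iris_ok: True` and `operator_authenticated: True` but a low raw score and no backend session is rejected regardless of what the client claimed.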