NEW DELHI—The authenticity of the data stored in India’s controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.
The patch—freely available for as little as Rs 2,500 (around $35)— allows unauthorised persons, based anywhere in the world, to generate Aadhaarnumbers at will, and is still in widespread use.
This has significant implications for national security at a time when the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.
A patch is a bundle of code used to alter the functionality of a software programme. Companies often use patches for minor updates to existing programmes, but they can also be used for harm by introducing a vulnerability—as in this case.
HuffPost India is in possession of the patch, and had it analysed by three internationally reputed experts, and two Indian analysts (one of whom sought anonymity as he works at a state-funded university), to find that:
- The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.
- The patch disables the enrolment software’s in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.
- The patch reduces the sensitivity of the enrolment software’s iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
The experts consulted by HuffPost India said that the vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme, which means that fixing it and other future threats would require altering Aadhaar’s fundamental structure.
“Whomever created the patch was highly motivated to compromise Aadhaar,” said Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, and one of the experts who analysed the patch at HuffPost India‘s request.
“There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile,” Björksten said. “To have any hope of securing Aadhaar, the system design would have to be radically changed.”
Bengaluru-based cyber security analyst and software developer Anand Venkatanarayanan, who also analysed the software for HuffPost India and shared his findings with the NCIIPC government authority, said the patch was assembled by grafting code from older versions of the Aadhaar enrolment software—which had fewer security features— on to newer versions of the software.
NCIIPC, or National Critical Information Infrastructure Protection Centre, is the nodal agency responsible for Aadhaar security.
Venkatanarayanan’s findings were confirmed by Dan Wallach, Professor of Computer Science, and Electrical and Computer Engineering, at Rice University in Houston, Texas.
“Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer,” Wallach said.
Indian authorities have declined comment, despite HuffPost India reaching out to both NCIIPC and the Unique Identification Authority of India (UIDAI) on more than one occasion since July this year.
While NCIIPC requested a copy of the patch, which HuffPost India provided in the same month, the agency has declined to share its findings. UIDAI did not respond to HuffPost India‘s mails.
A SERIES OF PRAGMATIC CHOICES
The genesis of the current hack lies in a decision, made in 2010, to let private agencies enrol users to the Aadhaar system in order to speed up enrolments. That year, Mindtree, a Bengaluru-based company, won a contract to develop an official, standardised enrolment software — called the Enrolment Client Multi-Platform (ECMP)— that would be installed onto the thousands of computers maintained by these private operators.
Apart from private enrolment agencies, the UIDAI also signed enrolment agreements with “common service centres” — village-level computer kiosks that help citizens access common e-governance services such as pensions, student scholarships etc. By February 2018, these centres were responsible for enrolling 180 million Indians…..Read More>>>>