The Unique Identification Authority of India (UIDAI) might have to answer questions as a new report claims to have found a new security flaw in the Aadhaar identity database. According to a three-month-long investigation by HuffPost India, the biometrics and personal information of over 1 billion Indians have been compromised by a software patch that disables critical security features of the software used to enroll new Aadhaar users.
Surprisingly, the patch is freely available for as little as Rs 2,500. This opens up the vulnerability to unknown people, who can generate Aadhaar numbers at will. The patch is still in widespread use, the report added.
HuffPost India has also verified the information via global security experts from three different locations. All three confirmed that the hack is very much real.
What exactly is the hack?
The software has been compromised on three levels:
1. The patch allows a user to bypass critical security features such as biometric authentication of enrolment operators to generate unauthorized Aadhaar numbers.
2. Secondly, the patch disables the enrolment software's in-built GPS security feature, which is used to identify the location of an enrolment centre. This implies that the hack allows anyone in the world to use the software to enroll users.
3. Lastly, the patch reduces the sensitivity of the enrolment software's iris-recognition system. With this trick, an unknown person can fool the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
Security experts comment on the vulnerability
Security expert Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, said, “Whoever created the patch was highly motivated to compromise Aadhaar.” He added, “There are probably many individuals and entities, criminal, political, domestic and foreign that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile. To have any hope of securing Aadhaar, the system design would have to be radically changed.”
Also, Bengaluru-based cyber security analyst and software developer Anand Venkatanarayanan said, “They have used some of the files from earlier versions of the Aadhaar software, which did not have these security features, and they have also made changes that remove other security checks.”
The report pointed out that Venkatanarayanan's findings were confirmed by Dan Wallach, Professor of Computer Science, and Electrical and Computer Engineering, at Rice University in Houston, Texas. He said, “Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer.”
Who is to be blamed?
It is believed that the hack goes back to 2010. That year, private agencies were allowed to enroll users in the Aadhaar system in order to speed up enrolments. The contract was won by the Bengaluru-based company Mindtree, which developed software called the Enrolment Client Multi-Platform. This platform was later installed on thousands of computers maintained by these private operators.
The end result? Over 180 million Indians were enrolled onto this platform by February this year. Security expert Björksten believed that due to these “common service centres”, critical components of Aadhaar fell in the hands of the enemies of the system.
According to the report, a wiser option would have been to have a web-based system in which all software would be installed on the UIDAI's own servers and enrolment operators would have a user name and password to access the system.
At the moment, the NCIIPC (National Critical Information Infrastructure Protection Centre) and UIDAI (Unique Identification Authority of India) have not made any comment on the matter.
What’s next?
The news of the Aadhaar patch emerges just a few days before the launch of the face recognition facility in the country.
Aadhaar-issuing body UIDAI recently announced a phased rollout of the face recognition feature as an additional mode of authentication, starting with telecom service providers from September 15. The Authority had earlier planned to roll out the face recognition feature from July 1, a target that was later pushed to August 1.
UIDAI proposed two-factor authentication for the use of face recognition by telcos: where an individual provides an Aadhaar number, the authentication will be done using fingerprint or iris and face. For individuals providing a Virtual ID, the authentication can be on the basis of fingerprint or iris. UIDAI said that in cases where an individual is unable to authenticate by fingerprint or iris, face authentication can be used as an additional mode, to make the system more inclusive.