A three-month-long investigation claims to have uncovered a software patch that compromises the security of the data stored in the Aadhaar identity database. The patch, which was not developed by the Unique Identification Authority of India (UIDAI), allegedly allows attackers to generate unauthorised Aadhaar numbers by disabling security features of the official Aadhaar enrolment software. It is said to be sold for a one-time charge of as little as Rs. 2,500 and is reportedly already in use by many enrolment operators across the country.
The new hack is believed to have its roots in a decision UIDAI took back in 2010 to speed up the enrolment process by opening it to private operators. Notably, the report on the Aadhaar patch emerges just ahead of the launch of a face recognition facility by the Aadhaar-issuing body, which will add face recognition to iris and fingerprint scans for verifying users.
"Whomever [sic] created the patch was highly motivated to compromise Aadhaar," said Gustaf Björksten, Chief Technologist at Access Now. Björksten was among the analysts who analysed the patch. According to the report, the patch came into circulation in early 2017. Björksten added that the patch was the work of more than one coder.
Björksten noted that the decision to give private enrolment operators an installation package instead of a cloud-based solution put critical components of Aadhaar at risk. This eventually opened the avenue for a hack like the latest patch, which reportedly works on top of the enrolment software and was created by "grafting code from older versions of Aadhaar enrolment software - which had fewer security features - on newer versions of the software".
The patch is also said to disable GPS, reduce the sensitivity of the iris scanner, and extend the duration of each login session. Since it lets private operators use the enrolment software without authenticating with their fingerprints, a single operator can log into multiple machines simultaneously. This reduces the cost per enrolment and so increases adoption among enrolment operators, who are reportedly paid as little as Rs. 30 per enrolment.
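The three behaviours described above (no GPS fix, unusually long sessions, and one operator logged into several machines at the same time) are all visible in server-side session records, which makes them natural detection signals for the operator of a central enrolment backend. The following is an added example, not code from the article or from UIDAI: it runs those three checks over a constructed, hypothetical session log. The log format, field names and the eight-hour session limit are assumptions made for the example; the real enrolment software's audit format is not described in the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log (hypothetical format, not the real enrolment audit log):
# login,logout,operator_id,machine_id,lat,lon   ("-" means the client reported no GPS fix)
SAMPLE_LOG = """\
2018-09-10T09:00:00,2018-09-10T12:00:00,OP001,MACH-A,28.61,77.21
2018-09-10T10:00:00,2018-09-10T11:00:00,OP001,MACH-B,28.70,77.10
2018-09-10T08:00:00,2018-09-10T09:00:00,OP002,MACH-C,-,-
2018-09-10T09:00:00,2018-09-10T10:00:00,OP002,MACH-C,19.07,72.87
2018-09-10T06:00:00,2018-09-10T18:00:00,OP003,MACH-D,13.08,80.27
"""

# Assumed policy: a legitimate, fingerprint-bound operator session should not run this long.
MAX_SESSION = timedelta(hours=8)


@dataclass
class Session:
    operator_id: str
    machine_id: str
    login: datetime
    logout: datetime
    gps: Optional[Tuple[float, float]]  # None when the client sent no coordinates


def parse_log(text: str) -> List[Session]:
    """Parse the constructed CSV-style log into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        login, logout, op, machine, lat, lon = line.split(",")
        gps = None if lat == "-" or lon == "-" else (float(lat), float(lon))
        sessions.append(Session(op, machine, datetime.fromisoformat(login),
                                datetime.fromisoformat(logout), gps))
    return sessions


def concurrent_logins(sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Flag an operator whose sessions on two different machines overlap in time.

    Fingerprint-bound logins should make this impossible; overlap suggests the
    biometric check on the client has been bypassed."""
    by_operator: Dict[str, List[Session]] = {}
    for s in sessions:
        by_operator.setdefault(s.operator_id, []).append(s)
    findings = []
    for op, sess in by_operator.items():
        sess.sort(key=lambda s: s.login)
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if b.login >= a.logout:  # later sessions start even later: no overlap
                    break
                if a.machine_id != b.machine_id:
                    findings.append((op, a.machine_id, b.machine_id))
    return findings


def missing_gps(sessions: List[Session]) -> List[Tuple[str, str]]:
    """Flag sessions whose client reported no location fix at all."""
    return [(s.operator_id, s.machine_id) for s in sessions if s.gps is None]


def overlong_sessions(sessions: List[Session], limit: timedelta = MAX_SESSION) -> List[Tuple[str, str]]:
    """Flag sessions longer than the assumed policy limit."""
    return [(s.operator_id, s.machine_id) for s in sessions if s.logout - s.login > limit]


def audit(sessions: List[Session]) -> Dict[str, list]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "concurrent": concurrent_logins(sessions),
        "no_gps": missing_gps(sessions),
        "overlong": overlong_sessions(sessions),
    }


if __name__ == "__main__":
    for check, hits in audit(parse_log(SAMPLE_LOG)).items():
        print(f"{check}: {hits}")
```

In the constructed sample, OP001 is logged into MACH-A and MACH-B at the same time, OP002's first session carries no GPS fix, and OP003's twelve-hour session exceeds the limit; OP002's two back-to-back sessions on the same machine are correctly not flagged because one ends exactly when the next begins. Each signal on its own can have a benign cause (a poor GPS environment, a long rural camp), so a backend would typically score them together per operator rather than block on any single one.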
HuffPost India claims it provided a copy of the patch to the National Critical Information Infrastructure Protection Centre (NCIIPC) earlier this year, but the government body, which is the nodal agency responsible for Aadhaar security, declined to share its findings. UIDAI also did not respond to requests for comment made before publication. Moreover, evidence of the patch's mass usage can be seen in YouTube videos showing "ecmp bypass" tutorials.
UIDAI is currently working on a face recognition facility, which was delayed recently. It is aimed at bolstering security by verifying users through facial recognition alongside iris and fingerprint scans.