Aadhaar data security has always remained a highly debated topic. Though there have been several reports questioning the security of the database, UIDAI has always denied these claims. In a recent development, a three-month-long investigation by Huffington Post India has exposed that the data stored in the controversial Aadhaar identity database has been compromised by a software patch.
According to the report, the database containing personal and biometric details of over 1 billion Indians has been compromised. The software patch has disabled the critical security features that are used to enroll new users. It states that the patch is available for as little as Rs. 2,500 and is sold to WhatsApp groups so that unauthorized persons from anywhere in the world can generate Aadhaar numbers as they wish.
What is a Patch
A patch is a bundle of codes that can alter the functionality of software programmes. Usually, patches are used to rollout minor updates to the existing programmes. But patches can be used to cause harm by introducing a vulnerability. This is what has happened in the case of the Aadhaar identity database. The Huffington Post India is in possession of the patch. It has been analyzed by three internationally reputed experts and two Indian analysts.
How harmful is the patch
They have analyzed the patch to find the harmful effects of the patch. Going by the same, the patch lets a user bypass the critical security features to generate unauthorized Aadhaar numbers. Also, it disables the enrollment software's inbuilt GPS that can identify the physical location of the enrollment center. Eventually, anyone from anywhere in the world can use the software and enroll new users.
And, the patch can reduce the sensitivity of the iris recognition system of the enrollment software. This makes it easier to spoof the software using a photograph of a registered operator instead of the physical presence of the operator.
According to the report, the experts involved claim that fixing this vulnerability and other potential threats will require altering the fundamental structure of Aadhaar.
Patch is simple to install
As mentioned above, the report adds that this patch is accessible for as low as Rs. 2,500 and is shared to WhatsApp groups. Even the usernames and passwords required to login to the enrollment gateway of UIDAI is sold.
Using the patch is quite simple as it involves installing the enrollment software on a PC and replacing a folder of Java libraries using the Ctrl C+Ctrl V commands. After installing the patch, enrollment operators need not provide their fingerprint to use the software, the sensitivity of the iris scanner is reduced and GPS is disabled. So, a single operator can log into several machines simultaneously, which will reduce the cost involved in the enrollment and increase their profit.
Potential risk to national security
The security vulnerability is a potential risk to the Aadhaar users at a point in time when the Indian government is making the Aadhaar number mandatory for identification and link it with mobile number and bank account.
The experts say that this Aadhaar hack will create a new set of problems. It might defeat the aims of Aadhaar such as reducing corruption, eliminating fraud and identity theft, and tracking black money. It can also make the Aadhaar database vulnerable to the ghost entries like the other government databases.
The experts suggest that a more secure choice would be a web-based system that has all the software installed on the UIDAI servers. Such a system would require the enrollment operators to have a username and password to access the system. But this was not possible back then as many parts of the country had poor internet connectivity.
The report claims that it has granted access to the patch to NCIIPC (National Critical Information Infrastructure Protection Center). NCIIPC is the government body responsible for Aadhaar security. While the agency is yet to reveal its findings, UIDAI is yet to comment on this claim.