Reports on new vulnerabilities in Aadhaar are becoming so regular that it’s often surprising if an entire week actually manages to go by without any new incident.
Now, Asia Times is claiming that on top of all the security lapses that have been plaguing Aadhaar, the controversial national ID system is also susceptible to illegal access by operators who can easily bypass biometric and geo-location safeguards via a modified version of the Aadhaar enrollment software, known as ECMP, which is reportedly available illegally for anything between Rs 500 and Rs 2,000.
The ECMP software allows authorized operators to collect biometric data such as iris scans and fingerprints, as well as sensitive private details, such as proof-of-address and date of birth. While the software has baked-in safeguards to ensure such private data doesn’t fall into the wrong hands, the Asia Times report says “material gleaned from group WhatsApp messages of erstwhile private operators and complaints to the UIDAI reveal that the software has been compromised”.
What that means in essence is that it is now possible to bypass the biometric and geo-location safeguards to illegally access the Aadhaar database by simply paying the token amount for the hacked ECMP software. In fact, the modified software has apparently been doing the rounds of the black market since late last year, enabling unscrupulous elements to pose as authorized operators and sign up anyone illegally.
Two cyber-security experts who spoke to Asia Times on the condition of anonymity seemed to agree that the safeguards have been breached for good. According to them, “disabling or ‘spoofing’ the GPS checks gives rise to the possibility of the enrolment happening anywhere in the world, thereby allowing even foreign nationals who have never visited India, to enrol in Aadhaar”, says the report.
The publication says it has sent a list of questions to the CEO of UIDAI, Ajay Bhushan Pandey, and the Chairman, J. Satyanarayana, to better understand what the organization is doing to plug the security loophole. Unfortunately, it doesn’t look like there’s been a response from either up until now.