Earlier this year in May, reports emerged that a tampered version of UIDAI’s Aadhaar enrollment software, which bypassed the original software’s security features and allowed any unauthorized person to create an Aadhaar number, was being sold online. UIDAI swiftly denied the reports, but a recent in-depth investigation has revealed that UIDAI’s ‘super-secure’ Aadhaar enrollment software has been hacked and a patch allowing the hack is being sold for just Rs. 2,500.
An 3-month long investigation conducted by Huffington Post India has uncovered the existence of a patch which disables all the critical security features of UIDAI’s official Aadhaar enrollment system and allows any person to create an Aadhaar number, from anywhere in the world.
The patch has been assessed by 3 international and two Indian software security experts, who confirmed it working and the danger it poses. The patch overcomes the biometric authentication protocol of the Aadhaar enrollment software – called the Enrolment Client Multi-Platform – and also reduces the accuracy of the iris recognition system, making it easy to spoof the software with a print-out of an iris, instead of 3D verification, letting anyone other than a certified Aadhaar enrollment operator add new members.
As stated in the original report months ago, it also disables the software’s mandatory GPS feature for tracking the whereabouts of an Aadhaar enrolment center, making it possible to create an Aadhaar ID from any place across the globe. Interestingly, the patch was created using code from older builds of UIDAI’s enrollment software which had multiple security flaws and according to the latest report, it is being widely used across the nation.
Security experts who analyzed the patch revealed that using the patch is as simple as installing any software, and then copy-pasting folders to crack the Aadhaar enrollment system.
Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, and one of the experts consulted by Huffington Post for the investigation said Aadhaar is a high-level target for criminals. “There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile.
“To have any hope of securing Aadhaar, the system design would have to be radically changed,” he added
Huffington Post claims it provided access to the patch to the National Critical Information Infrastructure Protection Centre (NCIIPC), the government body responsible for overseeing Aadhaar security. However, the agency is yet to disclose its findings. UIDAI has not yet commented on the report, nor did it respond to the publication’s questions.