UIDAI's Aadhaar software has been subjected to a lot of criticism, but the Modi-led government has maintained a strong stand supporting UIDAI's database security. Any claim challenging the security of what is turning out to be the golden standard for citizen identification in India cannot be taken lightly and the latest breach demands urgent attention.
HuffPost India discovered a major breach in UIDAI's Aadhaar software that poses a national security threat. A software patch, which is available freely for as low as Rs 2,500, is capable of disabling critical security features of Aadhaar software, which then allows perpetrators to enrol new Aadhaar users.
The patch was analysed by five experts, all of whom confirmed the destructive characteristics of the malicious software. This is a national security-level breach as almost every citizen in India is enrolled in the Aadhaar database.
The software patch, which can be easily installed on a PC, allows a user to bypass the crucial biometric authentication of enrolment operators. Since the malicious software also disables the enrolment software's GPS, 13-digit unique Aadhaar numbers can be generated from anywhere in the world. Finally, the software also makes it easy to manipulate iris-scanning by using a high-resolution photograph, eliminating the need for a registered operator to be physically present.
Making the matters worse, Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, said that fixing the vulnerability would require altering Aadhaar's fundamental structure.
"There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile," Björksten, who analysed the patch for HuffPost India, said. "To have any hope of securing Aadhaar, the system design would have to be radically changed."
Anand Venkatanarayanan, a cybersecurity researcher based in Bengaluru, also analysed the patch and said that it was created by grafting older versions of Aadhaar software on to the newer versions. Venkatanarayanan also shared his findings with NCIIPC government authority, which is responsible for Aadhaar security, but the authorities haven't shared a press statement on the matter yet.
The findings were additionally analysed and confirmed by an international analyst and a professor of Computer Science, and Electrical and Computer Engineering, at Rice University in Houston, Texas, Dan Wallach.
UIDAI dismisses reports of the Aadhar software being hacked.
"Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer," Wallach said.
Even though the software patch doesn't access information stored in the Aadhaar database, it adds new users without legit verifications. Nonetheless, the implications are quite serious as invalidated entries can siphon off rations of multiple people, stripping them of their basic fixed quotas.
Not just ration, any government-related schemes will attract similar dangers, defeating the purpose of having Aadhaar for a myriad of things such as reducing corruption, tracking black money, eliminating fraud and identity theft.
Can this misuse of Aadhaar be confined? The question remains unanswered.