UIDAI Aadhaar software hacked using a patch that disabled critical security: Report

Update: The UIDAI has responded to these allegations and the copy has been updated accordingly. The Unique Identification Authority of India (UIDAI) will have some more questions to answer, now that yet another security flaw has been discovered. According to an investigation by HuffPost India, the UIDAI Aadhaar software used to enrol new users, and get them into the Aadhaar database, may have been subjected to a hack using a software patch that disabled critical security features. This software patch is reportedly available for as low as Rs 2,500 and allows unauthorised people to login as Aadhaar enrolment operators to register anyone and generate Aadhaar numbers, irrespective of the location from where the software is accessed. [caption id=“attachment_4645531” align=“alignnone” width=“1024”] Woman using an iris scanner for UIDAI Aadhaar registration. Image: Reuters[/caption] This software patch basically compromises the inbuilt security features on the Aadhaar enrolment software on three fronts. First, it bypasses the need for authentication of the person using the software to enrol new people. Secondly, the patch disables the software’s inbuilt GPS security feature, letting anyone from anywhere access this software and enrol people. And finally, the patch reduces the sensitivity of the Aadhaar enrolment software’s iris recognition feature, thereby making it easier to manipulate the software using a photograph of the registered operator. HuffPost India consulted with five experts to analyse and confirm the working mechanism of the patch. To prevent any more violations of the Aadhaar enrolment software via this patch, the entire enrolment system would have to be redesigned according to one expert. The report states that the vulnerability may have been inserted in the patch, during the time when Aadhaar enrolment software was used by private agencies to enrol people. According to a software architect at MindTree, a Bengaluru-based firm who worked on making the first Aadhaar enrolment software, which would be used by private Aadhaar operators registering citizens. Security measures such as biometric authentication, GPS location and more were added to the software back in 2010. But subsequent software patches introduced vulnerabilities around 2017 which would bypass these security measures. The UIDAI has responded to these allegations by saying: “Unique Identification Authority of India dismisses a news report appearing in social & online media about Aadhaar Enrolment Software being allegedly hacked as completely incorrect and irresponsible. The claims lack substance and are baseless”.

#PressStatement
UIDAI hereby dismisses a news report appearing in social and online media about Aadhaar Enrolment Software being allegedly hacked as completely incorrect and irresponsible. 1/n

— Aadhaar (@UIDAI) September 11, 2018

You can read the complete investigation on HuffPost India. This is yet another addition to the various vulnerabilities we have seen with regards to the Aadhaar database.

Earlier this year, in an investigation conducted by The Tribune, found that access to Aadhaar databases was easily available. With a payment of Rs 500 made online, the investigating team were **able to obtain a 'Login ID and username' to a portal** which allowed all particulars listed under any given Aadhaar number to be accessed. The anonymous ‘agents’ running the racket were found to be operating on personal chat platforms such as WhatsApp to get in touch with potential buyers. In another instance, an RTI query pushed UIDAI to reveal that about  **210 government websites made**  the Aadhaar details of people with Aadhaar, public on the internet. The report pointed out that the data was removed from the websites but it did not mention about the time frame of the leak of the data. We all know about the many instances where French security researcher going by the name, Elliot Alderson (after the protagonist character in the hacker drama Mr Robot), **revealing flaws in the mAadhaar app** which had left potential loopholes for hackers to access Aadhaar database using the demographic data. You can get a complete lowdown on all the **various instances of Aadhaar database being hacked** and what were the consequences of each of these hacks. Most recently, TRAI chief RS Sharma had dared a Twitter user to cause him harm and **promptly published his Aadhaar card number online** . A lot of online users had a field day misusing Sharm’s Aadhaar number to leak his **personal details** , **threaten his daughter** and even order OnePlus 6 with a cash on delivery option to Sharma’s residence. Sharma still maintains that no harm was caused to him, but UIDAI later released a statement asking the general public to **avoid sharing their Aadhaar number online.** In each of the case where Aadhaar database was compromised, the standard response from the UIDAI has been that **Aadhaar database is secure** as the biometric data isn’t hacked.