On September 11, 2018, Huffington Post India published an article titled “UIDAI’s Aadhaar software hacked, ID database compromised, Experts confirm”. UIDAI has since released a press statement saying that the claims made by HuffPost ‘lack substance and are baseless’.
The HuffPost article — co-authored by Rachna Khaira, Gopal Sathe and HuffPost India Editor-in-Chief, Aman Sethi — said that the Aadhaar database has been compromised.
According to the article, this was done with a software patch that disables important security features of Aadhaar’s enrollment software. The patch is available for as little as $35 or INR 2500, and it can be used by anyone to generate Aadhaar numbers at will.
The claims made by the authors of the article are backed by Gustaf Bjorksten, the Chief Technologist at Access Now, and Anand Venkatanarayanan, who is a Bengaluru-based cyber security analyst and software developer.
Both security experts analysed the patch and confirmed that it poses a security risk.
Dan Wallach, Professor of Computer Science and Electrical and Computer Engineering at Rice University in Houston, Texas, confirmed Venkatanarayanan’s findings.
According to the Huffpost article:
“The software patch is unusual in that it doesn’t seek to access information stored in the Aadhaar database, but rather looks to introduce information into it.
This, experts said, creates a whole new set of problems and could defeat many of Aadhaar’s purported aims, such as reducing corruption, tracking black money, eliminating fraud and identity theft. It also means that the Aadhaar database is vulnerable to the same problems of ghost entries as any other government database.”
Not the first time this security issue has been pointed out
This isn’t the first time that this security issue with UIDAI’s Aadhaar project has been pointed out. A report by Saikat Datta for Asia Times dated May 1, 2018, talks about the Aadhaar enrollment software being compromised.
According to the Asia Times article:
“WhatsApp messages of erstwhile private operators and complaints to the UIDAI reveal that the software has been compromised. This allows illegal access to the Aadhaar database by bypassing the biometric and geo-location safeguards.
Messages posted in several WhatsApp groups among Punjab-based operators began to surface at the end of last year, offering to sell a “jailbreak” version of the software. This version, to be installed on the laptops of anyone willing to pay the amount, could bypass the biometric and geo-location safeguards.”
UIDAI is riding the same ignorance train it has been on for years now, and has released a press statement that basically says the Aadhaar system is unhackable and that everyone who says otherwise is lying and part of the people with ‘vested interests’.
“UIDAI hereby dismisses a news report appearing in social and online media about Aadhaar Enrolment Software being allegedly hacked as completely incorrect and irresponsible,” UIDAI said in their statement to the press.
“The claims lack substance and are baseless. UIDAI further said that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted.”
They go on to describe the stringent measures taken to ensure that no fake Aadhaar cards are issued, stating that ‘no operator can make or update Aadhaar unless the resident himself gives his biometrics’. Yet the operator biometric authentication that this safeguard relies on is precisely what the reported software patch bypasses.
This adds to a list of issues that UIDAI’s Aadhaar has faced related to security and privacy of those who are being enrolled, especially because the government has pushed citizens to link their Aadhaar number to bank accounts, mobile numbers and more.
While the patched software cannot access existing records, it can create fake new ones, which could be used for anything from illegal immigration to opening bank accounts under a fake identity.
Not to forget, all this while, UIDAI still hasn’t been able to prove the validity of the Aadhaar card in the Supreme Court of India, which earlier this year ruled against it being mandatory.
The entire press statement by UIDAI is as follows:
UIDAI hereby dismisses a news report appearing in social and online media about Aadhaar Enrolment Software being allegedly hacked as completely incorrect and irresponsible.
The claims lack substance and are baseless. UIDAI further said that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted.
Claims made in the report about Aadhaar being vulnerable to tampering leading to ghost entries in Aadhaar database by purportedly bypassing operators’ biometric authentication to generate multiple Aadhaar cards is totally baseless.
The report itself accepts that “it (patch) doesn’t seek to access information stored in the Aadhaar database”.
Its further claim “to introduce information” into Aadhaar database is completely unfounded as UIDAI matches all the biometric (10 fingerprints and both iris) of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing an Aadhaar.
All necessary safeguard measures are taken, spanning from providing standardized software that encrypts entire data even before saving to any disk, protecting data using tamper proofing, identifying every one of the operators in “every” enrolment, and identifying every one of thousands of machines using a unique machine registration process, which ensures every encrypted packet is tracked.
Full measures are taken to ensure end-to-end security of resident data, spanning from full encryption of resident data at the time of capture, tamper resistance, physical security, access control, network security, stringent audit mechanism 24×7 security and fraud management system monitoring, and measures such as data partitioning and data encryption within UIDAI controlled data centres.
It is further clarified that no operator can make or update Aadhaar unless the resident himself gives his biometrics.
Any enrolment or update request is processed only after the biometrics of the operator are authenticated and the resident’s biometrics are de-duplicated at the backend of the UIDAI system.
As part of our stringent enrolment & updation process, UIDAI checks enrolment operator’s biometric and other parameters before processing of the enrolment or updates and only after all checks are found to be successful, enrolment or update of resident is further processed.
Therefore it is not possible to introduce ghost entries into Aadhaar database.
Even in a hypothetical situation where, by some manipulative attempt, essential parameters such as the operator’s biometrics or the resident’s biometrics are not captured or are blurred, and such a ghost enrolment/update packet is sent to UIDAI, the same is identified by the robust backend system of UIDAI, and all such enrolment packets get rejected and no Aadhaar is generated.
Also, the concerned enrolment machines and the operators are identified, blocked and blacklisted permanently from the UIDAI system. In appropriate cases, police complaints are also filed for such fraudulent attempts.
Similar allegations were also made before the Hon’ble Supreme Court during hearing of the Aadhaar case before the Constitution Bench which were then adequately responded by the UIDAI in the Hon’ble Supreme Court.
The reported claim that “anybody is able to create an entry into Aadhaar database, then the person can create multiple Aadhaar cards” is completely false. Some of the checks include the biometric check of the operator, validity of the operator, enrolment machine, enrolment agency, registrar, etc., which are verified at UIDAI’s backend system before further processing. In cases where any of the checks fails, the enrolment request gets rejected, and therefore any claim of creating multiple Aadhaar and compromising the database is false.
If an operator is found violating UIDAI’s strict enrolment and update processes, or if one indulges in any type of fraudulent or corrupt practices, UIDAI blocks and blacklists them and imposes a financial penalty of up to Rs.1 lakh per instance.
It is because of this stringent and robust system that as on date more than 50,000 operators have been blacklisted, UIDAI added.
We keep adding new security features in our system as required from time-to-time to thwart new security threats by unscrupulous elements.
People are also advised to approach only the authorized Aadhaar enrolment centres in bank branches, post offices and Government offices for their enrolment/updation, so that their enrolment/updation is done only on authorized machines and their efforts do not get wasted because of rejection of their enrolments or updates.
The list of authorised Aadhaar Kendra is available on the UIDAI website.
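The dispute above comes down to one engineering question: does the operator biometric check live only inside the enrolment client (where a patched binary can simply skip it), or does the backend independently verify that the operator was authenticated before it accepts a packet? The following is an added illustration of that distinction and is not UIDAI’s code or protocol. It assumes a hypothetical operator-authentication service that issues an HMAC-tagged token only after matching the operator’s biometrics itself, a hypothetical machine registry, and constructed packets; the key, identifiers and field names are all made up for the example.

```python
import hashlib
import hmac
import json

# Constructed example (not UIDAI's protocol or code). The key stands in for a secret
# held only by a hypothetical operator-authentication service; the enrolment client
# never sees it, so a patched client cannot mint a token the backend will accept.
AUTH_SERVICE_KEY = b"example-only-secret-do-not-reuse"

# Hypothetical machine registry: registered machine id -> operator authorised on it.
REGISTERED_MACHINES = {"MACH-0001": "OP-4242"}

TOKEN_MAX_AGE_SECONDS = 3600


def _token_tag(operator_id, machine_id, issued_at, key):
    """HMAC over (operator, machine, time) so the token cannot be re-bound or replayed."""
    msg = json.dumps([operator_id, machine_id, issued_at], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_operator_token(operator_id, machine_id, issued_at, key=AUTH_SERVICE_KEY):
    """Issued by the authentication service only after it has verified the operator's
    biometrics itself; the client merely carries the result."""
    return {
        "operator_id": operator_id,
        "machine_id": machine_id,
        "issued_at": issued_at,
        "tag": _token_tag(operator_id, machine_id, issued_at, key),
    }


def client_gate(packet, patched=False):
    """The check inside the enrolment software. It trusts a flag in the packet, and a
    patched client skips it entirely, so passing it proves nothing to the backend."""
    if patched:
        return True
    return packet.get("operator_biometric_verified") is True


def backend_validate(packet, now, key=AUTH_SERVICE_KEY):
    """Server-side acceptance check that ignores client-asserted flags.
    Returns (accepted, list_of_rejection_reasons)."""
    reasons = []
    machine_id = packet.get("machine_id")
    operator_id = packet.get("operator_id")

    if REGISTERED_MACHINES.get(machine_id) != operator_id:
        reasons.append("machine not registered to this operator")

    token = packet.get("operator_token")
    if not isinstance(token, dict):
        reasons.append("no operator authentication token")
    else:
        expected = _token_tag(token.get("operator_id"), token.get("machine_id"),
                              token.get("issued_at"), key)
        if not hmac.compare_digest(expected.encode(), str(token.get("tag", "")).encode()):
            reasons.append("operator token tag invalid")
        elif token["operator_id"] != operator_id or token["machine_id"] != machine_id:
            reasons.append("operator token bound to a different operator or machine")
        elif not (0 <= now - token["issued_at"] <= TOKEN_MAX_AGE_SECONDS):
            reasons.append("operator token expired or from the future")

    if not packet.get("resident_biometrics"):
        reasons.append("resident biometrics missing")

    return (not reasons, reasons)


# Constructed packets: a genuine enrolment, and one from a patched client that asserts
# the operator check passed and forges a token without knowing the service key.
NOW = 1_700_000_000
GENUINE_PACKET = {
    "machine_id": "MACH-0001",
    "operator_id": "OP-4242",
    "operator_biometric_verified": True,
    "operator_token": issue_operator_token("OP-4242", "MACH-0001", NOW - 60),
    "resident_biometrics": {"fingerprints": 10, "iris": 2},
}
PATCHED_PACKET = {
    "machine_id": "MACH-0001",
    "operator_id": "OP-4242",
    "operator_biometric_verified": True,  # asserted by the client, never verified
    "operator_token": {"operator_id": "OP-4242", "machine_id": "MACH-0001",
                       "issued_at": NOW, "tag": "00" * 32},  # forged, wrong tag
    "resident_biometrics": {"fingerprints": 10, "iris": 2},
}

if __name__ == "__main__":
    print("patched client gate:", client_gate(PATCHED_PACKET, patched=True))
    print("backend on genuine packet:", backend_validate(GENUINE_PACKET, NOW))
    print("backend on patched packet:", backend_validate(PATCHED_PACKET, NOW))
```

The point of the example is the asymmetry: the patched client waves its own packet through, but the backend rejects it because the only evidence of operator authentication it accepts is a tag that requires a key the client never held. A backend that instead trusted the `operator_biometric_verified` flag would be exactly as strong as the client binary, which is what a cheap patch defeats.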