The security of India's famed Aadhaar is in the news again.
According to the latest investigation from Huffington Post, a software patch selling for as little as Rs 2,500 could offer unauthorised people access to billions of pieces of Aadhaar-related data.
For the layman, a patch in this context is a piece of software that disables critical features. In this case, the patch disables the security features of the Aadhaar enrolment software, thereby compromising the biometric and personal data of over a billion Indians.
The investigation lays bare the security features promised by the UIDAI and raises several questions critical to national security and interests.
The latest report is authored by Rachna Khaira, a journalist who in her previous association with The Tribune had reported on access to Aadhaar made available for Rs 500. That story had stirred a hornet's nest.
In the latest report, experts analysing the software patch highlighted characteristics of the controversial database.
Firstly, the patch allows enrollment centers to completely bypass the mandatory biometric authentication. It thereby enables a user to generate unique Aadhaar numbers independently.
The patch allows individuals to use the software anywhere in the world by disabling the enrollment software’s mandatory GPS feature.
Worse, it makes spoofing iris scanning easier, allowing an enrollment operator to use a photograph for the iris scan rather than requiring an applicant to be physically present.
The use of such a patch raises concerns of national security, since a breach of this kind is massive and allows direct entry into and manipulation of a database. Considering that the database has been marked integral to the public distribution system and holds sensitive and personally identifiable information of nearly the entire Indian population, the security breach is scary.
What appears worse is the fact that a number of banks, mobile service providers and health records utilize the Aadhaar database.
Although the usage of the term "hack" makes it a scary proposition, especially for those who have shared their critical details with the Aadhaar system, the report concedes that the tool may be used only to add new information to already present data and not to steal information.
That is, hackers gaining access to your data may manipulate your details and also enroll newer Aadhaar numbers based on data that you have already furnished.
So far, there is no official communication from UIDAI or TRAI officials. Recent cases involving Aadhaar's security concerns have more or less led to officials swearing by its security. Be it TRAI's Chief RS Sharma, UIDAI's CEO Ajay Bhushan Pandey, or the IT minister, most have defended Aadhaar's security.
This hack has demonstrated the possibility of entering the enrolment database, manipulating the data contained within it and enrolling new Aadhaar numbers.
The report quotes technology experts in conceding that the manipulation creates a set of newer problems, ones that could defeat Aadhaar's purported aims, such as reducing corruption, eliminating fraud and identity theft.
By allowing in hackers and manipulators, the report concedes, Aadhaar's database could be "vulnerable to the same problems of ghost entries as any other government database."
A ToI report published a year ago said enrollment centers had resorted to unjust practices such as overcharging for an enrollment.
According to the report, applicants were charged fees as high as Rs 200 per enrollment. The UIDAI subsequently said it had blacklisted 49,000 operators.
An official response on the patch from the ministry or officials from UIDAI is awaited.
I told you https://t.co/PIpK48tyIX — Elliot Alderson (@fs0c131y) September 11, 2018