Channel: CodeSection, Code Section, Cybersecurity - CodeSec

India’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm


NEW DELHI―The authenticity of the data stored in India's controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three-month-long investigation by HuffPost India reveals.

The patch―freely available for as little as Rs 2,500 (around $35)―allows unauthorised persons, based anywhere in the world, to generate Aadhaar numbers at will, and is still in widespread use.

This has significant implications for national security at a time when the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.

A patch is a bundle of code used to alter the functionality of a software programme. Companies often use patches for minor updates to existing programmes, but they can also be used for harm by introducing a vulnerability―as in this case.

HuffPost India is in possession of the patch, and had it analysed by three internationally reputed experts, and two Indian analysts (one of whom sought anonymity as he works at a state-funded university), to find that:

The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.

The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world ― say, Beijing, Karachi or Kabul ― can use the software to enrol users.

The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.

The experts consulted by HuffPost India said that the vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme, which means that fixing it and other future threats would require altering Aadhaar's fundamental structure.

"Whoever created the patch was highly motivated to compromise Aadhaar," said Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, and one of the experts who analysed the patch at HuffPost India's request.

"There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile," Björksten said. "To have any hope of securing Aadhaar, the system design would have to be radically changed."

Bengaluru-based cyber security analyst and software developer Anand Venkatanarayanan, who also analysed the software for HuffPost India and shared his findings with the NCIIPC government authority, said the patch was assembled by grafting code from older versions of the Aadhaar enrolment software―which had fewer security features―onto newer versions of the software.

NCIIPC, or National Critical Information Infrastructure Protection Centre, is the nodal agency responsible for Aadhaar security.

Venkatanarayanan's findings were confirmed by Dan Wallach, Professor of Computer Science, and Electrical and Computer Engineering, at Rice University in Houston, Texas.

"Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer," Wallach said.

The hack reduces the sensitivity of the iris-recognition system in the UIDAI's Aadhaar enrolment software

Indian authorities have declined comment, despite HuffPost India reaching out to both NCIIPC and the Unique Identification Authority of India (UIDAI) on more than one occasion since July this year.

While NCIIPC requested a copy of the patch, which HuffPost India provided in the same month, the agency has declined to share its findings. UIDAI did not respond to HuffPost India's emails.


The genesis of the current hack lies in a decision, made in 2010, to let private agencies enrol users to the Aadhaar system in order to speed up enrolments. That year, Mindtree, a Bengaluru-based company, won a contract to develop an official, standardised enrolment software ― called the Enrolment Client Multi-Platform (ECMP)― that would be installed onto the thousands of computers maintained by these private operators.

Apart from private enrolment agencies, the UIDAI also signed enrolment agreements with "common service centres" ― village-level computer kiosks that help citizens access common e-governance services such as pensions, student scholarships etc. By February 2018, these centres were responsible for enrolling 180 million Indians.

This decision to install the software on each enrolment computer, said cyber security expert Björksten, "puts the running of critical components of Aadhaar in the hands of the enemies of the system".

A more secure choice would have been a web-based system in which all software would be installed on the UIDAI's own servers and enrolment operators would have a user name and password to access the system.

(A useful analogy is the difference between Microsoft Word ― which is installed on computers ― and web-based Google Docs, which is hosted online by Google, and users simply log on to use the service.)

B. Regunath, a software architect who led the team at Mindtree that worked on the project, said a web-based enrolment software for Aadhaar was not practical at the time because many parts of the country had very poor Internet connectivity.

"People were cranking up generators just to light up power and do the enrolment. How can they do an online upload of those packets?" asked Regunath, who has since moved to a senior technical position at Flipkart.

"We launched and issued the first Aadhaar card just three months after being selected," Regunath said, recalling that the launch was done urgently to meet a publicly announced deadline, without all the software features in place.

To compensate for handing effective control of the enrolment process to thousands of operators scattered across the country, Regunath's team added security features to the software ― most prominently, a feature that required all operators to log in to the software by first providing their own fingerprint or iris scan. Any laptop being used had to first be registered with the UIDAI as well.
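To make the design point in the preceding paragraphs concrete, here is an added toy model, written for this article and not UIDAI's or Mindtree's code, with hypothetical names, registries, key and coordinates. A genuine client runs the operator-biometric and GPS checks on the laptop and then merely asserts that they passed; a "patched" subclass short-circuits those checks and reports a spoofed location, which is the general shape of the bypass the experts describe. A server that trusts the client's own assertion accepts the resulting packet; a server that authenticates the operator itself and binds operator and laptop into a token only it can mint does not.

```python
"""Toy model (added for this article, not UIDAI's or Mindtree's code) of why
checks enforced only inside a client-installed enrolment program can be
patched out, and what a server-side design has to re-verify itself.
All identifiers, the key and the coordinates are constructed sample data."""
import hashlib
import hmac
import math
from dataclasses import dataclass

# --- Hypothetical server-side state -----------------------------------------
SERVER_SECRET = b"server-only-secret"          # never shipped to enrolment laptops
REGISTERED_OPERATORS = {"op-001": {"iris": "IRIS-OP-001", "centre": "centre-42"}}
REGISTERED_LAPTOPS = {"laptop-7": "centre-42"}
CENTRE_LOCATION = {"centre-42": (28.6139, 77.2090)}   # sample coordinates, New Delhi
MAX_DISTANCE_KM = 5.0


@dataclass
class Packet:
    """Enrolment packet as uploaded by a client."""
    operator_id: str
    laptop_id: str
    lat: float
    lon: float
    resident: str
    client_checks_passed: bool = False   # claim made by the client itself
    session_token: str = ""              # proof that the server authenticated the operator


def distance_km(a, b):
    """Equirectangular approximation; accurate enough for a radius check."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    x = (lon2 - lon1) * math.cos((lat1 + lat2) / 2)
    return 6371.0 * math.hypot(x, lat2 - lat1)


class EnrolmentClient:
    """Genuine client: biometric and GPS checks run locally, then the client
    asserts that they passed."""
    def __init__(self, operator_id, laptop_id, lat, lon, local_iris_template, centre):
        self.operator_id, self.laptop_id = operator_id, laptop_id
        self.lat, self.lon = lat, lon
        self.local_iris_template = local_iris_template   # template held on the laptop
        self.centre = centre

    def operator_biometric_ok(self, iris_scan):
        return iris_scan == self.local_iris_template

    def gps_ok(self):
        return distance_km((self.lat, self.lon), CENTRE_LOCATION[self.centre]) <= MAX_DISTANCE_KM

    def enrol(self, iris_scan, resident):
        if not (self.operator_biometric_ok(iris_scan) and self.gps_ok()):
            raise PermissionError("local security check failed")
        return Packet(self.operator_id, self.laptop_id, self.lat, self.lon,
                      resident, client_checks_passed=True)


class PatchedClient(EnrolmentClient):
    """Models a patched client: checks are short-circuited, and because the
    client writes the packet it can also report whatever location it likes."""
    def operator_biometric_ok(self, iris_scan):
        return True

    def gps_ok(self):
        return True

    def enrol(self, iris_scan, resident):
        self.lat, self.lon = CENTRE_LOCATION[self.centre]   # spoofed coordinates
        return super().enrol(iris_scan, resident)


def trusting_server_accepts(p):
    """Design A: the server believes the client's own assertion."""
    return p.client_checks_passed


def issue_session_token(operator_id, iris_scan, laptop_id):
    """Design B, login step: the server matches the operator's iris against its
    own registry and binds operator and laptop into an HMAC token. A client
    without SERVER_SECRET cannot mint one, however it has been patched."""
    op = REGISTERED_OPERATORS.get(operator_id)
    if op is None or iris_scan != op["iris"] or REGISTERED_LAPTOPS.get(laptop_id) != op["centre"]:
        return ""
    return hmac.new(SERVER_SECRET, f"{operator_id}|{laptop_id}".encode(), hashlib.sha256).hexdigest()


def verifying_server_accepts(p):
    """Design B, upload step: ignore client_checks_passed and re-check everything
    the server can verify for itself."""
    op = REGISTERED_OPERATORS.get(p.operator_id)
    if op is None or REGISTERED_LAPTOPS.get(p.laptop_id) != op["centre"]:
        return False
    expected = hmac.new(SERVER_SECRET, f"{p.operator_id}|{p.laptop_id}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p.session_token):
        return False
    # Location is still client-reported, so this only catches careless clients;
    # the binding that holds against a patched client is the token above.
    return distance_km((p.lat, p.lon), CENTRE_LOCATION[op["centre"]]) <= MAX_DISTANCE_KM


def demo():
    genuine = EnrolmentClient("op-001", "laptop-7", 28.61, 77.21, "IRIS-OP-001", "centre-42")
    patched = PatchedClient("op-001", "laptop-7", 34.53, 69.17, "IRIS-OP-001", "centre-42")
    good = genuine.enrol("IRIS-OP-001", "resident A")
    good.session_token = issue_session_token("op-001", "IRIS-OP-001", "laptop-7")
    forged = patched.enrol("photo-of-operator", "resident B")      # operator not present
    forged.session_token = issue_session_token("op-001", "photo-of-operator", "laptop-7")
    return {
        "trusting_accepts_forged": trusting_server_accepts(forged),
        "verifying_accepts_forged": verifying_server_accepts(forged),
        "verifying_accepts_genuine": verifying_server_accepts(good),
    }
```

The point the model makes is the one behind the "web-based" recommendation: a flag, a biometric match or a GPS fix computed on a machine the adversary controls is an assertion, not evidence, and a patched client can emit any assertion it likes. Only a check the server performs with state the client never sees (here, the operator match and the keyed token) survives that client being modified.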

"We added a feature to check if the operator is certified, fixed people meddling with the system, we added a feature to check if the enrolm
