Skilled hackers disabled security features of Aadhaar enrolment software, circulated hack on WhatsApp
NEW DELHI—The authenticity of the data stored in India’s controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three-month-long investigation by HuffPost India reveals.
The patch—freely available for as little as Rs 2,500 (around $35)—allows unauthorised persons, based anywhere in the world, to generate Aadhaar numbers at will, and is still in widespread use.
Skilled hackers have disabled the security features of the Aadhaar enrolment software and even circulated the hack on WhatsApp, the report said.
Ironically, a ‘patch’ is defined as a set of changes to a computer program or its supporting data designed to update, fix, or improve it. In the case of Aadhaar, however, the patch in question allegedly compromised the whole system, putting the database of over 1 billion citizens at stake and, in a worse scenario, placing about the same number of bank accounts under serious threat as well.
This comes shortly after a petition was filed against UIDAI as well as the central government of India, alleging that the fundamental right to privacy of all Indians with an Aadhaar card has been violated because of Aadhaar data breaches that occurred on numerous occasions.
The hack, which has significant implications for India’s national security, comes at a time when the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.
A patch is a bundle of code used to alter the functionality of a software programme. Companies often use patches for minor updates to existing programmes, but they can also be used for harm by introducing a vulnerability—as in this case.
HuffPost India is in possession of the patch, and had it analysed by three internationally reputed experts, and two Indian analysts (one of whom sought anonymity as he works at a state-funded university), to find that:
- The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.
- The patch disables the enrolment software’s in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.
- The patch reduces the sensitivity of the enrolment software’s iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
The experts consulted by HuffPost India said…