UIDAI’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm
NEW DELHI—The authenticity of the data stored in India's controversial Aadhaar identification database, which includes biometrics and personal information of more than 1 billion Indians, has been compromised by a software patch that is intended to be used to enrol new Aadhaar users.
The patch, freely available for Rs 2,500 (about $35), allows unauthorized individuals to generate Aadhaar numbers from anywhere in the world, and is still in widespread use.
This has a significant impact on national security at a time when the Government of India has sought to establish Aadhaar as the gold standard for citizen identity, and it is mandatory for everything from using a mobile phone to accessing a bank account.
A patch is a bundle of code used to change the functionality of a software program. Companies often use patches for minor updates to existing programs, but, as in this case, they can also be used to create a vulnerability and cause harm.
"Whomever created the patch was highly motivated to compromise Aadhaar," said Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, and one of the experts who analysed the patch at HuffPost India's request.
"There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile," Björksten said. "To have any hope of securing Aadhaar, the system design would have to be radically changed."
Bengaluru-based cyber security analyst and software developer Anand Venkatanarayanan, who also analysed the software for HuffPost India and shared his findings with the NCIIPC government authority, said the patch was assembled by grafting code from older versions of the Aadhaar enrolment software—which had fewer security features—onto newer versions of the software.
NCIIPC, or National Critical Information Infrastructure Protection Centre, is the nodal agency responsible for Aadhaar security.
"Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer," Wallach said.