UIDAI Aadhaar Software Hacked, Patch Used For Hacking Sold For Rs 2500, Unauthorised Persons Added To Database
This clearly contradicts the claims made by the Modi govt at the time of making Aadhaar compulsory: reducing corruption, tracking black money, eliminating fraud and identity theft.
The software used by the Unique Identification Authority of India (UIDAI) to enrol new Aadhaar users was hacked using a software ‘patch’ which disabled critical security features of the system.
According to a Huffington Post report, hackers used a patch, which is easily available for a mere Rs 2,500, to make new Aadhaar cards for unauthorised persons around the world. The patch is still valid and in widespread use, at the time of writing this report.
The patch disables several security features, including the inbuilt GPS system and bypasses the need for authentication of the person enrolling for Aadhaar. It also weakens the sensitivity of the iris recognition feature in the software, thereby enabling anyone to use a photograph for the scan instead of having to be present in front of the authorised operator.
“Whomever created the patch was highly motivated to compromise Aadhaar,” said Gustaf Björksten, Chief Technologist at Access Now, an expert consulted by HuffPost.
He added, “There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile. To have any hope of securing Aadhaar, the system design would have to be radically changed.”
Anand Venkatanarayanan, a Bengaluru-based cyber security analyst, said it was possible to create such a patch with the older version of Aadhaar software which had fewer security layers.
Another international analyst, Dan Wallach, confirmed Venkatanarayanan’s findings. “Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer,” Wallach said.
The patch can be installed on a computer just like any other software. After that, using it to hack into the Aadhaar system is described as being as easy as “cut and paste.” The usernames and passwords that are required to log in to the Aadhaar system are sold at merely Rs 2,500.
Security analysts Björksten and Venkatanarayanan say that the hacking done through this patch represents the work of sophisticated, well-trained adversaries, as much time and resources have been invested in it.
Björksten said, “I get the sense that the patch does just the minimum needed. The programmers have cut corners by utilising previous versions of the Aadhaar code. This is a straightforward, business-like, and utilitarian hack.”
“This patch has been created to be used, not just for the purpose of security research, or to highlight the security problems with the Aadhaar system,” he added.
Venkatanarayanan said, “They have used some of the files from earlier versions of the Aadhaar software, which did not have these security features, and they have also made changes that remove other security checks.”
According to the HuffPost investigation, the patch doesn’t allow the hackers to access existing information; its only purpose seems to be to add new unauthorised users to the database.
This clearly contradicts the claims made by the Narendra Modi government at the time of making Aadhaar compulsory: reducing corruption, tracking black money, eliminating fraud and identity theft.
Rajendran Narayanan, Assistant Professor, Azim Premji University, Bengaluru, told HuffPost, “If anybody is able to create an entry in the Aadhaar database, then potentially the person can create multiple Aadhaar cards. Then the same person can siphon off rations of multiple people. Since there are fixed quotas for rations, this would mean that several genuine beneficiaries would be excluded.”
The Narendra Modi government has repeatedly claimed that the Aadhaar system cannot be hacked. At one point, RS Sharma, chairman of the Telecom Regulatory Authority of India (TRAI), posted his Aadhaar number on Twitter and challenged hackers to obtain his personal information using Aadhaar.
However, such security lapses prove that the Aadhaar system is vulnerable. It is high time that the government and UIDAI pull up their socks and address the issue of Aadhaar security.