- Aadhaar enrolment software can be subverted with a patch that allows new Aadhaar users to be added.
- The patch disables critical security features in the Aadhaar enrolment software.
- The software patch was discovered through an investigation conducted by HuffPost India.
- The patch was analysed and verified by three internationally reputed experts and two Indian analysts.
- The patch was available for just Rs 2,500.
A software patch has been discovered that can be used to disable critical security features of the software used to enrol new Aadhaar users.
According to the three-month investigation conducted by HuffPost India, the patch is easily available for Rs 2,500 (around $35) and can be used by attackers to compromise the Aadhaar database, which contains biometrics and personal information of over 1 billion Indians.
“Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three-month-long investigation by HuffPost India reveals.”
The patch allows attackers to generate the unique 12-digit Aadhaar number from anywhere in the world and is still in widespread use.
It also disables the enrolment software's built-in GPS security, which is used to detect the physical location of every enrolment centre. As a result, any person anywhere in the world can use the software to enrol a new user.
The patch also reduces the sensitivity of the iris-recognition software in the system, so that an attacker can trick the system with a photograph of the registered user.
HuffPost said that the patch was analysed and verified by three internationally reputed experts, and two Indian analysts.
“Whoever created the patch was highly motivated to compromise Aadhaar. There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile,” said Gustaf Björksten, Chief Technologist at Access Now, who was one of the researchers who analysed the patch.
In 2010 the government decided to let private agencies enrol new users into Aadhaar and developed a standardised enrolment software called the Enrolment Client Multi-Platform (ECMP).
The software is installed on each enrolment centre computer, which puts critical components of the Aadhaar system at risk: every security check the client enforces locally can be altered by whoever controls that computer.
The Aadhaar patch, along with the username and password required to log in to the UIDAI's enrolment gateway, is available for just Rs 2,500.
Buyers are asked to make the payment through mobile wallets linked to phone numbers that are discarded immediately after the transaction succeeds.
Installing the patch is as simple as installing the enrolment software on a PC; after that, the buyer only needs to replace some Java library files using cut-and-paste commands.
Once the patch is installed, the critical security features of the enrolment software are disabled: operators no longer need to provide their fingerprint to authenticate and use the software.
The GPS function is disabled, and the sensitivity of the iris scanner is reduced. The patch also allows a single operator to be logged in on multiple systems at the same time.
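The behaviours just described (one operator active on several machines at once, and enrolment packets arriving from far outside the registered centre) are visible to the enrolment gateway even when the client's own checks have been patched out. The following is an added illustration, not code from HuffPost India or UIDAI: it runs two server-side detections over constructed audit events whose fields (operator id, station id, timestamp, reported latitude/longitude) and centre coordinates are assumptions for the example.

```python
# Added example: gateway-side detection that does not trust the enrolment client.
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample data: registered centre coordinates (lat, lon) keyed by station id.
CENTRES = {"STN-A": (28.6139, 77.2090), "STN-B": (19.0760, 72.8777)}

# Constructed audit events as the gateway would record them (not real UIDAI logs):
# (operator id, station id, login time, reported lat, reported lon).
EVENTS = [
    ("OP-1", "STN-A", "2018-06-01T09:00:00", 28.6140, 77.2091),
    ("OP-1", "STN-B", "2018-06-01T09:03:00", 19.0761, 72.8778),  # same operator, 3 min later, other city
    ("OP-2", "STN-A", "2018-06-01T10:00:00", 12.9716, 77.5946),  # packet claims a position ~1,740 km from STN-A
    ("OP-3", "STN-B", "2018-06-01T11:00:00", 19.0762, 72.8779),
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def geofence_violations(events, centres, max_km=5.0):
    """Enrolments whose reported position is farther than max_km from the registered centre."""
    out = []
    for op, stn, _, lat, lon in events:
        d = haversine_km((lat, lon), centres[stn])
        if d > max_km:
            out.append((op, stn, d))
    return out

def concurrent_sessions(events, window=timedelta(hours=1)):
    """Operators seen logging in on two different stations within one session window."""
    out, seen = [], {}
    for op, stn, ts, _, _ in sorted(events, key=lambda e: e[2]):
        t = datetime.fromisoformat(ts)
        for prev_stn, prev_t in seen.get(op, []):
            if prev_stn != stn and t - prev_t < window:
                out.append((op, prev_stn, stn))
        seen.setdefault(op, []).append((stn, t))
    return out

if __name__ == "__main__":
    print("geofence:", geofence_violations(EVENTS, CENTRES))
    print("concurrent:", concurrent_sessions(EVENTS))
```

Both checks are enforced where the patched client cannot reach them, which is the point of the experts' remark that the weakness lies in trusting the enrolment client in the first place.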
According to a former Aadhaar enrolment operator, operators were paid only Rs 30 per enrolment, and many started using the patch to make more money. He said he had not used the patch himself but had notified the UIDAI CEO and others about it.
Björksten said that the patch contained some files from an earlier version of the Aadhaar software that lacked many security features, and that it also made changes to remove other security features.
The researchers also said that the changes made are specific and targeted. The patch does not give read access to the database, but it can be used to add new records to it.
This means attackers can use the patch to create a fake identity or multiple Aadhaar cards.
“If anybody is able to create an entry in the Aadhaar database, then potentially the person can create multiple Aadhaar cards. Then the same person can siphon off rations of multiple people. Since there are fixed quotas for rations, this would mean that several genuine beneficiaries would be excluded,” said Rajendran Narayanan, Assistant Professor, Azim Premji University, Bengaluru, through HuffPost.
HuffPost said it had notified the NCIIPC (National Critical Information Infrastructure Protection Centre), the nodal agency responsible for Aadhaar security, several times this year since June.
NCIIPC responded by requesting a copy of the patch, which HuffPost provided immediately.
However, NCIIPC declined to share its findings, and UIDAI also refused to respond.
The experts told HuffPost India that “The vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme, which means that fixing it and other future threats would require altering Aadhaar’s fundamental structure.”