Major security breach: Aadhaar software and user-database hacked
Ever since its inception, Aadhaar has faced one security issue after another. Now, after a three-month-long investigation, HuffPost India has found another security breach, and this one has explosive implications. The publication found that an easily and cheaply available patch could be used to bypass Aadhaar's enrolment security checks, thereby potentially allowing anyone to generate an Aadhaar number. Here are finer details.
HuffPost's findings have been confirmed by international experts
HuffPost India found a patch, available for as little as Rs. 2,500, that could be used to circumvent security checks for Aadhaar enrolment. Notably, the publication had the patch analyzed by three internationally renowned security experts, who confirmed that it could be used to circumvent the system. The result? Unauthorized people, based anywhere in the world, can use the patch to generate Aadhaar numbers.
How the patch dilutes Aadhaar enrolment software's security checks
The dilution of security features comes in three forms. First, the patch eliminates the need for Aadhaar enrolment operators to verify their identities using their biometrics. Second, the patch disables the Aadhaar enrolment software's in-built GPS, allowing anyone in the world to generate IDs. Third, it reduces the software's iris-recognition system's sensitivity, thereby allowing malicious actors to fool the system using high-resolution photographs.
The patch is easily available and in widespread use
HuffPost further found that the patch, along with usernames and passwords required to login to the UIDAI's enrolment gateway, were sold for as little as Rs. 2,500 on thousands of WhatsApp groups. The publication also noted that the patch is still in widespread use, and many unauthorized enrolment operators currently use it to make some extra cash.
The problem originates from decisions taken in 2010
However, it's worth noting that the genesis of the problem lies in decisions taken back in 2010, which allowed private actors and common service centres (CSCs) to enrol users to the Aadhaar system. Owing to the lack of good internet connectivity, the UIDAI allowed Aadhaar enrolment software to be installed on each enrolment computer, which allowed malicious actors access to critical components of Aadhaar.
End-point access to private actors resulted in the vulnerability
"Many cyber hacks happen on account of endpoint vulnerabilities. And by opening up the national identity database to private actors for easy on-boarding, the powers that be have exponentially heightened security threats," said Anand Padmabhan from the Centre of Policy Research.
A web-based service would have been more secure
A more secure choice, experts say, would have been a web-based system wherein the enrolment software would be installed on UIDAI's own servers, and enrolment agents would be given access via a username and password (for instance, like Google Docs is hosted on the web). However, the UIDAI did not have that option back then owing to poor internet connectivity in rural areas.
The identity of the hacker(s) remains unknown
The next question, obviously, is who did it. Well, while no person or organization has been identified yet, experts say that the patch was sophisticated, indicating well-trained adversaries. Additionally, the "straightforward, business-like, and utilitarian hack" was precise and targeted, and experts think it's likely to be the work of several coders, rather than one. Beyond that, not many details are known as of now.
Possibility of ghost entries negates the purpose of Aadhaar
Another odd feature of the hack is that, instead of seeking access to information (which is normally the case), the patch allows information to be on-boarded to the Aadhaar database. This, experts believe, creates a new host of problems for the UIDAI as it compromises the integrity of the entire system and makes it vulnerable to ghost entries, thereby negating Aadhaar's entire purpose.
