Aadhaar: Patch Selling for Rs2,500 Allows Record Manipulation and Generation of UID at Will, Says Report
Moneylife Digital Team 11 September 2018
A software patch, readily available for as little as Rs2,500, allows unauthorised persons based anywhere in the world to generate Aadhaar numbers at will, and is still in widespread use, says a report from HuffPost India.
 
A three-month-long investigation by HuffPost India reveals that the authenticity of data stored in the controversial Aadhaar identity database, which contains biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users.
 
According to the report, by Rachna Khaira, Aman Sethi and Gopal Sathe, HuffPost India is in possession of the patch. It was analysed by three internationally reputed experts and two Indian analysts, one of whom sought anonymity as he works at a state-funded university. After analysing the patch, the experts confirmed that the Unique Identification Authority of India (UIDAI)'s Aadhaar software has been hacked and that the ID database is compromised.
 
The experts said that the vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme, which means that fixing it and other future threats would require altering Aadhaar's fundamental structure. 
 
"Whoever created the patch was highly motivated to compromise Aadhaar," said Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, and one of the experts who analysed the patch at HuffPost India's request.
 
"There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile," Björksten said. "To have any hope of securing Aadhaar, the system design would have to be radically changed."
 
Bengaluru-based cyber security analyst and software developer Anand Venkatanarayanan, who also analysed the software for HuffPost India and shared his findings with the National Critical Information Infrastructure Protection Centre (NCIIPC), told the portal that the patch was assembled by grafting code from older versions of the Aadhaar enrolment software, which had fewer security features, onto newer versions of the software.
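The failure mode described above, a client assembled from modules of different releases so that weaker old code replaces newer checks, is generic to any system that trusts a remotely installed client. The example below is added here to illustrate it; it is not code from UIDAI, HuffPost India or the analysts quoted, and every module name, module body, version string and key in it is constructed for the illustration. It models each release as a set of named modules, records a server-authenticated manifest of the digests shipped together, and flags a client in which some modules have been swapped for an older build.

```python
"""Added example: detecting a client 'grafted' together from modules of
different releases by comparing every module against the manifest of the
release it claims to be. All data here is constructed for illustration and
does not describe the real Aadhaar enrolment software."""
import hashlib
import hmac
import json

# Constructed releases: module name -> bytes of the module as shipped.
# The v1 modules stand in for the "older versions with fewer security
# features" the report describes; v3 for the current build.
RELEASE_V3 = {
    "gps_check": b"gps_check v3: refuse to enrol without a live GPS fix",
    "operator_auth": b"operator_auth v3: operator must present biometrics",
    "packet_encrypt": b"packet_encrypt v3: encrypt the enrolment packet",
}
RELEASE_V1 = {
    "gps_check": b"gps_check v1: GPS fix optional",
    "operator_auth": b"operator_auth v1: operator password only",
    "packet_encrypt": b"packet_encrypt v1: encrypt the enrolment packet",
}

# Hypothetical key held only by the server that authenticates manifests.
SERVER_KEY = b"example-manifest-key-not-a-real-secret"


def module_digest(data: bytes) -> str:
    """SHA-256 of a module's bytes, used as its identity in the manifest."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(release: dict, version: str, key: bytes) -> dict:
    """Record, server side, the digest of every module shipped together in
    one release, and authenticate that record with an HMAC so that a
    tampered manifest cannot be used to bless a mixed build."""
    body = {
        "version": version,
        "modules": {name: module_digest(data) for name, data in sorted(release.items())},
    }
    encoded = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, encoded, "sha256").hexdigest()
    return {"body": body, "tag": tag}


def attest_client(client_modules: dict, manifest: dict, key: bytes) -> list:
    """Compare a client's modules with the manifest of the release it claims
    to be. Returns a list of findings; an empty list means every module is
    byte-for-byte the one that was released together with the others."""
    encoded = json.dumps(manifest["body"], sort_keys=True).encode()
    expected_tag = hmac.new(key, encoded, "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return ["manifest authentication failed"]

    findings = []
    expected = manifest["body"]["modules"]
    for name, digest in sorted(expected.items()):
        if name not in client_modules:
            findings.append(f"missing module: {name}")
        elif module_digest(client_modules[name]) != digest:
            findings.append(f"module differs from release: {name}")
    for name in sorted(client_modules):
        if name not in expected:
            findings.append(f"module not in release: {name}")
    return findings


def graft(newer: dict, older: dict, names) -> dict:
    """Assemble a client the way the report describes the patch: start from
    the newer build and swap in the named modules from an older build."""
    patched = dict(newer)
    for name in names:
        patched[name] = older[name]
    return patched


MANIFEST_V3 = build_manifest(RELEASE_V3, "3.0", SERVER_KEY)

if __name__ == "__main__":
    print("genuine v3 client:", attest_client(RELEASE_V3, MANIFEST_V3, SERVER_KEY))
    mixed = graft(RELEASE_V3, RELEASE_V1, ["gps_check", "operator_auth"])
    print("grafted client:", attest_client(mixed, MANIFEST_V3, SERVER_KEY))
```

The check only helps if the verifier sees the client's real module bytes (or digests it has some independent reason to trust). A client that has already been patched can just as easily report the genuine v3 digests, and a self-check compiled into the client is itself one more module that can be swapped out. That is the point of the experts' remark above that the design, rather than any single check, would have to change: enforcement that matters has to happen where the operator cannot edit it.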
 
NCIIPC is the nodal agency responsible for Aadhaar security.
 
Venkatanarayanan's findings were confirmed by Dan Wallach, professor of computer science, and electrical and computer engineering, at Rice University in Houston, Texas.
 

“Having looked at the patch code and the report presented by Anand, I feel pretty comfortable saying that the report is correct, and it could allow someone to circumvent security measures in the Aadhaar software, and create new entries. This is pretty feasible, and looks like something that would be possible to engineer,” Wallach told HuffPost India.

Comments
Sesadri Chatterjee
4 years ago
What about claiming to withdraw Employee PF from a PF account? Does one need to provide an OTP from the Aadhaar-registered mobile number?
Suresh Deshmukh
4 years ago
UIDAI has already refuted this very strongly!