UIDAI’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm

Rachna Khaira
An operator works on his table while enrolling villagers for the Unique Identification (UID) database system at an enrolment centre in Rajasthan.

NEW DELHI—The authenticity of the data stored in India's controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.

The patch—freely available for as little as Rs 2,500 (around $35)— allows unauthorised persons, based anywhere in the world, to generate Aadhaar numbers at will, and is still in widespread use.

This has significant implications for national security at a time when the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.

A patch is a bundle of code used to alter the functionality of a software programme. Companies often use patches for minor updates to existing programmes, but they can also be used for harm by introducing a vulnerability—as in this case.

HuffPost India is in possession of the patch, and had it analysed by three internationally reputed experts, and two Indian analysts (one of whom sought anonymity as he works at a state-funded university), to find that:

  • The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.

  • The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.

  • The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.

The experts consulted by HuffPost India said...

Continue reading on HuffPost