Code Hack Allows for Creation of Fraudulent Aadhaar Identities, Report Alleges

A serious security vulnerability in Aadhaar means the biometric national ID program is fundamentally flawed, according to a damning new Huffington Post report.

The issue revolves around a certain patch – that is, a bundle of code that can be implemented on top of existing software – that can be easily obtained from the black market via WhatsApp. Essentially, the patch disables key security protocols in software designed to enroll individuals into Aadhaar, allowing just about anybody to create fraudulent Aadhaar identities.

The patch indirectly resulted from government authorities’ rushed efforts to implement Aadhaar. Early in the program’s development, the Unique Identification Authority of India, which administrates Aadhaar, decided to allow private agencies and village service centers to enroll citizens into the program as a means of speeding up its expansion across the country. Officials built certain safeguards into the enrollment software, such as a GPS feature designed to track where a given enrollment was processed, and a login system requiring operators to provide their own biometric credentials in the form of a fingerprint or iris scan.

The patch bypasses those safeguards, allowing administrators to access the enrollment system and to create new and potentially fake Aadhaar identities.

Security researchers consulted for the Huffington Post’s article say that the patch appears to be the work of experts who have invested considerable resources in its creation, suggesting it could be the product of criminal organizations. WhatsApp groups selling the patch ask buyers to transfer money to mobile wallets, whose corresponding phone numbers are quickly deactivated, according to the report.

The UIDAI has faced a number of scandals in recent years pertaining to security breaches and its seemingly haphazard approach to administrating and upgrading the Aadhaar database, but this is perhaps the most serious indictment of the program’s security to date. Responding to the report today, the UIDAI issued a statement in which it reaffirmed that each Aadhaar identity is linked to 10 unique fingerprints and a pair of irises, and that these biometrics are checked against the entire Aadhaar database for duplicate entries, so it is therefore “not possible” to create fraudulent entries in the database.

The UIDAI also lobbed an accusation of its own, asserting that “certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted.”

Sources: Huffington Post, The Economic Times

September 11, 2018 – by Alex Perala