Yet another Aadhaar breach. Yet another UIDAI denial that misses the point entirely.

There is yet another report of Aadhaar’s ECMP software being patched to bypass security by replacing parts of its code with insecure versions of code from previous versions, reports Huffington Post.

Do read the full article, but the TL;DR is: The patched version of the software developed by Mindtree is available on WhatsApp groups for as little as Rs.2,500/- along with operator information for login allowing anyone who buys it to create or update Aadhaar numbers.

We have seen this film before. Often.

There have long been detailed videos of how UIDAI’s much boasted security features for the softwares can be bypassed.

The hack

This hack removes the geolocation constraints, so that anyone, anywhere in the world can add to or update the Aadhaar database. Additionally, it downgrades the strictness of the iris scan for operator login so that a photograph of the operator can be used instead of the operator having to be present in person. Fingerprint copies have long been shown to work on scanners.

The implications

This hack blows the UIDAI’s claims of security wide open. Huffington Post obtained a copy of the patch and had several experts verify it. The article contains interesting details about the patch itself (that it was probably the result of the work of several coders, it works by replacing code with earlier versions, etc).

What is abundantly clear is that this hack renders the credibility of the Aadhaar database meaningless, when anyone, anywhere in the world – including terrorists sitting in Pakistan Occupied Kashmir, every spy organization in the world and darkweb hackers can easily create or update Aadhaar numbers.

These Aadhaar numbers are now being promoted as the sole required identification. Effectively, it means that this hack renders identification itself meaningless in India.

UIDAI response

The usual. They haven’t actually addressed any aspect of the security report, also as usual, and this author no longer has patience for whatever platitudes and hollow claims they have repeated to sound like they are responding to the report without actually doing so.

Vidyut is a commentator on socio-political issues with a keen understanding of tech and policy. She has been observing and commenting on Aadhaar since 2010 from a perspective of human rights, democracy and technological robustness.

Leave a Reply

Your email address will not be published. Required fields are marked *