wordpress blog stats
Connect with us

Hi, what are you looking for?

, , , ,

Cracked Aadhaar enrollment and updation software for sale on the black market: Report


By Vidyut Kale and Nikhil Pahwa

Software that is used to enroll individuals for Aadhaar, or update their information has been hacked and is being sold for Rs 500-2000, Asia Times reports.

Aadhaar enrollment operators use a software provided by the UIDAI, called ECMP (Enrollment Client Multi Platform), to collect or update an individuals information in the Aadhaar database. The UIDAI has claimed in the Supreme Court that it is extremely secure, to the point that not even the enrollment operators have access to the biometrics collected by the software.

The Asia Times report highlights the following issues, about how the softwares security measures have been bypassed, which it has confirmed with two unnamed cyber security experts:

  • Operator biometrics bypassed: The software uses the Aadhaar operator’s biometrics to grant them access to perform enrollments or updation. Asia Times reports that the cracked software comes preconfigured with valid biometrics and user credentials of authorized operators. This means that unauthorised entities can enroll anyone they want, and edit data for those, whose fingerprints they have gotten copies of.
  • Geolocation identification bypassed: The software uses GPS co-ordinates to check the location of the enrollment, to ensure that it is being done at a secure and mandated location. The cracked software is, as per the story, patched to disable the GPS module. This means that people can be enrolled anywhere, using this software.

The core issue here is that given that the enrollment process has been compromised, and there are no means of checking the accuracy and the efficacy of the Aadhaar data, the data in the Aadhaar database is thus likely to be unreliable. More on that here.

WhatsApp groups of former Aadhaar operators have this software for sale for as little as Rs. 500 to 2000 a copy. Note that contracts of private Aadhaar operators, which the UIDAI had recruited, and who had invested significantly in the business, were terminated earlier this year. UIDAI did not have proper mechanisms to handle the misuse of the access. Instead of private enrollment operators, the UIDAI has now delegated the task to banks and post offices. That process has been slow to take off: the need for enrolment or updation appears to have outstripped the available legitimate. The mandatory requirement of Aadhaar to access an increasing number of essential services and schemes is likely to create a market for “agents” to get it done.

Advertisement. Scroll to continue reading.

Nothing new from UIDAI

It also appears that the UIDAI has ignored complaints about the sale of this illegal software. According to the Asia Times report, an operator from Punjab, Bharat Bhushan Gupta, had alerted the UIDAI by email. The emails were acknowledged, but there has apparently been no response since. A journalist in Punjab found the cracked software and alerted the UIDAI and also received an acknowledgment, but there was apparently no further action. The NCIIPC also alerted the UIDAI about this breach, it appears, from the questions at the end of the Asia Times article.

In the past, the UIDAI has filed police complaints against journalists and researchers reporting such issues: It had filed an FIR against the Tribune and its journalist Rachna Khaira for illegal access to the Aadhaar database being sold for Rs 500. Khaira’s informant (also an ex-enrolment operator) was not taken seriously when he had reported sale of access to the database being sold on Whatsapp groups.

Other instances of Aadhaar database being accessed illegally


Questions about the UIDAI’s claims

With this latest report of UIDAI’s enrolment software being cracked, as well as its ongoing claims about security, we’d like to repeat some questions about UIDAI’s claims.

  1. Can the UIDAI’s biometric database be considered uncompromised if the entries in it have been proven to be compromisable over and over?
  2. The UIDAI has asked for vulnerabilities to be reported – loud and clear in the Supreme Court. So:
    1. Where to report them?
    2. What has it done with those reported so far?
    3. How can it deny vulnerabilities being reported when countless instances of vulnerabilities being reported are in the public domain and indeed those reporting them are facing legal action from the UIDAI?
  3. The UIDAI claims that it can trace misuse. Have the people who provided the patched software in the Kanpur Aadhaar Enrolment scam been arrested?
  4. Have the people who sold the bank official’s biometrics on the black market to allow unauthorized access to the Aadhaar database been arrested?
  5. Have the people who sold the unauthorized login access to Aadhaar database been identified and arrested?
  6. Have the entries and updates made by the people who purchased such unauthorized access on the black market been identified and reverted?
  7. Does the UIDAI have any means to identify letigimate updates to the Aadhaar database and those made by miusing credentials of authorized operators?
  8. Have the Aadhaar numbers made or updated through misuse been identified and cancelled or reverted?
  9. How is Aadhaar safe if the exploits are mounting?
  10. What remains to be compromised that forms the basis of UIDAI’s claim that Aadhaar is secure?

Written By

Vidyut is a commentator on socio-political issues with a keen interest in behavioral sciences, digital rights and security and manages to engage her various proficiencies to bring an unusual perspective to issues related with the intersection of tech and people.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...


Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ