By Vidyut Kale and Nikhil Pahwa

Software that is used to enroll individuals for Aadhaar, or update their information has been hacked and is being sold for Rs 500-2000, Asia Times reports.

Aadhaar enrollment operators use a software provided by the UIDAI, called ECMP (Enrollment Client Multi Platform), to collect or update an individuals information in the Aadhaar database. The UIDAI has claimed in the Supreme Court that it is extremely secure, to the point that not even the enrollment operators have access to the biometrics collected by the software.

The Asia Times report highlights the following issues, about how the softwares security measures have been bypassed, which it has confirmed with two unnamed cyber security experts:

  • Operator biometrics bypassed: The software uses the Aadhaar operator’s biometrics to grant them access to perform enrollments or updation. Asia Times reports that the cracked software comes preconfigured with valid biometrics and user credentials of authorized operators. This means that unauthorised entities can enroll anyone they want, and edit data for those, whose fingerprints they have gotten copies of.
  • Geolocation identification bypassed: The software uses GPS co-ordinates to check the location of the enrollment, to ensure that it is being done at a secure and mandated location. The cracked software is, as per the story, patched to disable the GPS module. This means that people can be enrolled anywhere, using this software.

The core issue here is that given that the enrollment process has been compromised, and there are no means of checking the accuracy and the efficacy of the Aadhaar data, the data in the Aadhaar database is thus likely to be unreliable. More on that here.

WhatsApp groups of former Aadhaar operators have this software for sale for as little as Rs. 500 to 2000 a copy. Note that contracts of private Aadhaar operators, which the UIDAI had recruited, and who had invested significantly in the business, were terminated earlier this year. UIDAI did not have proper mechanisms to handle the misuse of the access. Instead of private enrollment operators, the UIDAI has now delegated the task to banks and post offices. That process has been slow to take off: the need for enrolment or updation appears to have outstripped the available legitimate. The mandatory requirement of Aadhaar to access an increasing number of essential services and schemes is likely to create a market for “agents” to get it done.

Nothing new from UIDAI

It also appears that the UIDAI has ignored complaints about the sale of this illegal software. According to the Asia Times report, an operator from Punjab, Bharat Bhushan Gupta, had alerted the UIDAI by email. The emails were acknowledged, but there has apparently been no response since. A journalist in Punjab found the cracked software and alerted the UIDAI and also received an acknowledgment, but there was apparently no further action. The NCIIPC also alerted the UIDAI about this breach, it appears, from the questions at the end of the Asia Times article.

In the past, the UIDAI has filed police complaints against journalists and researchers reporting such issues: It had filed an FIR against the Tribune and its journalist Rachna Khaira for illegal access to the Aadhaar database being sold for Rs 500. Khaira’s informant (also an ex-enrolment operator) was not taken seriously when he had reported sale of access to the database being sold on Whatsapp groups.

Other instances of Aadhaar database being accessed illegally

 

Questions about the UIDAI’s claims

With this latest report of UIDAI’s enrolment software being cracked, as well as its ongoing claims about security, we’d like to repeat some questions about UIDAI’s claims.

  1. Can the UIDAI’s biometric database be considered uncompromised if the entries in it have been proven to be compromisable over and over?
  2. The UIDAI has asked for vulnerabilities to be reported – loud and clear in the Supreme Court. So:
    1. Where to report them?
    2. What has it done with those reported so far?
    3. How can it deny vulnerabilities being reported when countless instances of vulnerabilities being reported are in the public domain and indeed those reporting them are facing legal action from the UIDAI?
  3. The UIDAI claims that it can trace misuse. Have the people who provided the patched software in the Kanpur Aadhaar Enrolment scam been arrested?
  4. Have the people who sold the bank official’s biometrics on the black market to allow unauthorized access to the Aadhaar database been arrested?
  5. Have the people who sold the unauthorized login access to Aadhaar database been identified and arrested?
  6. Have the entries and updates made by the people who purchased such unauthorized access on the black market been identified and reverted?
  7. Does the UIDAI have any means to identify letigimate updates to the Aadhaar database and those made by miusing credentials of authorized operators?
  8. Have the Aadhaar numbers made or updated through misuse been identified and cancelled or reverted?
  9. How is Aadhaar safe if the exploits are mounting?
  10. What remains to be compromised that forms the basis of UIDAI’s claim that Aadhaar is secure?