Your Worst Fears Are Realised: Aadhaar Has Been Hacked With A Rs 2,500 Software Patch
Aadhaar has been touted to be the most efficient identification system in the country by the government. As such, they've also insisted its security is unbreakable, despite evidence to the contrary. Now, that statement has been proven to be false.
According to HuffPost India, Aadhaar has been breached by a simple patch for the enrollment software, one that's available for as little as the price of a domestic flight ticket. In a three-month-long investigation, the publication managed to get hold of said patch and had it analysed by both Indian and foreign cybersecurity experts.
The judgement was unanimous: Aadhaar can be hacked.
A patch for the Aadhaar enrollment software exists that can be obtained for as little as Rs 2,500. It allows someone located anywhere in the world to generate a unique 12-digit Aadhaar number at will. It lets a user bypass the core security feature of biometric authentication (fingerprints) of operators, thus allowing someone to generate an unauthorised Aadhaar number freely. It also disables the software's GPS module, which is supposed to identify the physical location of an enrolment centre, thus allowing someone in another country to generate a fake ID. Lastly, it also tweaks and weakens the iris-recognition system in the software, making it easier to spoof with a photograph of the registered enrollment operator rather than needing them to be present.
As such, the personal and biometric data of billions of Indians, your data, is now compromised. Not to mention, of course, the national security implications this raises. Even worse is that, in addition to the low price of the patch, it's pretty easily available simply by joining one of the many WhatsApp groups where it is being sold. Once you have that, all you need to do is install the enrollment software and patch and you're good to go.
Basically, someone with their hands on this can't view data, but can add any kind of data to the Central Repository Database, including addresses, mobile numbers, and bank details. Worse, the experts quoted in the piece say the exploit preys on design flaws incorporated during Aadhaar's inception. This was back in 2010 when the government, wanting to speed up enrollment, allowed private third-party agencies to conduct enrollments as well. In addition, the platform designed for it was installed locally on computers around the country, as opposed to being run on UIDAI's servers, for instance, which would have made it more secure.
Thanks to that, the hackers have simply taken code from older versions of the enrollment software (which had fewer security features) and grafted it onto the new version. That means fixing it would require a major redesign of the core system.
So far, both the National Critical Information Infrastructure Protection Centre (NCIIPC) and Unique Identification Authority of India (UIDAI) have refused to comment on the vulnerability, despite knowing about it since July, HuffPost India says. Supposedly, NCIIPC has received the patch it requested from them but has not replied, while the UIDAI simply refused to respond to emails.
This news flies in the face of every assurance the government has made about the system's security. It also means Aadhaar is like every other government system, where multiple fake entries can be generated for a single person, allowing someone to potentially partake of government subsidies and services in your name.
Unfortunately, if the government decides to actually do something about this breach, it means you'll probably need to go down to a government enrollment centre sometime in the future to prove your identity.