Access to India's Aadhaar unique identity enrollment software is available to anyone for $35, the price of a patch that cripples important security features.
Aadhaar is probably the world's largest identification system that contains biometric data such as iris scans and fingerprints, along with personal information (name, address, phone number) of Indian citizens.
The 12-digit unique identification numbers generated upon registration in the Aadhaar database are required when individuals want to obtain food rations, a mobile phone or a bank account. Currently, over one billion people are enrolled.
To speed up the enrollment process, the Unique Identification Authority of India (UIDAI) that oversees Aadhaar initially signed agreements with multiple parties (private agencies, common service centers) and authorized them to use an enrollment software platform (ECMP) that could be installed on their computers.
Because of reports of registration fraud, UIDAI later decided to allow only public sector banks and post offices to use the software.
Logging into the ECMP requires a username and password from the authorized Aadhaar enrollment agent as well as biometric authentication like their fingerprint or iris scan.
Computers authorized by UIDAI to run the ECMP (Enrolment Client Multi-Platform) are equipped with GPS systems that make sure they operate in official enrollment locations.
The initial exposure of the software to a large number of operators created an opportunity for individuals who wanted illegal access to the database to analyze it and develop ways to circumvent the login stage and GPS tracking.
An investigation from HuffPost India reveals that a software patch that weakens some security features and disables others has been available to groups of former operators since early 2017, allegedly allowing anyone in the world to add entries into Aadhaar.
The patch, a Java Archive (JAR), is so common that some individuals advertise it on YouTube for a quick buck. The video below shows that after stitching in the JAR file, the Aadhaar Enrolment Client disables fingerprint authentication at login:
The patch disables GPS tracking and the fingerprint check, and reduces the sensitivity of the iris scanner so that it permits logging in with a photograph of the authorized operator.
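Because a JAR is a ZIP archive, an enrollment agency can detect a stitched-in patch by comparing the installed client's entries against a known-good baseline. The following is an added example, not code from the article, from UIDAI or from the ECMP; the archive entry names and their contents are constructed for illustration.

```python
import hashlib
import io
import zipfile


def build_jar(entries):
    """Build an in-memory ZIP/JAR from {entry_name: content} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def jar_digests(jar_bytes):
    """Map every file entry in the archive to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_against_baseline(baseline, candidate):
    """Report entries modified, added or removed relative to the known-good client."""
    return {
        "modified": sorted(n for n in baseline if n in candidate and baseline[n] != candidate[n]),
        "added": sorted(n for n in candidate if n not in baseline),
        "removed": sorted(n for n in baseline if n not in candidate),
    }


def check_client(genuine_jar, installed_jar):
    """Return (tampered, report) for an installed client against the vendor baseline."""
    report = diff_against_baseline(jar_digests(genuine_jar), jar_digests(installed_jar))
    return any(report.values()), report


# Constructed stand-ins for the genuine client and a patched copy (hypothetical names).
GENUINE = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "com/example/ecmp/BiometricLogin.class": b"\xca\xfe\xba\xbe genuine fingerprint check",
    "com/example/ecmp/GpsCheck.class": b"\xca\xfe\xba\xbe genuine gps check",
})
PATCHED = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "com/example/ecmp/BiometricLogin.class": b"\xca\xfe\xba\xbe login check removed",
    "com/example/ecmp/GpsCheck.class": b"\xca\xfe\xba\xbe genuine gps check",
    "com/example/ecmp/GpsBypass.class": b"\xca\xfe\xba\xbe stitched-in class",
})

if __name__ == "__main__":
    print(check_client(GENUINE, PATCHED))
```

A file-level baseline only catches tampering with the archive on disk; an operator who can replace the client can also replace the checker, so the backend must still authenticate the operator's biometrics itself rather than trust a flag sent by the client.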
Login credentials are still needed to access the database, but these are available for as little as $35, the publication says. The sellers also provide the necessary registration details of authorized operators.
Experts who reviewed the patch for HuffPost India said that it was the work of "sophisticated well-trained adversaries" with the clear goal of introducing information into the database.
The database requires biometric data from the enrollee, but spoofing fingerprints is possible and even iris scanning can be fooled with high-quality cosmetic contact lenses, although this may not hold for long as new detection techniques are emerging. As you can imagine, this opens the door wide to identity theft and fraud.
According to security analyst and software developer Anand Venkatanarayanan, the patch included code from earlier revisions of the program, which were less secure.
His findings were confirmed by Dan Wallach, Professor of Computer Science, and Electrical and Computer Engineering, at Rice University in Houston, Texas.
The government authority rejected the evidence brought by the publication, which quoted three international security experts and two national analysts.
In a thread on Twitter, UIDAI defended the security in the Aadhaar client saying that the registration requires all 10 fingerprints and both iris scans from the resident. To eliminate the risk of duplicates, UIDAI says that the software compares the new data with that of all Aadhaar holders before issuing the identification number.
The government authority added that all requests for enrollment or updates are "processed only after biometrics of the operator is authenticated and resident’s biometrics is de-duplicated at the backend of UIDAI system."
#PressStatement UIDAI hereby dismisses a news report appearing in social and online media about Aadhaar Enrolment Software being allegedly hacked as completely incorrect and irresponsible. 1/n
— Aadhaar (@UIDAI) September 11, 2018
HuffPost's report of the Aadhaar client jailbreak is not new. In May, Asia Times published their investigation on the same topic, confirming the availability of the illegal patch and its functionality.
Even if the verification process prevents unauthorized entries from being added to Aadhaar, it would not stop illegal updates of non-biometric details. An expert talking to Asia Times said that the biometric check bypass "allows anyone to update their proof of identity or address details without any checks whatsoever."
Using the enrollment client without authorization is not unheard of: multiple individuals have been arrested in the past year and a half for illegally accessing the database and updating it with new entries.