Software Patch Claimed To Allow Aadhaar's Security To Be Bypassed, Calling Into Question Biometric Database's Integrity
from the but-it's-ok,-we-already-blacklisted-the-50,000-rogue-operators-that-we-found dept
Earlier this year, we wrote about what seemed to be a fairly serious breach of security at the world's largest biometric database, India's Aadhaar. The Indian edition of Huffington Post now reports on what looks like an even more grave problem:
The authenticity of the data stored in India's controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.
According to the article, the patch can be bought for just Rs 2,500 (around $35). The easy-to-install software removes three critical security features of Aadhaar:
The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.
The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world -- say, Beijing, Karachi or Kabul -- can use the software to enrol users.
The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
As the Huffington Post article explains, creating a patch that is able to circumvent the main security features in this way was possible thanks to design choices made early on in the project. The unprecedented scale of the Aadhaar enrollment process -- so far around 1.2 billion people have been given an Aadhaar number and added to the database -- meant that a large number of private agencies and village-level computer kiosks were used for registration. Since connectivity was often poor, the main software was installed on local computers, rather than being run in the cloud. The patch can be used by anyone with local access to the computer system, and simply involves replacing a folder of Java libraries with versions lacking the security checks.
The Unique Identification Authority of India (UIDAI), the government body responsible for the Aadhaar project, has responded to the Huffington Post article, but in a rather odd way: as a Donald Trump-like stream of tweets. The Huffington Post points out: "[the UIDAI] has simply stated that its systems are completely secure without any supporting evidence." One of the Aadhaar tweets is as follows:
It is because of this stringent and robust system that as on date more that 50,000 operators have been blacklisted, UIDAI added.
The need to throw 50,000 operators off the system hardly inspires confidence in its overall security. What makes things worse is that the Indian government seems determined to make Aadhaar indispensable for Indian citizens who want to deal with it in any way, and to encourage business to do the same. Given the continuing questions about Aadhaar's overall security and integrity, that seems unwise, to say the least.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: aadhaar, biometrics, breach, india, privacy, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
Money causes they system to be sold...
...but no amount of money can fix the problems incurred.
As has been stated many times, here on Techdirt and elsewhere, biometrics is is username, not a password. When the system uses biometrics as the password, and the 'password' becomes compromised, how in the hell does one change it? Fingerprint, eye scan, even a DNA sample (not available yet but I bet someone is working on it $$$) it is not changeable when compromised.
Any entity that thinks biometrics is a reasonable way to allow access to anything needs to be investigated for their lack of thinking.
[ link to this | view in chronology ]
i wonder..
Couldnt we grab this data file and use all the data to create credit applications and SPEND all that credit??
[ link to this | view in chronology ]
Software Patchers Are TERRORIST PORN PIRATES
[ link to this | view in chronology ]
Re: Software Patchers Are TERRORIST PORN PIRATES
Care to elaborate on how you plan on preventing people from writing code?
Or what por has to do with github?
Does porn scare you? Do you stay up late nights thinking about porn?
[ link to this | view in chronology ]
Re: Re: Software Patchers Are TERRORIST PORN PIRATES
[ link to this | view in chronology ]
Re: Re: Re: Software Patchers Are TERRORIST PORN PIRATES
[ link to this | view in chronology ]
Fail to address one concern, only to raise another
It is because of this stringent and robust system that as on date more that 50,000 operators have been blacklisted, UIDAI added.
With a system that valuable the fact that at least fifty thousand people who shouldn't have had access did they're hardly making it look better or more secure with that 'defense'.
In addition the very important next question would be, 'of that fifty thousand, how many were blacklisted before they had a chance to make off with valuable data?' Because if they weren't stopped at the door then blacklisting them would very much be a case of shutting the barn doors after the horses escaped. Sure they can't access it again... with the same information/address... but if they already got what they wanted then losing that access isn't exactly going to do any good.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The biometric cheerleaders will dismiss this as a nothing burger.
[ link to this | view in chronology ]