Software Patch Claimed To Allow Aadhaar's Security To Be Bypassed, Calling Into Question Biometric Database's Integrity

from the but-it's-ok,-we-already-blacklisted-the-50,000-rogue-operators-that-we-found dept

Earlier this year, we wrote about what seemed to be a fairly serious breach of security at the world's largest biometric database, India's Aadhaar. The Indian edition of Huffington Post now reports on what looks like an even more grave problem:

The authenticity of the data stored in India's controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.

According to the article, the patch can be bought for just Rs 2,500 (around $35). The easy-to-install software removes three critical security features of Aadhaar:

The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.

The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world -- say, Beijing, Karachi or Kabul -- can use the software to enrol users.

The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.

As the Huffington Post article explains, creating a patch that is able to circumvent the main security features in this way was possible thanks to design choices made early on in the project. The unprecedented scale of the Aadhaar enrollment process -- so far around 1.2 billion people have been given an Aadhaar number and added to the database -- meant that a large number of private agencies and village-level computer kiosks were used for registration. Since connectivity was often poor, the main software was installed on local computers, rather than being run in the cloud. The patch can be used by anyone with local access to the computer system, and simply involves replacing a folder of Java libraries with versions lacking the security checks.
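The weak point the article describes is that the security checks live in library files on a machine the operator controls. One routine defensive measure is to pin the installed library folder to a manifest of file hashes and alert when a file is modified, missing, or unexpected. The script below is an added example, not code from the article, from HuffPost, or from UIDAI; the folder layout, file names and contents are constructed placeholders, and nothing here reflects how the real enrolment client is built.

```python
"""Detect a swapped library folder by comparing it to a pinned hash manifest.

Added example; the library names and contents are constructed placeholders,
not the real enrolment client's files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large JARs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(lib_dir: Path) -> dict:
    """Map each file under lib_dir (relative path) to its SHA-256 hash."""
    return {
        str(p.relative_to(lib_dir)): sha256_file(p)
        for p in sorted(lib_dir.rglob("*"))
        if p.is_file()
    }


def verify_libraries(lib_dir: Path, manifest: dict) -> dict:
    """Report every way the folder differs from the pinned manifest."""
    current = build_manifest(lib_dir)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Pin a constructed folder, then simulate a tampered install and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        # Constructed stand-ins for the libraries that hold the checks.
        (lib / "auth-checks.jar").write_bytes(b"operator biometric check v1")
        (lib / "geo-fence.jar").write_bytes(b"location check v1")

        # The manifest would be generated on a trusted build machine and
        # shipped alongside the client; a JSON round-trip shows it serialises.
        manifest_json = json.dumps(build_manifest(lib), indent=2, sort_keys=True)
        manifest = json.loads(manifest_json)

        clean = verify_libraries(lib, manifest)

        # Simulated tampering: one library replaced, one removed, one added.
        (lib / "auth-checks.jar").write_bytes(b"different contents")
        (lib / "geo-fence.jar").unlink()
        (lib / "extra.jar").write_bytes(b"not in manifest")

        tampered = verify_libraries(lib, manifest)

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the machine running this check is the same one the operator controls, a purely client-side check can itself be edited out; it is useful as telemetry (the result is logged and sent home) but the authoritative decision has to be made server-side, for example by having the enrolment backend refuse submissions from clients that cannot present a valid attestation of their build before an enrolment is accepted.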

The Unique Identification Authority of India (UIDAI), the government body responsible for the Aadhaar project, has responded to the Huffington Post article, but in a rather odd way: as a Donald Trump-like stream of tweets. The Huffington Post points out: "[the UIDAI] has simply stated that its systems are completely secure without any supporting evidence." One of the Aadhaar tweets is as follows:

It is because of this stringent and robust system that as on date more than 50,000 operators have been blacklisted, UIDAI added.

The need to throw 50,000 operators off the system hardly inspires confidence in its overall security. What makes things worse is that the Indian government seems determined to make Aadhaar indispensable for Indian citizens who want to deal with it in any way, and to encourage business to do the same. Given the continuing questions about Aadhaar's overall security and integrity, that seems unwise, to say the least.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+



Filed Under: aadhaar, biometrics, breach, india, privacy, security


Reader Comments



  1. Anonymous Anonymous Coward, 17 Sep 2018 @ 6:45pm

    Money causes the system to be sold...

    ...but no amount of money can fix the problems incurred.

    As has been stated many times, here on Techdirt and elsewhere, biometrics is a username, not a password. When the system uses biometrics as the password, and the 'password' becomes compromised, how in the hell does one change it? Fingerprint, eye scan, even a DNA sample (not available yet but I bet someone is working on it $$$): it is not changeable when compromised.

    Any entity that thinks biometrics is a reasonable way to allow access to anything needs to be investigated for their lack of thinking.


  2. ECA, 17 Sep 2018 @ 8:04pm

    i wonder..

    If the USA and other countries were as BAD as we say other nations are..
    Couldn't we grab this data file and use all the data to create credit applications and SPEND all that credit??


  3. Mr Big Content, 17 Sep 2018 @ 8:51pm

    Software Patchers Are TERRORIST PORN PIRATES

    The answer is simple: just BAN these Unlicneced Software Patchers. Software SHOUDLNT BE ALLOWED unless its FULLY LEGAL! ENOUGH of all this FREE PIRATE SOTFWARE that is circluating around on Github and all these other Porn places. STOP RANDOM TOM DICK AND HARRY PEOPLE WRITING CODE NOW!!!


  4. That One Guy, 17 Sep 2018 @ 9:28pm

    Fail to address one concern, only to raise another

    It is because of this stringent and robust system that as on date more than 50,000 operators have been blacklisted, UIDAI added.

    With a system that valuable, the fact that at least fifty thousand people who shouldn't have had access did means they're hardly making it look better or more secure with that 'defense'.

    In addition the very important next question would be, 'of that fifty thousand, how many were blacklisted before they had a chance to make off with valuable data?' Because if they weren't stopped at the door then blacklisting them would very much be a case of shutting the barn doors after the horses escaped. Sure they can't access it again... with the same information/address... but if they already got what they wanted then losing that access isn't exactly going to do any good.


  5. Jon Smythe, 18 Sep 2018 @ 5:58am

    Re: Software Patchers Are TERRORIST PORN PIRATES

    I honestly don't know if you are being sarcastic, or are just a complete and utter nutjob.
    Care to elaborate on how you plan on preventing people from writing code?
    Or what porn has to do with github?
    Does porn scare you? Do you stay up late nights thinking about porn?


  6. James, 18 Sep 2018 @ 6:20am

    Re: Re: Software Patchers Are TERRORIST PORN PIRATES

    Obvious, has to be /s, no one is that crazy. Oh wait, it might be a serious post, does Chris Dodd (riaa/mpaa) post on this forum?


  7. Anonymous Coward, 18 Sep 2018 @ 7:10am

    subvert the dominant paradigm, right?


  8. Anonymous Coward, 18 Sep 2018 @ 7:32am

    Re: Re: Re: Software Patchers Are TERRORIST PORN PIRATES

    Mr Big Content has been providing his satire here for a while, funny stuff.


  9. Anonymous Coward, 18 Sep 2018 @ 7:35am

    Something something .. eggs in one basket

    The biometric cheerleaders will dismiss this as a nothing burger.


