Patch Reportedly Opens Door to Fake Aadhaar EntriesNews Report on Patch Raises Questions About Access Management
The issue of access management and vulnerable software applications has come back to haunt the Unique Identification Authority of India, which manages the Aadhaar database containing biometrics and personal information of over 1 billion Indians.
According to a report by Huffington Post India, the UIDAI has been compromised by a software patch that disables critical security features of the software used for enrolling new Aadhaar users.
The report says the patch, which is available for $35, allows unauthorized persons, based anywhere in the world, to generate Aadhaar numbers at will.
Some security experts had already earlier brought the issue to the attention of the UIDAI. In response, the authority stated that "actual Aadhaar data is stored in a vault which is offline. What is [accessible as a result of the patch] is a hash of biometric data, which is of no use to hackers."
ISMG reached out to UIDAI for comment but did not receive any response.
If the Huffington Post report proves accurate, it has significant implications to national security, especially because the patch reportedly allows fake users to get enrolled, defeating the very purpose for which Aadhaar was established - to reduce corruption, track black money and eliminate fraud and identity theft. It also means that the Aadhaar database is vulnerable to the same problems of ghost entries as any other government database.
The Vulnerable Software Patch
Organizations routinely patch software to install updates. But in this case, a patch was reportedly used to introduce a vulnerability. According to the Huffington Post report, the patch:
- Enables a user to bypass critical security features, such as biometric authentication of enrollment operators, to generate unauthorized Aadhaar numbers;
- Disables the enrollment software's built-in GPS security feature, used to identify the physical location of every enrolment center, which means anyone anywhere in the world could use the software to enroll users.
- Reduces the sensitivity of the enrollment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present.
One security expert with knowledge of the situation, who asked to remain unnamed, claims that the UIDAI can't do much about the patch because fixing it would require a change in Aadhaar's software design. "This kind of Aadhaar hack is very old and gets updated for every new version of the enrollment software," the expert says "The software patch is unusual as it doesn't seek to access information stored in the Aadhaar database, but looks to introduce information into it."
One ongoing issue with Aadhaar is that UIDAI gave authority to too many agencies to enroll users.
Last year the UIDAI admitted that mistake and eliminated 49,000 enrollment centers for various violations. And in February 2018, the UIDAI terminated all contracts with common service centers as well. Now it allows only government banks and post offices to carry out the procedure.
But UIDAI must further tighten the enrollment with mechanisms to help determine if fake data or repeat data has been entered (see: Aadhaar Security: How Can It Be Fixed?).
Anand Padmanabhan, a fellow at the Center for Policy Research, tells the Huffington Post that from 2008 to 2011, Aadhaar shifted from being a purely government project to one that increasingly relied on participation by private players, without addressing the security implications of giving poorly supervised private individuals the capability to access the end point - ie, the computers that connect to the UIDAI servers.
"Many cyber hacks happen on account of end point vulnerabilities," Padmanabhan said, "And by opening up the national identity database to private actors for easy on-boarding, the powers that be have exponentially heightened security threats."
The Aadhaar issue highlights how important is to have a security team involved with the development and operations team right at the beginning of the development process. Hopefully, Aadhaar's woes will encourage others to implement DevSecOps.