Software Patch Claimed To Allow Aadhaar's Security To Be Bypassed, Calling Into Question Biometric Database's Integrity

from the but-it's-ok,-we-already-blacklisted-the-50,000-rogue-operators-that-we-found dept

Earlier this year, we wrote about what seemed to be a fairly serious breach of security at the world’s largest biometric database, India’s Aadhaar. The Indian edition of Huffington Post now reports on what looks like an even more grave problem:

The authenticity of the data stored in India’s controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.

According to the article, the patch can be bought for just Rs 2,500 (around $35). The easy-to-install software removes three critical security features of Aadhaar:

The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.

The patch disables the enrolment software’s in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.

The patch reduces the sensitivity of the enrolment software’s iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.

As the Huffington Post article explains, creating a patch that is able to circumvent the main security features in this way was possible thanks to design choices made early on in the project. The unprecedented scale of the Aadhaar enrollment process — so far around 1.2 billion people have been given an Aadhaar number and added to the database — meant that a large number of private agencies and village-level computer kiosks were used for registration. Since connectivity was often poor, the main software was installed on local computers, rather than being run in the cloud. The patch can be used by anyone with local access to the computer system, and simply involves replacing a folder of Java libraries with versions lacking the security checks.

The Unique Identification Authority of India (UIDAI), the government body responsible for the Aadhaar project, has responded to the Huffington Post article, but in a rather odd way: as a Donald Trump-like stream of tweets. The Huffington Post points out: “[the UIDAI] has simply stated that its systems are completely secure without any supporting evidence.” One of the Aadhaar tweets is as follows:

It is because of this stringent and robust system that as on date more that 50,000 operators have been blacklisted, UIDAI added.

The need to throw 50,000 operators off the system hardly inspires confidence in its overall security. What makes things worse is that the Indian government seems determined to make Aadhaar indispensable for Indian citizens who want to deal with it in any way, and to encourage business to do the same. Given the continuing questions about Aadhaar’s overall security and integrity, that seems unwise, to say the least.

Follow me @glynmoody on Twitter or, and +glynmoody on Google+

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Software Patch Claimed To Allow Aadhaar's Security To Be Bypassed, Calling Into Question Biometric Database's Integrity”

Subscribe: RSS Leave a comment
Anonymous Anonymous Coward (profile) says:

Money causes they system to be sold...

…but no amount of money can fix the problems incurred.

As has been stated many times, here on Techdirt and elsewhere, biometrics is is username, not a password. When the system uses biometrics as the password, and the ‘password’ becomes compromised, how in the hell does one change it? Fingerprint, eye scan, even a DNA sample (not available yet but I bet someone is working on it $$$) it is not changeable when compromised.

Any entity that thinks biometrics is a reasonable way to allow access to anything needs to be investigated for their lack of thinking.

Mr Big Content says:


The answer is simple: just BAN these Unlicneced Software Patchers. Software SHOUDLNT BE ALLOWED unless its FULLY LEGAL! ENOUGH of all this FREE PIRATE SOTFWARE that is circluating around on Github and all these other Porn places. STOP RANDOM TOM DICK AND HARRY PEOPLE WRITING CODE NOW!!!

Jon Smythe says:

Re: Software Patchers Are TERRORIST PORN PIRATES

I honestly don’t know if you are being sarcastic, or are just a complete and utter nuttjob.
Care to elaborate on how you plan on preventing people from writing code?
Or what por has to do with github?
Does porn scare you? Do you stay up late nights thinking about porn?

That One Guy (profile) says:

Fail to address one concern, only to raise another

It is because of this stringent and robust system that as on date more that 50,000 operators have been blacklisted, UIDAI added.

With a system that valuable the fact that at least fifty thousand people who shouldn’t have had access did they’re hardly making it look better or more secure with that ‘defense’.

In addition the very important next question would be, ‘of that fifty thousand, how many were blacklisted before they had a chance to make off with valuable data?’ Because if they weren’t stopped at the door then blacklisting them would very much be a case of shutting the barn doors after the horses escaped. Sure they can’t access it again… with the same information/address… but if they already got what they wanted then losing that access isn’t exactly going to do any good.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...