Software Patch Claimed To Allow Aadhaar's Security To Be Bypassed, Calling Into Question Biometric Database's Integrity
from the but-it's-ok,-we-already-blacklisted-the-50,000-rogue-operators-that-we-found dept
Earlier this year, we wrote about what seemed to be a fairly serious breach of security at the world’s largest biometric database, India’s Aadhaar. The Indian edition of Huffington Post now reports on what looks like an even more grave problem:
The authenticity of the data stored in India’s controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.
According to the article, the patch can be bought for just Rs 2,500 (around $35). The easy-to-install software removes three critical security features of Aadhaar:
The patch lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.
The patch disables the enrolment software’s in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.
The patch reduces the sensitivity of the enrolment software’s iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
As the Huffington Post article explains, creating a patch that is able to circumvent the main security features in this way was possible thanks to design choices made early on in the project. The unprecedented scale of the Aadhaar enrollment process — so far around 1.2 billion people have been given an Aadhaar number and added to the database — meant that a large number of private agencies and village-level computer kiosks were used for registration. Since connectivity was often poor, the main software was installed on local computers, rather than being run in the cloud. The patch can be used by anyone with local access to the computer system, and simply involves replacing a folder of Java libraries with versions lacking the security checks.
The Unique Identification Authority of India (UIDAI), the government body responsible for the Aadhaar project, has responded to the Huffington Post article, but in a rather odd way: as a Donald Trump-like stream of tweets. The Huffington Post points out: “[the UIDAI] has simply stated that its systems are completely secure without any supporting evidence.” One of the Aadhaar tweets is as follows:
It is because of this stringent and robust system that as on date more that 50,000 operators have been blacklisted, UIDAI added.
The need to throw 50,000 operators off the system hardly inspires confidence in its overall security. What makes things worse is that the Indian government seems determined to make Aadhaar indispensable for Indian citizens who want to deal with it in any way, and to encourage business to do the same. Given the continuing questions about Aadhaar’s overall security and integrity, that seems unwise, to say the least.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: aadhaar, biometrics, breach, india, privacy, security
Comments on “Software Patch Claimed To Allow Aadhaar's Security To Be Bypassed, Calling Into Question Biometric Database's Integrity”
Money causes they system to be sold...
…but no amount of money can fix the problems incurred.
As has been stated many times, here on Techdirt and elsewhere, biometrics is is username, not a password. When the system uses biometrics as the password, and the ‘password’ becomes compromised, how in the hell does one change it? Fingerprint, eye scan, even a DNA sample (not available yet but I bet someone is working on it $$$) it is not changeable when compromised.
Any entity that thinks biometrics is a reasonable way to allow access to anything needs to be investigated for their lack of thinking.
i wonder..
If the USA and other countries were as BAD as we say other nations are..
Couldnt we grab this data file and use all the data to create credit applications and SPEND all that credit??
Software Patchers Are TERRORIST PORN PIRATES
The answer is simple: just BAN these Unlicneced Software Patchers. Software SHOUDLNT BE ALLOWED unless its FULLY LEGAL! ENOUGH of all this FREE PIRATE SOTFWARE that is circluating around on Github and all these other Porn places. STOP RANDOM TOM DICK AND HARRY PEOPLE WRITING CODE NOW!!!
Re: Software Patchers Are TERRORIST PORN PIRATES
I honestly don’t know if you are being sarcastic, or are just a complete and utter nuttjob.
Care to elaborate on how you plan on preventing people from writing code?
Or what por has to do with github?
Does porn scare you? Do you stay up late nights thinking about porn?
Re: Re: Software Patchers Are TERRORIST PORN PIRATES
Obvious, has to be /s, no one is that crazy. Oh wait, it might be a serious post, does Chris Dodd (riaa/mpaa) post on this forum?
Re: Re: Re: Software Patchers Are TERRORIST PORN PIRATES
Mr Big Content has been providing his satire here for a while, funny stuff.
Fail to address one concern, only to raise another
It is because of this stringent and robust system that as on date more that 50,000 operators have been blacklisted, UIDAI added.
With a system that valuable the fact that at least fifty thousand people who shouldn’t have had access did they’re hardly making it look better or more secure with that ‘defense’.
In addition the very important next question would be, ‘of that fifty thousand, how many were blacklisted before they had a chance to make off with valuable data?’ Because if they weren’t stopped at the door then blacklisting them would very much be a case of shutting the barn doors after the horses escaped. Sure they can’t access it again… with the same information/address… but if they already got what they wanted then losing that access isn’t exactly going to do any good.
subvert the dominant paradigm, right?
Something something .. eggs in one basket
The biometric cheerleaders will dismiss this as a nothing burger.