- A hack to bypass biometric authentication for Aadhaar enrolment is doing round across WhatsApp groups.
- The hack can bypass most of the required biometric and GPS authentications thereby allowing anyone in possession of the hack to run their own unauthorized Aadhaar enrolment center.
- Security experts and analysts have confirmed the authenticity of the hack but UIDAI is yet to comment on the matter.
In a highly alarming development, hackers have found a way to compromise the Aadhaar software and the ID database by disabling some of the security features of the enrolment software. An even more disturbing fact is that the hack is being widely circulated on WhatsApp for as little as Rs. 2,500 (US$35). This means unauthorized persons from anywhere in the world can generate Aadhaar numbers at will making it a security concern of national importance as Aadhaar authentication is being promoted as a one-stop solution for all forms of authentication.
The said patch was analyzed by HuffPost India with the help of three security experts along with two Indian analysts. The findings were as follows —
- The patch can bypass biometric authentication to generate unauthorized Aadhaar numbers.
- The patch disables the built-in GPS security feature so the location from where the unauthorized enrolment is happening cannot be traced.
- The patch was also found to reduce the iris recognition sensitivity, which means the operator's presence can be spoofed with just a photograph.
Anyone reading the above points will immediately understand the fundamental structure of Aadhaar authentication has been compromised. HuffPost India's experts say that fixing the flaw and any future ones would require in a complete overhaul of the structure of Aadhaar.
Bengaluru-based cybersecurity analyst Anand Venkatanarayanan, who was helping HuffPost India analyze the data shared his results with the National Critical Information Infrastructure Protection Center (NCIIPC) and said that the hack was possible because of implementing code from the older, less secure versions of the software on to newer versions.
HuffPost India reports a series of bad initial implementations led to the current security loophole in the Aadhaar enrolment. There are many Aadhaar operators who have paid Rs. 2,500 to source the hack and are running illegal enrolments. Payments are being received via UPI by using a temporary mobile number linked to a bank account. UIDAI and NCIIPI are yet to respond to this hack, which is actually even being used as we write this article.
While there are no signs of Aadhaar being retracted anytime soon, the very notion of a total overhaul poses an immense challenge before the Indian Government, which has laid out ambitious plans for using it as a one-stop shop for all citizen-centric services.