
UIDAI Says Reports On Aadhaar Software Hack Are ‘Incorrect’ And ‘Irresponsible’

SUMMARY

Reports surfaced that a software patch costing just $35 (INR 2,500) allows unauthorised persons to generate Aadhaar numbers at will

UIDAI claims all recorded biometrics of a person – 10 fingerprints and two irises – are matched with those in the system and validated before a 12-digit identity number is issued

UIDAI claims it has taken safeguard measures, including providing standardised software that encrypts all data before saving it to any disk


Even as the Supreme Court examines the constitutional validity of the Aadhaar Act, the unique identity system that records the data of over 1 Bn Indians remains vulnerable to security breaches.
Recently, reports surfaced that the Aadhaar database could be compromised with a cheap software patch, costing as little as $35 (INR 2,500), that disables critical security features used to enrol new users. However, the Unique Identification Authority of India (UIDAI) dismissed the reports as “completely incorrect and irresponsible” and said that no operator can make or update Aadhaar entries unless an individual furnishes his/her biometric details.
HuffPost India, in a report dated September 11, claimed that “The patch — freely available for as little as around $35 (INR 2500) — allows unauthorised persons, based anywhere in the world, to generate Aadhaar numbers at will, and is still in widespread use.”
The report added that the patch bypasses critical security features, such as biometric authentication of enrolment operators and the enrolment software’s inbuilt GPS check, to generate unauthorised Aadhaar numbers. The patch allegedly reduces the sensitivity of the enrolment software’s iris-recognition system, making it easier to spoof the software with a photograph of a registered operator rather than requiring the operator to be present in person.
Following this, the UIDAI said in a series of tweets that the claim that entries could be introduced into the Aadhaar database is completely unfounded, because all the biometrics of a person — 10 fingerprints and two irises — are compared with those already in the system and validated before a unique 12-digit identity number is issued.
It said an operator’s biometrics and other parameters are checked before an enrolment or update, and only after all checks are successful is it processed further.
Further, the UIDAI claimed that it has taken safeguard measures, including providing standardised software that encrypts all data even before saving it to any disk, protecting data using tamper-proofing, identifying every one of the operators in “every” enrolment, and identifying every one of thousands of machines using a unique machine registration process, which ensures that every encrypted packet is tracked.
“Even in a hypothetical situation where, by some manipulative attempt, essential parameters such as operator’s biometrics or resident’s biometrics are not captured, blurred and such a ghost enrolment/update packet is sent to UIDAI, the same is identified by the robust backend system of UIDAI, and all such enrolment packets get rejected and no Aadhaar is generated. Also, the concerned enrolment machines and the operators are identified, blocked and blacklisted permanently from the UIDAI system. In appropriate cases, police complaints are also filed for such fraudulent attempts,” UIDAI said.
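The backend behaviour described in that statement, as an added illustration that is not UIDAI’s code: a server-side validator that treats the enrolment client as untrusted (a patched client can skip operator authentication or the GPS check, so nothing the client asserts about itself is relied upon), rejects “ghost” packets that arrive from unregistered machines or with missing or unusable operator or resident biometrics, and blocks the operator and machine that sent them. The identifiers, the quality scale and the threshold are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed sample registry and threshold; hypothetical, not real UIDAI values.
REGISTERED_MACHINES = {"MACHINE-0001", "MACHINE-0002"}
MIN_QUALITY = 60  # hypothetical minimum capture-quality score for a usable biometric


@dataclass
class EnrolmentPacket:
    machine_id: str
    operator_id: str
    operator_biometric_quality: Optional[int]   # None = operator capture absent
    resident_fingerprints: int                  # count of fingerprints captured
    resident_irises: int                        # count of irises captured
    resident_biometric_quality: Optional[int]   # None = resident capture absent


@dataclass
class Backend:
    blacklisted_operators: Set[str] = field(default_factory=set)
    blacklisted_machines: Set[str] = field(default_factory=set)

    def validate(self, pkt: EnrolmentPacket) -> Tuple[bool, str]:
        """Gate a packet before it reaches 1:N biometric deduplication.

        Every check is re-done server-side; the client's own checks may have been patched out.
        """
        if pkt.machine_id not in REGISTERED_MACHINES:
            return False, "machine not registered"
        if pkt.machine_id in self.blacklisted_machines or pkt.operator_id in self.blacklisted_operators:
            return False, "operator or machine blacklisted"
        # A patched client may skip operator authentication and send a blank or blurred capture.
        if pkt.operator_biometric_quality is None or pkt.operator_biometric_quality < MIN_QUALITY:
            return self._reject_ghost(pkt, "operator biometrics missing or unusable")
        if pkt.resident_fingerprints != 10 or pkt.resident_irises != 2:
            return self._reject_ghost(pkt, "incomplete resident biometrics")
        if pkt.resident_biometric_quality is None or pkt.resident_biometric_quality < MIN_QUALITY:
            return self._reject_ghost(pkt, "resident biometrics missing or unusable")
        return True, "accepted for deduplication"

    def _reject_ghost(self, pkt: EnrolmentPacket, reason: str) -> Tuple[bool, str]:
        # A ghost packet blocks both the sending operator and the sending machine.
        self.blacklisted_operators.add(pkt.operator_id)
        self.blacklisted_machines.add(pkt.machine_id)
        return False, reason
```

A real pipeline would follow acceptance with the 1:N match of all captured biometrics against the existing database; this block only models the gate in front of it.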
It added that similar allegations were made before the Supreme Court (SC) when the Constitution Bench heard the Aadhaar case and the UIDAI responded to them at the time.

The SC started its final hearing on the constitutional validity of the Aadhaar Act in January. Following this, in March 2018, the SC’s five-judge bench asked UIDAI to prepare a PowerPoint presentation to identify the loopholes in the Aadhaar Act 2016 and address the misgivings about the security of the data collected by the UIDAI.

UIDAI CEO Ajay Bhushan Pandey, while presenting before the Supreme Court, had explained that all the personal data stored by Aadhaar is encrypted and can’t be hacked. He went on to claim that “it would take more than the age of the universe to break one encryption.”

The UIDAI also said operators found violating its strict enrolment and update processes, or indulging in fraudulent or corrupt practices, are blocked and blacklisted and levied a financial penalty of up to INR 1 Lakh per instance.
“It is because of this stringent and robust system that as on date more than 50,000 operators have been blacklisted,” the UIDAI added.
The development comes at a time when reports have surfaced that the personal data — names, PAN numbers, military ID numbers — of an undisclosed number of soldiers have been leaked and found to be publicly available on the websites of the defence ministry’s pay and account offices located across the country.

Earlier, the UIDAI mandated the use of face recognition for services such as the issuance of mobile SIM, banking services, public distribution system dole-outs, and marking of office attendance at government offices.

At the same time, the Delhi High Court will hear a plea seeking damages from the authority for its alleged failure to adopt adequate security measures, which led to the controversial Aadhaar data leaks.

The Supreme Court’s decision in the case challenging the constitutional validity of Aadhaar is also expected soon.
