India’s controversial biometric database, Aadhaar, has once again been compromised, according to a three-month investigation by HuffPost India.
In a report published Tuesday, HuffPost revealed the existence of a malicious patch that disables critical security features of the enrolment software, making it easier not only to create unauthorised Aadhaar numbers but also to fool the system’s biometric checks from virtually anywhere in the world.
The purpose of the patch, which is reportedly in widespread use and easily obtained for roughly ₹2500 (around $35), is not to grant access to information already in the database; rather, it allows unauthorised users to introduce information into it, that is, to create identities, potentially with fraudulent biometric data.
The Aadhaar system, launched in 2009, is the largest biometric identity program of its kind in the world, with more than one billion Indian residents enrolled. The 12-digit numbers are assigned by the Unique Identification Authority of India (UIDAI) and are linked to fingerprint and iris-scan data as a means of confirming the identity of anyone who works or resides in the country, including non-citizens.
The government’s intent was to create digital identities as a way to ensure access to welfare, health and education programs. The country hosts one of the largest populations of internal migrant workers, many of whom often carry no identification, making it difficult to prove who they are when travelling state to state.
The Aadhaar system has been widely criticised for its lack of a regulatory framework. The identities of hundreds of millions of people were imperilled last year alone by leaks of biometric and demographic data. In January, a group of journalists reported paying ₹500 (around $8) to obtain login credentials giving access to the database.
HuffPost India reports having obtained a copy of the patch, which essentially reverts portions of the enrolment client to earlier, less secure versions of the software. In one example of how the patch downgrades security, experts found that it lowers the matching threshold for iris recognition, reducing the failure rate to the point that the system can be fooled by a high-resolution photograph of an eye.
Installing the patch, which is reportedly in wide use at enrolment centres, is said to be relatively simple. HuffPost reports:
Using the patch is as simple as installing the enrolment software on a PC, and replacing a folder of Java libraries using the standard Control C, Control V cut-paste commands familiar to any computer user.
Once the patch is installed, enrolment operators no longer need to provide their fingerprint to use the enrolment software, the GPS is disabled, and the sensitivity of the iris scanner is reduced. This means that a single operator can log into multiple machines at the same time, reducing the cost per enrolment, and increasing their profits.
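What the quoted passage describes is a client-side integrity failure: the security checks (operator fingerprint, GPS, iris threshold) live in Java libraries on the operator’s own PC, so swapping a folder of jars is enough to remove them. The block below is an added example, not code from HuffPost India, UIDAI or the Aadhaar enrolment client, showing how a hash manifest detects such a swap: it fingerprints every file under a library directory, compares the result with the expected manifest, and reports replaced, missing and unexpected files. The directory layout, jar names and contents are constructed fixtures, not the real client’s files.

```python
"""Added example (not HuffPost India's or UIDAI's code): detect a swapped Java
library folder by comparing on-disk file hashes with an expected manifest.
All library names and contents below are constructed for illustration."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of one file, read in chunks so large jars do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(lib_dir):
    """Map relative path -> sha256 for every regular file under lib_dir."""
    result = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, lib_dir).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def verify_libs(lib_dir, manifest):
    """Compare the on-disk library tree with the expected manifest.

    Returns three sorted lists: 'modified' (present but hash differs, i.e. a
    library was replaced), 'missing' (removed) and 'unexpected' (dropped in).
    All three empty means the tree matches the manifest exactly.
    """
    actual = hash_tree(lib_dir)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def demo():
    """Constructed scenario: build a pristine lib/ tree, record its manifest,
    then apply a hypothetical 'patch' that replaces one jar, deletes another
    and adds a helper. Returns (verdict_before_patch, verdict_after_patch)."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.makedirs(lib)
        # Hypothetical jars standing in for the client's security-relevant libraries.
        originals = {
            "biometric-auth.jar": b"operator fingerprint check v2",
            "gps-check.jar": b"location enforcement v2",
            "iris-match.jar": b"iris threshold strict",
        }
        for name, data in originals.items():
            with open(os.path.join(lib, name), "wb") as f:
                f.write(data)
        manifest = hash_tree(lib)          # what a release manifest would record
        before = verify_libs(lib, manifest)

        # Simulated copy-paste 'patch': revert one library, drop one, add one.
        with open(os.path.join(lib, "biometric-auth.jar"), "wb") as f:
            f.write(b"operator fingerprint check v1 (no-op)")
        os.remove(os.path.join(lib, "gps-check.jar"))
        with open(os.path.join(lib, "patch-helper.jar"), "wb") as f:
            f.write(b"helper")
        after = verify_libs(lib, manifest)
        return before, after


if __name__ == "__main__":
    clean, patched = demo()
    print("pristine tree:", clean)
    print("patched tree: ", patched)
```

The caveat that matters in this case: a check like this is only useful if it runs somewhere the operator cannot edit. Run inside the same client that was just patched, it is one more jar to replace, and a manifest file sitting next to the libraries can be rewritten along with them. The manifest has to be signed by the issuer, and the comparison (or an attestation of its result) has to be enforced by the server before an enrolment packet is accepted; that is an assumption about good practice, not a description of how the Aadhaar client is built.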
Moreover, a single person using the patch would be able to create multiple entries in the Aadhaar database, reportedly allowing them, as one expert told HuffPost, to “siphon off rations of multiple people”.
After having their findings confirmed by multiple Indian and international experts, the reporters delivered them to the National Critical Information Infrastructure Protection Centre (NCIIPC), the principal Indian government agency responsible for protecting the nation’s critical information infrastructure.
Neither the UIDAI nor the NCIIPC could immediately be reached for comment. HuffPost India reports that Indian authorities were not responsive to its inquiries.