
AMN / NEW DELHI
The Unique Identification Authority of India (UIDAI) has dismissed news reports that the Aadhaar Enrolment Software is vulnerable to hacking. The authority termed the reports completely incorrect and irresponsible.
In a statement, the UIDAI said that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted. It also said, claims made in the report about Aadhaar being vulnerable to tampering to generate multiple Aadhaar cards is thousand , .
The UIDAI said it has taken full measures to ensure end-to-end security of resident data, tamper resistance, physical security, access control and network security. The authority further clarified that no operator can make or Aadhaar unless the resident himself gives his biometric.
Therefore, it is not possible to introduce ghost entries into the Aadhaar database. UIDAI has also advised people to approach only the authorized Aadhaar enrolment centres in bank branches, post offices and Government offices for their enrollment and updation.
According to an investigation by HuffPost India, the UIDAI Aadhaar software used to enrol new users and get them into the Aadhaar database may have been subjected to a hack using a software patch that disabled critical security features. This software patch is reportedly available for as low as Rs 2,500 and allows unauthorised people to log in as Aadhaar enrolment operators to register anyone and generate Aadhaar numbers, irrespective of the location from where the software is accessed.
This software patch basically compromises the inbuilt security features on the Aadhaar enrolment software on three fronts. First, it bypasses the need for authentication of the person using the software to enroll new people. Secondly, the patch disables the software’s inbuilt GPS security feature, letting anyone from anywhere access this software and enroll people. And finally, the patch reduces the sensitivity of the Aadhaar enrollment software’s iris recognition feature, thereby making it easier to manipulate the software using a photograph of the registered operator.
HuffPost India consulted with five experts to analyse and confirm the working mechanism of the patch. To prevent any more violations of the Aadhaar enrolment software via this patch, the entire enrolment system would have to be redesigned, according to one expert. The report states that the vulnerability may have been inserted in the patch during the time when Aadhaar enrolment software was used by private agencies to enrol people. According to a software architect at Mind Tree, a Bengaluru-based firm who worked on making the first Aadhaar enrolment software, which would be used by private Aadhaar operators registering citizens, security measures such as biometric authentication, GPS location and more were added to the software back in 2010. But subsequent software patches introduced vulnerabilities around 2017 which would bypass these security measures.
