Source: https://www.google.co.in/amp/s/amp.indiatimes.com/technology/news/your-worst-fears-are-realized-aadhaar-has-been-hacked-with-a-rs-2-500-software-patch-352859.html
According to HuffPost India, Aadhaar has been breached by a simple patch for the enrollment software, one that’s available for as little as the price of a domestic flight ticket. In a three-month-long investigation, the publication managed to get hold of said patch and had it analysed by both Indian and foreign cybersecurity experts.
The judgement was unanimous: Aadhaar can be hacked.
A patch for the Aadhaar enrollment software exists that can be obtained for as little as Rs 2,500. It allows someone located anywhere in the world to generate a unique 12-digit Aadhaar number at will. It lets a user bypass the core security feature of biometric authentication (fingerprints) of operators, thus allowing someone to generate an unauthorised Aadhaar number freely. It also disables the software’s GPS module, which is supposed to identify the physical location of an enrolment centre, thus allowing someone in another country to generate a fake ID. Lastly, it also tweaks and weakens the iris-recognition system in the software, making it easier to spoof with a photograph of the registered enrollment operator rather than needing them to be present.
As such, the personal and biometric data of billions of Indians, your data, is now compromised. Not to mention, of course, the national security implications this raises. Even worse is that, in addition to the low price of the patch, it’s pretty easily available simply by joining one of the many WhatsApp groups where it is being sold. Once you have that, all you need to do is install the enrollment software and patch and you’re good to go.
Basically, someone with their hands on this can’t view data, but can add any kind of data to the Central Repository Database, including addresses, mobile numbers, and bank details. Worse, the experts quoted in the piece say the exploit preys on design flaws incorporated during Aadhaar’s inception. This was back in 2010 when the government, wanting to speed up enrollment, allowed private third-party agencies to conduct enrollments as well. In addition, the platform designed for it was installed locally on computers around the country, as opposed to being run on UIDAI’s servers for instance, which would have made it more secure.