Update: UIDAI denied all reports of data hacking and said that no operator can make or update Aadhaar unless an individual gives biometrics details.
If you don't have Aadhaar number and want to generate one for yourself. Then you might just need Rs 2,500 to buy a software patch, which is a bunch of codes that will allow you to generate Aadhaar numbers at will.
According to HuffPost India report, based on a three-month investigation, the software patch helps disable critical security features of the software used to enroll new Aadhaar users.
The patch allows a user to bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers. It disables the enrolment software's inbuilt GPS security feature, which means anyone can use the software to enroll users from anywhere in the world.
It also further can weaken the sensitivity of the enrolment software iris-recognition system, which will allow users to spoof the software, the report quoted three internationally reputed experts as saying after analysing patches in their possession.
As per the experts, the security breach is because of an intrinsic problem with the fundamental structure of Aadhaar security system. The patch was assembled by grafting code from older versions of the Aadhaar enrolment software.
The patch is easily available. It can be installed just as any other software on a computer, and by changing certain Java libraries using cut-paste commands. Once installed, the patch reportedly helps enrolment operators to abandon the use of their fingerprints to access the enrolment software.
Payments are made through mobile wallets linked to phone numbers and it goes dead soon after the transactions are complete.
The development poses a threat to national security. As according to the Unique Identification Authority of India (UIDAI), about 121 crore Aadhaar card holders are in the country. It has been made one of the musts to have an ID for citizens.
Contrary to govt's claim, Aadhaar database security has been in question for years. It has been subject to leaks by various states and govt departments.
Among many leak reports, the one that stood out is The Tribune breach report in January that exposed access to Aadhaar data at Rs 500. In another instance, a sting operation by India Today revealed Aadhaar applicants data being sold at Rs 2-5 per record.
The leakage of data is a huge concern, which government has been unable to ensure.
Entrackr has reached out to UIDAI for reaction on the development. UIDAI said claims made in the report about Aadhaar being vulnerable to tampering leading to ghost entries in Aadhaar database by purportedly bypassing operators’ biometric authentication to generate multiple Aadhaar cards is totally baseless.
It said in a series of tweets.
#PressStatement
UIDAI hereby dismisses a news report appearing in social and online media about Aadhaar Enrolment Software being allegedly hacked as completely incorrect and irresponsible. 1/n— Aadhaar (@UIDAI) September 11, 2018
Its further claim “to introduce information” into Aadhaar database is completely unfounded as UIDAI matches all the biometric (10 fingerprints and both iris) of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing an Aadhaar. 5/n
— Aadhaar (@UIDAI) September 11, 2018
At present, UIDAI is working on a face recognition facility. It is aimed to bolster security by verifying users through facial recognition alongside iris and fingerprint scan.