A cheap patch for the enrollment software of the Indian government's Aadhaar system makes it possible to lower the software's security requirements so that identities can be created within the system more easily. The patch circulates on WhatsApp.
The Indian edition of HuffPost reports that these are the findings of a private investigation that took three months. The newspaper has consulted various security researchers and they confirm the findings. The patch is available in a large number of WhatsApp groups for an amount of 2500 rupees, approximately 30 euros.
The patch is intended for the enrollment software of the so-called Aadhaar system. That software is used to generate a twelve-digit number in the government system. This can then be linked to other data, such as fingerprints and iris scans. HuffPost reports that, because the patch is so easily available, the integrity of the data in the Aadhaar database is compromised.
With the patch it would be possible for ‘everyone in the world’ to generate Aadhaar numbers. The site writes: “This has significant consequences for national security, especially now that the Indian government has tried to make Aadhaar numbers the gold standard for the identification of citizens and to make them obligatory for the use of a mobile phone or to obtain access to a bank account.”
HuffPost explains that the government decided in 2010 to outsource the registration of people in the Aadhaar system to private parties, so that this would go faster. These parties were provided with the so-called Enrollment Client Multi-Platform software, which they had to install on their computers. The registration could also be done by village-level computer kiosks, which until February of this year accounted for a total of 180 million registrations. In that same month, the government decided to have only banks and government agencies carry out Aadhaar registrations, because of concerns about corruption. As a result, many people lost work and WhatsApp groups were created in order to be able to use the software.
One of the security experts interviewed told the site that it would have been safer to build a web-based system. That idea was rejected, however, because large parts of India had poor internet connectivity. The software does have security measures. For example, a computer must first be registered before it can be used for enrollment, the administrator must provide an iris scan or fingerprint for verification, and the computer must be connected to a GPS module to determine the location.
According to HuffPost, the patch makes it possible to circumvent these measures. For example, the biometric authentication can be switched off, as can the check for the presence of a GPS module. In addition, the requirements for an iris scan are reduced, making the software easier to fool with, for example, a photo. The installation of the patch would not be difficult; the site speaks of ‘cutting and pasting files’.
Indian government agencies have so far not responded to questions from HuffPost. One of the experts consulted told the site that the creation of Aadhaar numbers could, for example, lead to fraud with rations, which are allocated per person.
The Aadhaar data are managed by the so-called Unique Identification Authority of India, or UIDAI. A registration in the system serves as proof of identity but not as proof of citizenship. The system is controversial, partly due to doubts about its security and about the feasibility of its objectives, such as the elimination of duplicate and false identities and quick and simple verification. The first number was issued in 2010 and by now about 1.2 billion numbers have been issued among the more than 1.3 billion inhabitants of India.