New Delhi: Modified or ‘jailbroken’ versions of Aadhaar enrolment software – which can theoretically be used by anybody to add new entries to the UID database or modify their own existing entries – are being sold by rogue operators for Rs 500 to Rs 2,000, according to a report published on Tuesday by Asia Times.
If correct, this cracked software could allow anyone to create new Aadhaar numbers without accompanying identity proof or documentation, leading to major national security implications.
The official enrolment software, known as ECMP, was developed to allow authorised operators to register people so that they could get an Aadhaar number.
Given the sensitive nature of the data that flows through the software, ECMP came with two safeguards. One, it asks for the biometrics of the authorised operator and two, it uses geolocation data to ensure that the data is being collected by someone with authorisation and that the process is being carried out at a secure and mandated location.
It appears that these safeguards have now been compromised.
“Messages posted in several WhatsApp groups among Punjab-based operators began to surface at the end of last year, offering to sell a ‘jailbreak’ version of the software. This version, to be installed on the laptops of anyone willing to pay the amount, could bypass the biometric and geo-location safeguards,” the report notes.
“This basically meant that anyone posing as an ‘authorised operator’ could make changes to the data and enrol new people from anywhere and pass their information off as legitimate. This is easier as the number is only proof of residency and not citizenship,” the report adds.
According to the report, the Unique Identification Authority of India (UIDAI) and state police across the country have, in the last six months, already received complaints of criminal groups bypassing the biometric safeguards of the software.
What are the implications?
There are two broad implications for national security from this vulnerability.
Firstly, as the Asia Times report points out, it could theoretically allow the creation of new Aadhaar numbers for fake people, ghosts or worse, even foreign nationals and potential terrorists who have never even visited India.
Secondly, it allows anyone with access to the cracked software to update their own Aadhaar information, such as address details, without any checks or validation from the authorities.
According to the report, at least three separate attempts by different parties have been made to inform the UIDAI of the security loophole in the enrolment software, but the Aadhaar agency is yet to respond.