- May 01, 2018 Aadhaar enrollment operators use a software provided by the UIDAI, called ECMP (Enrollment Client Multi Platform), to collect or update an individuals information in the Aadhaar database.
- Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for.
New Delhi: Modified or ‘jailbroken’ versions of Aadhaar enrolment software – which can theoretically be used by anybody to add new entries to the UID database or modify their own existing entries – are being sold by rogue operators for Rs 500 to Rs 2,000, according to a report published on Tuesday by Asia Times.
If correct, this cracked software could allow anyone to create new Aadhaar numbers without accompanying identity proof or documentation, leading to major national security implications.
The official enrolment software, known as ECMP, was developed to allow authorised operators to register people so that they could get an Aadhaar number.
The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.
Given the sensitive nature of the data that flows through the software, ECMP came with two safeguards. One, it asks for the biometrics of the authorised operator and two, it uses geolocation data to ensure that the data being collected is being done by someone with authorisation and that the process is being carried out a secure and mandated location.
It appears that these safeguards have now been compromised.
“Messages posted in several WhatsApp groups among Punjab-based operators began to surface at the end of last year, offering to sell a “jailbreak” version of the software. This version, to be installed on the laptops of anyone willing to pay the amount, could bypass the biometric and geo-location safeguards,” the report notes.
“This basically meant that anyone posing as an “authorised operator” could make changes to the data and enrol new people from anywhere and pass their information off as legitimate. This is easier as the number is only proof of residency and not citizenship,” the report adds.
According to the report, the Unique Identification Authority of India (UIDAI) and state police across the country have already in the last six months received complaints of criminal groups bypassing the biometric safeguards of the software.
What are the implications?
There are two broad implications for national security from this vulnerability.
Firstly, as the Asia Times report points out, it could theoretically allow the creation of new Aadhaar numbers for fake people, ghosts or worse, even foreign nationals and potential terrorists who have never even visited India.
Secondly, it allows anyone with access to the cracked software to update their own Aadhaar information, such as address details, without any checks or validation from the authorities.
According to the report, at least three separate attempts by different parties have been made to inform the UIDAI of the security loophole in the enrolment software, but the Aadhaar agency is yet to respond.
Aadhaar enrollment operators use a software provided by the UIDAI to collect or update information about individuals to be entered or updated into the Aadhaar database. This software is called the ECMP (Enrollment Client Multi Platform) and the UIDAI has claimed in the Supreme Court that it is extremely secure, to the point that not even the enrollment operators have access to the biometrics collected by the software.
The software uses the Aadhaar operator’s biometrics to grant them access to perform enrollments or updation.
This software is now reported to be cracked and available to buy illegally in the form of a “jailbreak” version. WhatsApp groups of former Aadhaar operators have this software for sale for as little as Rs. 500 to 2000 a copy, Asia Times reports.
Details provided by the Asia Times report show that the security measures to prevent unauthorized access have been bypassed, as the cracked software comes preconfigured with valid biometrics and user credentials of authorized operators. A patch bypasses the geo-location constraints coded into the original software, allowing the illegal users to bypass checks that restrict access to authorized locations and centres.
If, this is correct, the UIDAI, may not be able to identify either those who created and distributed the software, or those who use it, as the identifying details being sent by the software are manipulated to reflect authorized operators.
The Asia Times claims to have had the software examined by two information security professionals who confirmed that the software had been successfully cracked and that the “Jailbreak” version of UIDAI’s ECMP software does indeed do what it promises – to allow anyone to access the system as an Aadhaar operator and register or update Aadhaar numbers as any authorized Aadhaar operator can do.
According to the experts Asia Times spoke with, who examined the cracked software, the disabling of UIDAI’s security is so complete that anyone could update the Aadhaar data from anywhere in the world without even have ever been to India.
This, of course is a better quality of cracked software than the one that bypassed iris authentication that was used in the Kanpur Aadhaar Enrolment Scam (Update: as well as in the Amroha Aadhaar Enrolment Scam)