Identity Project

How secure is Aadhaar? Gang arrested in Uttar Pradesh cloned its enrolment software

The Aadhaar authority, however, continues to maintain that the gang’s operation did not affect its database and processing system.

The Unique Identity Development Authority of India has always insisted that its database, which holds the biometrics of around 1.17 billion Indian residents, has never been breached.

However, a different vulnerability for India’s controversial unique identity project, also known as Aadhaar, was revealed last week when the police busted a racket in Kanpur, Uttar Pradesh, whose operators had cloned the Aadhaar client application. According to the police, the gang sold this replica to people, which potentially allowed them to run unauthorised enrolment centres where illegitimate Aadhaar numbers could be generated. Aadhaar is the 12-digit biometrically linked unique identification number that the government wants every Indian resident to have

The gang may have been caught after a complaint by the Unique Identity Development Authority of India – with 10 people arrested – but cyber security experts say the incident should bring the focus back on the state of security of the entire Aadhaar ecosystem, which has been plagued with leaks.

The Aadhaar authority, however, continues to maintain that the gang’s operation did not affect its database and processing system.

Responding to the arrests, the Unique Identity Development Authority of India said in a statement on Tuesday that it had noticed an unusually high number of logins into the client application by a few authorised operators, after which it filed a complaint with the police on August 16. It said: “The attempt to generate fake Aadhaar cards was foiled by the robust UIDAI system and the arrested gang could not succeed in its nefarious and illegal designs.”

The police is yet to ascertain the gang’s scale of operations. For this, it will need to establish how many people the gang sold the replica application to. The police would also have to facilitate an enrolment audit, a task in which the Unique Identity Development Authority of India will have to determine which Aadhaar numbers were generated by unauthorised persons using the cloned app.

Elaborate operation

The Aadhaar client application is only provided to authorised enrolment centres. Its operators are required to log in through a biometric system in which their fingerprints are scanned to check if they are authorised.

The members of the gang allegedly made copies of the login details of registered operators, including their fingerprints, and gained unauthorised access to the application, the police said. The fingerprints were replicated with the help of butter paper, and treated with chemicals and ultraviolet rays at different temperatures to create a mould using gelatin gel and latex, it said.

A few months ago, the Aadhaar authority added another layer of security to the login process for enrolment operators, making iris recognition mandatory for them to access the client application, the police said.

“But by then it was too late,” said Triveni Singh, additional superintendent of police with the Uttar Pradesh police’s Special Task Force. “The gang had already created a replica of the client application in which they had bypassed both the fingerprint and iris recognition requirements, and had started selling copies of the replica for Rs 5,000 each to individuals.”

Individuals who purchased the cloned application could log into the system using the basic login details of registered enrolment operators, which the gang members shared with them. Because the application had been altered, the biometric requirements were no longer mandatory, the police said.

“We are yet to track down the individuals to whom the cloned client application was sold,” said Singh. “Only then we will be able to ascertain details of the illegitimate Aadhaar enrolments they had carried out,” he added.

(Photo credit: Wikimedia Commons).
(Photo credit: Wikimedia Commons).

Cyber security of the Aadhaar ecosystem

According to cyber security expert Pavan Duggal, the cloning racket is a wake-up call for the Unique Identity Development Authority of India. “It has exposed the inadequacy of the Aadhaar framework in terms of cyber security,” he said. “Fishing out unauthorised Aadhaar cards, if any, from the system will be a massive challenge. The incident definitely raises concerns about the cyber security of the Aadhaar ecosystem, which the Aadhaar Act is silent about.”

He said that when the Aadhaar Act was enacted in 2016 the government’s plans to link Aadhaar with bank accounts, permanent account numbers, mobile phone numbers and so on, were not in place. Now Aadhaar has become part of an ecosystem in cyber space and it remains unprotected, he said. “The law has to be amended to take care of that,” he added.

Leaked source code

But how was it possible to make a clone of the client application so easily?

“The gang members had access to the source code of the original Aadhaar client application,” Triveni Singh said. “They tampered with it slightly just to bypass the biometric requirements for the login. It looks like they were helped by someone who is an expert in software development. We also suspect the involvement of an UIDAI [Unique Identity Development Authority of India] insider.”

The source code is a set of computer instructions to build an application, written in a readable programming language.

According to cyber security expert Kislay Chaudhary, who works as a consultant with several government agencies, tampering with the source code of a website or application and creating a duplicate with little modifications is easy.

“The strength of any source code depends on the expertise of the software developers and web developers hired by an agency to design an application or website,” he said. “Many government agencies have websites that are literally copy-paste models, with their source codes almost entirely borrowed from others. They can be easily replicated.”

He added that the Kanpur cloning has clearly exposed the vulnerability of Aadhaar as far as cyber security is concerned, and that it was high time the Unique Identity Development Authority of India came out of its state of denial.

UIDAI’s statement

In its statement, besides claiming that its inbuilt safeguards were responsible for foiling the racket, the Unique Identification Authority of India drew attention to its efforts to put an end to malpractices. It said it conducts regular field investigations, and based on these investigations, operators and supervisors found involved in malpractices are blacklisted for up to five years, and even fined. It added that in the past nine months it has blacklisted around 49,000 operators for corrupt practices and fined 6,566 operators for overcharging to issue Aadhaar numbers.

We welcome your comments at letters@scroll.in.
Sponsored Content BY 

“My body instantly craves chai and samosa”

German expats talk about adapting to India, and the surprising similarities between the two cultures.

The cultural similarities between Germany and India are well known, especially with regards to the language. Linguists believe that Sanskrit and German share the same Indo-Germanic heritage of languages. A quick comparison indeed holds up theory - ratha in Sanskrit (chariot) is rad in German, aksha (axle) in Sanskrit is achse in German and so on. Germans have long held a fascination for Indology and Sanskrit. While Max Müller is still admired for his translation of ancient Indian scriptures, other German intellectuals such as Goethe, Herder and Schlegel were deeply influenced by Kalidasa. His poetry is said to have informed Goethe’s plays, and inspired Schlegel to eventually introduce formal Indology in Germany. Beyond the arts and academia, Indian influences even found their way into German fast food! Indians would recognise the famous German curry powder as a modification of the Indian masala mix. It’s most popular application is the currywurst - fried sausage covered in curried ketchup.

It is no wonder then that German travellers in India find a quite a lot in common between the two cultures, even today. Some, especially those who’ve settled here, even confess to Indian culture growing on them with time. Isabelle, like most travellers, first came to India to explore the country’s rich heritage. She returned the following year as an exchange student, and a couple of years later found herself working for an Indian consultancy firm. When asked what prompted her to stay on, Isabelle said, “I love the market dynamics here, working here is so much fun. Anywhere else would seem boring compared to India.” Having cofounded a company, she eventually realised her entrepreneurial dream here and now resides in Goa with her husband.

Isabelle says there are several aspects of life in India that remind her of home. “How we interact with our everyday life is similar in both Germany and India. Separate house slippers to wear at home, the celebration of food and festivals, the importance of friendship…” She feels Germany and India share the same spirit especially in terms of festivities. “We love food and we love celebrating food. There is an entire countdown to Christmas. Every day there is some dinner or get-together,” much like how Indians excitedly countdown to Navratri or Diwali. Franziska, who was born in India to German parents, adds that both the countries exhibit the same kind of passion for their favourite sport. “In India, they support cricket like anything while in Germany it would be football.”

Having lived in India for almost a decade, Isabelle has also noticed some broad similarities in the way children are brought up in the two countries. “We have a saying in South Germany ‘Schaffe Schaffe Hausle baue’ that loosely translates to ‘work, work, work and build a house’. I found that parents here have a similar outlook…to teach their children to work hard. They feel that they’ve fulfilled their duty only once the children have moved out or gotten married. Also, my mother never let me leave the house without a big breakfast. It’s the same here.” The importance given to the care of the family is one similarity that came up again and again in conversations with all German expats.

While most people wouldn’t draw parallels between German and Indian discipline (or lack thereof), Germans married to Indians have found a way to bridge the gap. Take for example, Ilka, who thinks that the famed differences of discipline between the two cultures actually works to her marital advantage. She sees the difference as Germans being highly planning-oriented; while Indians are more flexible in their approach. Ilka and her husband balance each other out in several ways. She says, like most Germans, she too tends to get stressed when her plans don’t work out, but her husband calms her down.

Consequently, Ilka feels India is “so full of life. The social life here is more happening; people smile at you, bond over food and are much more relaxed.” Isabelle, too, can attest to Indians’ friendliness. When asked about an Indian characteristic that makes her feel most at home, she quickly answers “humour.” “Whether it’s a taxi driver or someone I’m meeting professionally, I’ve learnt that it’s easy to lighten the mood here by just cracking a few jokes. Indians love to laugh,” she adds.

Indeed, these Germans-who-never-left as just diehard Indophiles are more Indian than you’d guess at first, having even developed some classic Indian skills with time. Ilka assures us that her husband can’t bargain as well as she does, and that she can even drape a saree on her own.

Isabelle, meanwhile, feels some amount of Indianness has seeped into her because “whenever its raining, my body instantly craves chai and samosa”.

Like the long-settled German expats in India, the German airline, Lufthansa, too has incorporated some quintessential aspects of Indian culture in its service. Recognising the centuries-old cultural affinity between the two countries, Lufthansa now provides a rich experience of Indian hospitality to all flyers on board its flights to and from India. You can expect a greeting of Namaste by an all-Indian crew, Indian food, and popular Indian in-flight entertainment options. And as the video shows, India’s culture and hospitality have been internalized by Lufthansa to the extent that they are More Indian Than You Think. To experience Lufthansa’s hospitality on your next trip abroad, click here.

Play

This article was produced by the Scroll marketing team on behalf of Lufthansa as part of their More Indian Than You Think initiative and not by the Scroll editorial team.