Identity Project

How secure is Aadhaar? Gang arrested in Uttar Pradesh cloned its enrolment software

The Aadhaar authority, however, continues to maintain that the gang’s operation did not affect its database and processing system.

The Unique Identity Development Authority of India has always insisted that its database, which holds the biometrics of around 1.17 billion Indian residents, has never been breached.

However, a different vulnerability for India’s controversial unique identity project, also known as Aadhaar, was revealed last week when the police busted a racket in Kanpur, Uttar Pradesh, whose operators had cloned the Aadhaar client application. According to the police, the gang sold this replica to people, which potentially allowed them to run unauthorised enrolment centres where illegitimate Aadhaar numbers could be generated. Aadhaar is the 12-digit biometrically linked unique identification number that the government wants every Indian resident to have

The gang may have been caught after a complaint by the Unique Identity Development Authority of India – with 10 people arrested – but cyber security experts say the incident should bring the focus back on the state of security of the entire Aadhaar ecosystem, which has been plagued with leaks.

The Aadhaar authority, however, continues to maintain that the gang’s operation did not affect its database and processing system.

Responding to the arrests, the Unique Identity Development Authority of India said in a statement on Tuesday that it had noticed an unusually high number of logins into the client application by a few authorised operators, after which it filed a complaint with the police on August 16. It said: “The attempt to generate fake Aadhaar cards was foiled by the robust UIDAI system and the arrested gang could not succeed in its nefarious and illegal designs.”

The police is yet to ascertain the gang’s scale of operations. For this, it will need to establish how many people the gang sold the replica application to. The police would also have to facilitate an enrolment audit, a task in which the Unique Identity Development Authority of India will have to determine which Aadhaar numbers were generated by unauthorised persons using the cloned app.

Elaborate operation

The Aadhaar client application is only provided to authorised enrolment centres. Its operators are required to log in through a biometric system in which their fingerprints are scanned to check if they are authorised.

The members of the gang allegedly made copies of the login details of registered operators, including their fingerprints, and gained unauthorised access to the application, the police said. The fingerprints were replicated with the help of butter paper, and treated with chemicals and ultraviolet rays at different temperatures to create a mould using gelatin gel and latex, it said.

A few months ago, the Aadhaar authority added another layer of security to the login process for enrolment operators, making iris recognition mandatory for them to access the client application, the police said.

“But by then it was too late,” said Triveni Singh, additional superintendent of police with the Uttar Pradesh police’s Special Task Force. “The gang had already created a replica of the client application in which they had bypassed both the fingerprint and iris recognition requirements, and had started selling copies of the replica for Rs 5,000 each to individuals.”

Individuals who purchased the cloned application could log into the system using the basic login details of registered enrolment operators, which the gang members shared with them. Because the application had been altered, the biometric requirements were no longer mandatory, the police said.

“We are yet to track down the individuals to whom the cloned client application was sold,” said Singh. “Only then we will be able to ascertain details of the illegitimate Aadhaar enrolments they had carried out,” he added.

(Photo credit: Wikimedia Commons).
(Photo credit: Wikimedia Commons).

Cyber security of the Aadhaar ecosystem

According to cyber security expert Pavan Duggal, the cloning racket is a wake-up call for the Unique Identity Development Authority of India. “It has exposed the inadequacy of the Aadhaar framework in terms of cyber security,” he said. “Fishing out unauthorised Aadhaar cards, if any, from the system will be a massive challenge. The incident definitely raises concerns about the cyber security of the Aadhaar ecosystem, which the Aadhaar Act is silent about.”

He said that when the Aadhaar Act was enacted in 2016 the government’s plans to link Aadhaar with bank accounts, permanent account numbers, mobile phone numbers and so on, were not in place. Now Aadhaar has become part of an ecosystem in cyber space and it remains unprotected, he said. “The law has to be amended to take care of that,” he added.

Leaked source code

But how was it possible to make a clone of the client application so easily?

“The gang members had access to the source code of the original Aadhaar client application,” Triveni Singh said. “They tampered with it slightly just to bypass the biometric requirements for the login. It looks like they were helped by someone who is an expert in software development. We also suspect the involvement of an UIDAI [Unique Identity Development Authority of India] insider.”

The source code is a set of computer instructions to build an application, written in a readable programming language.

According to cyber security expert Kislay Chaudhary, who works as a consultant with several government agencies, tampering with the source code of a website or application and creating a duplicate with little modifications is easy.

“The strength of any source code depends on the expertise of the software developers and web developers hired by an agency to design an application or website,” he said. “Many government agencies have websites that are literally copy-paste models, with their source codes almost entirely borrowed from others. They can be easily replicated.”

He added that the Kanpur cloning has clearly exposed the vulnerability of Aadhaar as far as cyber security is concerned, and that it was high time the Unique Identity Development Authority of India came out of its state of denial.

UIDAI’s statement

In its statement, besides claiming that its inbuilt safeguards were responsible for foiling the racket, the Unique Identification Authority of India drew attention to its efforts to put an end to malpractices. It said it conducts regular field investigations, and based on these investigations, operators and supervisors found involved in malpractices are blacklisted for up to five years, and even fined. It added that in the past nine months it has blacklisted around 49,000 operators for corrupt practices and fined 6,566 operators for overcharging to issue Aadhaar numbers.

Support our journalism by subscribing to Scroll+ here. We welcome your comments at letters@scroll.in.
Sponsored Content BY 

Get ready for an 80-hour shopping marathon

Here are some tips that’ll help you take the lead.

Starting 16th July at 4:00pm, Flipkart will be hosting its Big Shopping Days sale over 3 days (till 19th July). This mega online shopping event is just what a sale should be, promising not just the best discounts but also buying options such as no cost EMIs, buyback guarantee and product exchanges. A shopping festival this big, packed with deals that you can’t get yourself to refuse, can get overwhelming. So don’t worry, we’re here to tell you why Big Shopping Days is the only sale you need, with these helpful hints and highlights.

Samsung Galaxy On Nxt (64 GB)

A host of entertainment options, latest security features and a 13 MP rear camera that has mastered light come packed in sleek metal unibody. The sale offers an almost 40% discount on the price. Moreover, there is a buyback guarantee which is part of the deal.

Original price: Rs. 17,900

Big Shopping Days price: Rs. 10,900

Samsung 32 inches HD Ready LED TV

Another blockbuster deal in the sale catalogue is this audio and visual delight. Apart from a discount of 41%, the deal promises no-cost EMIs up to 12 months.

Original price: Rs. 28,890

Big Shopping Days price: Rs. 10,900

Intel Core I3 equipped laptops

These laptops will make a thoughtful college send-off gift or any gift for that matter. Since the festive season is around the corner, you might want to make use of this sale to bring your A-game to family festivities.

Original price: Rs. 25,590

Big Shopping Days price: Rs. 21,900

Fashion

If you’ve been planning a mid-year wardrobe refresh, Flipkart’s got you covered. The Big Shopping Days offer 50% to 80% discount on men’s clothing. You can pick from a host of top brands including Adidas and Wrangler.

With more sale hours, Flipkart’s Big Shopping Days sale ensures we can spend more time perusing and purchasing these deals. Apart from the above-mentioned products, you can expect up to 80% discount across categories including mobiles, appliances, electronics, fashion, beauty, home and furniture.

Features like blockbuster deals that are refreshed every 8 hours along with a price crash, rush hour deals from 4-6 PM on the starting day and first-time product discounts makes this a shopping experience that will have you exclaiming “Sale ho to aisi! (warna na ho)”

Set your reminders and mark your calendar, Flipkart’s Big Shopping Days starts 16th July, 4 PM and end on 19th July. To participate in 80 hours of shopping madness, click here.

Play

This article was produced by the Scroll marketing team on behalf of Flipkart and not by the Scroll editorial team.