The Unique Identity Development Authority of India has always insisted that its database, which holds the biometrics of around 1.17 billion Indian residents, has never been breached.

However, a different vulnerability for India’s controversial unique identity project, also known as Aadhaar, was revealed last week when the police busted a racket in Kanpur, Uttar Pradesh, whose operators had cloned the Aadhaar client application. According to the police, the gang sold this replica to people, which potentially allowed them to run unauthorised enrolment centres where illegitimate Aadhaar numbers could be generated. Aadhaar is the 12-digit biometrically linked unique identification number that the government wants every Indian resident to have

The gang may have been caught after a complaint by the Unique Identity Development Authority of India – with 10 people arrested – but cyber security experts say the incident should bring the focus back on the state of security of the entire Aadhaar ecosystem, which has been plagued with leaks.

The Aadhaar authority, however, continues to maintain that the gang’s operation did not affect its database and processing system.

Responding to the arrests, the Unique Identity Development Authority of India said in a statement on Tuesday that it had noticed an unusually high number of logins into the client application by a few authorised operators, after which it filed a complaint with the police on August 16. It said: “The attempt to generate fake Aadhaar cards was foiled by the robust UIDAI system and the arrested gang could not succeed in its nefarious and illegal designs.”

The police is yet to ascertain the gang’s scale of operations. For this, it will need to establish how many people the gang sold the replica application to. The police would also have to facilitate an enrolment audit, a task in which the Unique Identity Development Authority of India will have to determine which Aadhaar numbers were generated by unauthorised persons using the cloned app.

Elaborate operation

The Aadhaar client application is only provided to authorised enrolment centres. Its operators are required to log in through a biometric system in which their fingerprints are scanned to check if they are authorised.

The members of the gang allegedly made copies of the login details of registered operators, including their fingerprints, and gained unauthorised access to the application, the police said. The fingerprints were replicated with the help of butter paper, and treated with chemicals and ultraviolet rays at different temperatures to create a mould using gelatin gel and latex, it said.

A few months ago, the Aadhaar authority added another layer of security to the login process for enrolment operators, making iris recognition mandatory for them to access the client application, the police said.

“But by then it was too late,” said Triveni Singh, additional superintendent of police with the Uttar Pradesh police’s Special Task Force. “The gang had already created a replica of the client application in which they had bypassed both the fingerprint and iris recognition requirements, and had started selling copies of the replica for Rs 5,000 each to individuals.”

Individuals who purchased the cloned application could log into the system using the basic login details of registered enrolment operators, which the gang members shared with them. Because the application had been altered, the biometric requirements were no longer mandatory, the police said.

“We are yet to track down the individuals to whom the cloned client application was sold,” said Singh. “Only then we will be able to ascertain details of the illegitimate Aadhaar enrolments they had carried out,” he added.

(Photo credit: Wikimedia Commons).

Cyber security of the Aadhaar ecosystem

According to cyber security expert Pavan Duggal, the cloning racket is a wake-up call for the Unique Identity Development Authority of India. “It has exposed the inadequacy of the Aadhaar framework in terms of cyber security,” he said. “Fishing out unauthorised Aadhaar cards, if any, from the system will be a massive challenge. The incident definitely raises concerns about the cyber security of the Aadhaar ecosystem, which the Aadhaar Act is silent about.”

He said that when the Aadhaar Act was enacted in 2016 the government’s plans to link Aadhaar with bank accounts, permanent account numbers, mobile phone numbers and so on, were not in place. Now Aadhaar has become part of an ecosystem in cyber space and it remains unprotected, he said. “The law has to be amended to take care of that,” he added.

Leaked source code

But how was it possible to make a clone of the client application so easily?

“The gang members had access to the source code of the original Aadhaar client application,” Triveni Singh said. “They tampered with it slightly just to bypass the biometric requirements for the login. It looks like they were helped by someone who is an expert in software development. We also suspect the involvement of an UIDAI [Unique Identity Development Authority of India] insider.”

The source code is a set of computer instructions to build an application, written in a readable programming language.

According to cyber security expert Kislay Chaudhary, who works as a consultant with several government agencies, tampering with the source code of a website or application and creating a duplicate with little modifications is easy.

“The strength of any source code depends on the expertise of the software developers and web developers hired by an agency to design an application or website,” he said. “Many government agencies have websites that are literally copy-paste models, with their source codes almost entirely borrowed from others. They can be easily replicated.”

He added that the Kanpur cloning has clearly exposed the vulnerability of Aadhaar as far as cyber security is concerned, and that it was high time the Unique Identity Development Authority of India came out of its state of denial.

UIDAI’s statement

In its statement, besides claiming that its inbuilt safeguards were responsible for foiling the racket, the Unique Identification Authority of India drew attention to its efforts to put an end to malpractices. It said it conducts regular field investigations, and based on these investigations, operators and supervisors found involved in malpractices are blacklisted for up to five years, and even fined. It added that in the past nine months it has blacklisted around 49,000 operators for corrupt practices and fined 6,566 operators for overcharging to issue Aadhaar numbers.