A software hack that can bypass some critical security features of the Aadhaar enrolment platform is available on WhatsApp groups for as little as Rs 2,500, HuffPost India reported on Tuesday. The hack can help unauthorised people, based anywhere in the world, generate Aadhaar numbers at will.

Hundreds of videos by private enrolment operators, with steps on how to install the hack, are available on YouTube. Operators no longer authorised to enrol people for Aadhaar told HuffPost India they can still generate enrolment IDs using the hack. An operator can use it to log into multiple computers at the same time, reducing the enrolment cost and increasing profits. Normally, only authorised computers can register citizens for Aadhaar.

However, the Unique Identification Authority of India denied the claims as “completely incorrect and baseless”.

The hack can defeat many aims of Aadhaar, such as reducing corruption and eliminating fraud in government welfare schemes, experts were quoted as saying.

“If anybody is able to create an entry in the Aadhaar database, then potentially the person can create multiple Aadhaar cards,” Rajendran Narayanan, assistant professor at Bengaluru’s Azim Premji University, told HuffPost India. “Then the same person can siphon off rations of multiple people. Since there are fixed quotas for rations, this would mean that several genuine beneficiaries would be excluded.”

Former operators who admitted to generating enrolment IDs with the hack said they have tied up with people at authorised centres who complete the registration process for a fee. Generating an enrolment ID is only the first step in creating an Aadhaar entry.

The hack

The enrolment software, “Enrolment Client Multi-Platform”, developed by Mindtree, was installed on the computers of all operators to help citizens enrol for Aadhaar. Authorised operators needed to verify their fingerprint or iris scan to log in. The software also had a GPS device attached to ensure the enrolment was done in authorised centres.

The patch, however, lets users of the enrolment software bypass security features such as biometric authentication of operators, disables its GPS feature and reduces the sensitivity of its iris recognition system, according to HuffPost India. It began circulating among private authorised enrolment operators by early 2017.

Disabling the GPS feature can allow anyone anywhere to use the software to enrol users, while the hack to the iris recognition system means the authorised operator need not be present to authenticate the enrolment process – even though the Unique Identification Authority of India blacklisted 49,000 enrolment centres for various violations in 2017.

The hack and the login information for Aadhaar enrolment is available on thousands of WhatsApp groups for a fee, paid to mobile wallets linked to phone numbers that are deactivated soon after the transactions, according to HuffPost India.

Authorities from the National Critical Information Infrastructure Protection Centre and UIDAI did not respond to the website’s investigation.

Gustaf Björksten, a global technology policy expert, told the website: “Whoever created the patch was highly motivated to compromise Aadhaar. There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile. To have any hope of securing Aadhaar, the system design would have to be radically changed.”

Bengaluru-based cyber security analyst Anand Venkatanarayanan has shared his findings about the patch with the National Critical Information Infrastructure Protection Centre, a government agency.