NEW DELHI—On 10 September, HuffPost India revealed that an inexpensive, freely available, software patch had critically undermined the integrity of India's controversial Aadhaar identity database by letting unauthorised persons, based anywhere in the world, alter information stored in the database and enrol new users at will.
The Unique Identification Authority of India (UIDAI), the agency responsible for Aadhaar, dismissed the story in a series of tweets. HuffPost Indianoted that the authority had not responded to the key points raised by our article.
Now, analysis by Orlando Padilla, founder of NoMotion Software LLC, a specialised cybersecurity firm that has worked on network security for the Olympics, the Israeli police, aerospace and defence companies like Northrop Grumman, and the US Department of Homeland Security, reveals the hackers made 26 separate code-level changes to the enrolment software—reiterating concerns that the hack is the work of skilled and sophisticated adversaries working to a clear plan.
One key additional change noted by Padilla is that the software also overrides biometric security features associated with enrolment supervisors—who are responsible for overseeing the actions of enrolment operators.
(Padilla analysed the patch on HuffPost India's request, but his analysis came in a little after our publishing schedule, which is why it wasn't included in the original article.)
The full list of changes is published in the latter section of this article, but to appreciate them, we urge our readers to go through the context below.
In this post, HuffPost India will also address the UIDAI's comments in greater detail, and respond to questions raised by readers in messages and emails to our reporters.
Internationally reputed experts, who analysed the malicious patch, told HuffPost India three things:
A malicious patch, sold on WhatsApp for as little as Rs 2,500, lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.
The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.
The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
Once you sift through the ad hominem attacks and blanket assertions, the core of the UIDAI's argument lies in the following tweets:
...the same is identified by the robust backend system of UIDAI, and all such enrolment packets get rejected and no Aadhaar is generated. 15/n
— Aadhaar (@UIDAI) September 11, 2018
The tweets suggest that the UIDAI is banking on the paucity of public information on the enrolment process to make a series of unsupported claims about the security of its systems.
To understand the nature of the hack, and why the UIDAI needs to substantiate its denials, we need to understand how the Enrolment Client Multi-Platform or (ECMP)—the software attacked by the hackers—works.
The ECMP is, in UIDAI parlance, an "offline client", meaning the system can enrol users and update their information without an active internet connection—for instance, a rural area with poor connectivity.
The software saves changes locally, on the computer on which it is installed, and then uploads the information once an internet connection is available.
The ECMP's key security feature is a requirement that an authorised operator, and if needed her supervisor, biometrically "sign off" on enrolments and updates to Aadhaar information by pressing their finger onto a biometric reader. Once the operator or supervisor sign off, the ECMP creates a file, called an enrolment packet, which is then sent to UIDAI servers.
The UIDAI claims that their back-end software analyses both the enrolment packet and the cluster of information attached to the packet—called meta-data.
The crucial question is — what is the enrolment meta-data collected by the UIDAI?
Is the meta-data a record of actions performed by the operator — for instance, a biometric sign-off from an authorised machine?
Does the meta-data include a time-stamped image, or image template, of the operator's biometrics captured in real time?
The UIDAI must provide an answer.
Publicly available UIDAI documents, and interviews with experts who have examined the enrolment client, suggest the former: the meta-data is likely a record of an offline process in which the biometric sign-off of the enrolment operator is matched against her biometrics stored locally on the hard-drive of the computer doing the enrolment.
How do we know this? Because the UIDAI tells us.
This document, titled Installation and Configuration of Aadhaar Enrolment Client, for instance, makes clear that the process of registering an authorised enrolment operator involves downloading her biometrics onto a certified enrolment computer:
The software patch attacks precisely this vulnerability—that biometric sign-off is an offline process that can be spoofed so that enrolment packets created by the hacked software are indistinguishable from the real thing.
If the UIDAI has a way to distinguish between these packets, they must provide clear code, and process-level evidence.
At this stage, it is worth noting that HuffPost India offered to send the UIDAI the patch three months prior to publishing the story. The UIDAI chose not to engage, and published a rebuttal hours after the story was published—without analysing the code.
It seems the UIDAI is aware that bypassing biometric sign-offs is technically possible because another enrolment training module lays out putative fines for doing so.
In HuffPost India's original story, we reported on how the malicious software patch made three key functional changes to the enrolment software.
Now a deep analysis by Padilla, one of the experts approached by HuffPost India, has pointed to 26 verified, and two partially verified, changes to the software.
Most of the changes, Padilla's analysis reveals, have been effected by altering 4 ".jar" files in the enrolment software's Java library.
HuffPost India is withholding the names of the jar files to preserve what little security the UIDAI's software still has.
The verified changes in code translate into the following changes in functionality:
- All biometric authentication disabled.
- Operators can log in without biometric authentication.
- Supervisor biometric authentication can also be over-ridden.
- Login Failure has been patched to allow operators to log in even when their authentication fails.
- Iris authentication for operators has been disabled.
- Login time-out sessions have been removed, to allow an operator to remain logged into the enrolment software indefinitely.
- A cluster of changes affects timezone functionality. Particularly, a feature that checks if the software is running on Indian Standard Time (one of the ways the software determines location) has been disabled.
- A tracker, measuring the number of fingerprint mismatches, has been removed.
- Three changes relate to how the software checks the validity of enrolment packets and syncs with UIDAI servers.
- The system has been changed to accept Aadhaar numbers that begin with zero and one. (Real Aadhaar numbers never begin with zero or one, so this change is mystifying).
- A Java integrity check—which checks if the software library has been altered—has been removed.
Use Case Proof
Some of our readers, some journalists, and some panelists on television, have called upon HuffPost India to prove that the patch works. We cannot do that as it is a crime to upload fraudulent data into the Aadhaar database. We also cannot ask someone to do it on our behalf, as we would then be abetting a crime.
There is only one organisation that can follow the movement of a biometric packet from the moment of its creation to the final generation of the Aadhaar number: the UIDAI, which is why it needs to take threats to its systems very seriously.
The existence of a software patch—with clearly malicious functionality verified by a panel of experts—cannot be wished away.
Gustaf Björksten, the Chief Technologist at Access Now who was extensively quoted in our investigation, told our reporters that the patch is comprehensive in its scale, and represents a significant investment in time and resources. Padilla of NoMotion has verified and validated many of these code-level changes. Dan Wallach, an expert in security of voting machines and wireless and network security at Rice University, Texas, has endorsed these findings.
It is now up to the UIDAI to stop protecting itself and to step up and protect the security of the billion Indians coerced into sharing their biometrics and personal information with its database.
As legal theorist Usha Ramnathan has noted, "There is a misconception that data protection is about data being at risk. It is actually about the rights of people being at risk."
Finally, today's papers carried news that two Pakistani militants killed in Kashmir had Aadhaar cards. We wonder how they got them.