Security Market Segment LS
Wednesday, 12 September 2018 11:39

India's ID database compromised by patch costing $48

India's ID database compromised by patch costing $48 Pixabay

India's ambitious bid to collect the biometric details of its 1.3 billion people within a giant database - known as Aadhaar - appears to have gone off the rails, with reports that the software used has been compromised through use of a patch that disables a number of security features in the program used to enrol new users.

A report in the Indian edition of the Huffington Post said the patch in question was available for as little as 2500 Indian rupees (A$48.50) and could be used by anyone to generate Aadhaar numbers.

Every citizen is expected to have an Aadhaar number in order to obtain everything from a mobile phone to a bank account.

In January, when there were reports that personal details of Indian citizens were being sold cheaply online, police asked for an investigation into the newspaper that reported the story.

And a couple of months later, the semi-government organisation which manages the Aadhaar database threatened to take legal action against the American technology website ZDNet over a report that claimed a new leak had hit the national ID database.

Huffington Post reporters Rachna Khaira, Aman Sethi and Gopal Sathe wrote that, following an investigation lasting three months, they had obtained the patch themselves and had it analysed by both Indian and foreign software experts.

Those who enrol new users have to use biometric authentication themselves, but the patch allows anyone to bypass this stricture, the trio wrote.

The patch also disabled the in-built GPS checks - which identified the location of an enrolment centre - meaning that anyone located anywhere could now enrol users.

A third thing that the patch did was to lessen the sensitivity of the enrolment software's iris recognition system. This meant that one could use a photograph of an operator and deceive the software; the physical presence of the operator could be avoided.

The experts consulted by the three reporters said that the patch was compromising fundamental attributes of the enrolment software and only a rewrite from scratch would fix it.

One of the experts, Gustaf Björksten, chief technologist at Access Now, a global technology policy and advocacy group, told the Huffington Post: "There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile.

"To have any hope of securing Aadhaar, the system design would have to be radically changed."

A cyber security analyst based in Bangalore, Anand Venkatanarayanan, said the patch was put together by using code from older versions of the enrolment software to newer versions.

The reporters said they had asked the Indian authorities for comment but had not received any response from either the Unique Identification Authority of India or the National Critical Information Infrastructure Protection Centre, the latter being the entity responsible for providing security for the database.


Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has high potential to be exposed to risk.

It only takes one awry email to expose an accounts payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 steps to improve your Business Cyber Security’ you will learn some simple steps you should be taking to prevent devastating malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you will learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments