dogloose

Aadhaar[1] data security - a hot topic since the introduction of the framework back in 2009 - is once again in the news. A three-month-long investigation claims to have uncovered a software patch that compromises the security of the data stored in the Aadhaar identity database. The patch, which was not formally developed by the Unique Identification Authority of India[2] (UIDAI[3]), allegedly allows hackers to generate unauthorised Aadhaar numbers by disabling the security features of the official Aadhaar enrolment software. It is said to come at a one-time charge of as low as Rs. 2,500 and is reportedly already used by many enrolment operators across the country. The new hack is believed to have its roots in the decision that UIDAI took back in 2010 to speed up the enrolment process by opening it to private operators. Notably, the report highlighting the fresh Aadhaar patch emerges just ahead of the launch of a face recognition facility[4] by the Aadhaar-issuing body. The facility will bring face recognition in addition to iris and fingerprint scans to verify users.

HuffPost India claims[5] to have gained access to the patch, which has been verified by multiple experts. The patch is said to let a user bypass critical security features such as biometric authentication of enrolment operators, and to disable the enrolment software's pre-installed GPS security feature, which is used to help UIDAI identify the physical location of enrolment centres. The removal of the GPS requirement would allow patch users to generate numbers from anywhere in the world. Further, the unofficial patch reportedly reduces the sensitivity of the iris-recognition system of the enrolment software, allowing a photograph of a registered operator to be used for authentication. All this makes it easier for...

Read more from our friends at NDTV/Gadgets