The Unique Identification Authority of India (UIDAI) had to answer a few questions after a report claimed to have found a new security flaw in the Aadhaar identity database. However, UIDAI stated that such reports are "completely incorrect and irresponsible".
A recent report mentioned that the biometrics and personal information of over 1 billion Indians were compromised by a software patch that disables critical security features of the software used to enroll new Aadhaar users. This patch was freely available for as little as Rs 2,500.
The software was compromised on three levels. Firstly, the patch allowed a user to bypass critical security features such as biometric authentication of enrolment operators to generate unauthorized Aadhaar numbers.
Secondly, the patch disabled the enrolment software's in-built GPS security feature, which is used to identify the location of an enrolment centre. This implies that the hack allows anyone in the world to use the software to enroll users.
Lastly, the patch reduces the sensitivity of the enrolment software's iris-recognition system. With this trick, an unknown person can fool the software with a photograph of a registered operator, rather than requiring the operator to be present in person.
It is believed that the hack goes back to 2010. That year, private agencies were allowed to enroll users to the Aadhaar system in order to speed up enrolments. The contract was won by the Bengaluru-based company Mindtree, which developed software called the Enrolment Client Multi-Platform. This platform was later installed on thousands of computers maintained by these private operators.
The end result? Over 180 million Indians were enrolled onto this platform by February this year. Security expert Björksten believed that due to these “common service centres”, critical components of Aadhaar fell into the hands of the enemies of the system.
UIDAI responded to this report and stated that these claims are false. It said, “UIDAI hereby dismisses a news report appearing in social and online media about Aadhaar Enrolment Software being allegedly hacked as completely incorrect and irresponsible. The claims lack substance and are baseless. UIDAI further said that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted.”
It also added, “Full measures are taken to ensure end-to-end security of resident data, spanning from full encryption of resident data at the time of capture, tamper resistance, physical security, access control, network security, stringent audit mechanism, 24x7 security and fraud management system monitoring, and measures such as data partitioning and data encryption within UIDAI controlled data centres.”
The news of the Aadhaar patch emerges just a few days before the launch of the face recognition facility in the country.
UIDAI has proposed two-factor authentication for the use of face recognition by telcos: where an individual provides an Aadhaar number, the authentication will be done using fingerprint or iris and face. For individuals providing a Virtual ID, the authentication can be on the basis of fingerprint or iris. UIDAI said that in cases where an individual is unable to authenticate using fingerprint or iris, face authentication can be used as an additional mode, to make the system more inclusive.
from Daily News & Analysis https://ift.tt/2N4KS5K