The Unique Identification Authority of India (UIDAI) has usually been quick to refute most reports of Aadhaar database breaches and leaks. But at a time when a far more serious security threat is reportedly looming in the enrolment side of things, the authority tasked with issuing the unique ID number is being uncharacteristically tight-lipped.

What is the new threat?

According to a report in the Asia Times, a modified Aadhaar enrolment software, known as ECMP (Enrolment Client Multi Platform), has been compromised. It is, in fact, being illegally distributed for as little as Rs 500, going up to Rs 2,000.

ECMP is basically Aadhaar client software that was developed to allow enrolment operators to collect personal data and biometrics from applicants in order to generate the 12-digit number. It was supposed to be fully-secure, since it not only required biometrics of an authorized operator but also sought out geo-location. The latter, on paper, ensured that the sensitive data was being collected by someone authorised to do so, in a secure and mandated location.

However, the report claims that a "jailbreak" version of the software was on sale on certain WhatsApp groups among Punjab-based enrolment operators, which promised to bypass the above-mentioned biometric and geo-location safeguards. The illegal software basically came preconfigured with user credentials of various registrars. "The GPS module to track the location of the enrolment has also been disabled through a patch," an information security professional, who looked at the compromised software, told Asia Times. Worse, this version of the software could be installed on any laptop.

Why is it a concern?

The compromised ECMP software sans any safeguards would effectively allow anybody to pose as an authorised Aadhaar enrolment operator, free to enrol anyone they like, from anywhere in the world, and pass off their information as legitimate. Given that Aadhaar is being billed by the government as a tamper-proof verification for identity as well as residency, imagine what will happen if this hacked software is unleashed in areas prone to illegal migrant flows like Assam or in areas susceptible to militant intrusions like Jammu and Kashmir.

Furthermore, as the report explains, the compromised ECMP will allow any unauthorised entity to update anyone's identity and address details without any verification, bypassing all security protocols set in place by UIDAI. So the threat posed by this "jailbreak" ECMP version is actually a pan-India concern.

In March, Ajay Bhushan Pandey, CEO of UIDAI, had declared that "Each Aadhaar biometric is encrypted by a 2048-key combination and to decode it, the best and fastest computer of our era will take the age of the universe just to hack into one card's biometric details." But what about a compromised enrolment process itself, which puts a question mark on the authenticity of the Aadhaar data collected?

Does UIDAI know about this threat?

An operator from Punjab, Bharat Bhushan Gupta, reportedly informed UIDAI about the compromised software in an email, even offering help to access to the same. Just last month, a Punjab-based journalist also alerted the Aadhaar body about these developments. But while UIDAI acknowledged the warnings, the daily claims that no details of any follow-up action were forthcoming.

(With PTI inputs)