Saumya Khandelwal / Reuters

NEW DELHI—On 10 September, HuffPost India revealed that an inexpensive, freely available software patch had critically undermined the integrity of India's controversial Aadhaar identity database by letting unauthorised persons, based anywhere in the world, alter information stored in the database and enrol new users at will. The Unique Identification Authority of India (UIDAI), the agency responsible for Aadhaar, dismissed the story in a series of tweets. HuffPost India noted that the authority had not responded to the key points raised by our article.

Now, analysis by Orlando Padilla, founder of NoMotion Software LLC, a specialised cybersecurity firm that has worked on network security for the Olympics, the Israeli police, aerospace and defence companies like Northrop Grumman, and the US Department of Homeland Security, reveals the hackers made 26 separate code-level changes to the enrolment software—reiterating concerns that the hack is the work of skilled and sophisticated adversaries working to a clear plan. One key additional change noted by Padilla is that the software also overrides biometric security features associated with enrolment supervisors—who are responsible for overseeing the actions of enrolment operators. (Padilla analysed the patch at HuffPost India's request, but his analysis came in a little after our publishing schedule, which is why it wasn't included in the original article.)

The full list of changes is published in the latter section of this article, but to appreciate them, we urge our readers to go through the context below. In this post, HuffPost India will also address the UIDAI's comments in greater detail, and respond to questions raised by readers in messages and emails to our reporters.
Aadhaar Hack

Internationally reputed experts, who analysed the malicious patch, told HuffPost India three things:

1. A malicious patch, sold on WhatsApp for as little as Rs 2,500, lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers.

2. The patch disables the enrolment software's in-built GPS security feature (used to identify the physical location of every enrolment centre), which means anyone anywhere in the world — say, Beijing, Karachi or Kabul — can use the software to enrol users.

3. The patch reduces the sensitivity of the enrolment software's iris-recognition system, making it easier to spoof the software with a photograph of a registered operator, rather than requiring the operator to be present in person.

UIDAI Denial

Once you sift through the ad hominem attacks and blanket assertions, the core of the UIDAI's argument lies in the following tweets:

As part of our stringent enrolment & updation process, UIDAI checks enrolment operator's biometric and other parameters before processing of the enrolment or updates and only after all checks are found to be successful, enrolment or update of resident is further processed. 12/n — Aadhaar (@UIDAI) September 11, 2018

Even in a hypothetical situation where by some manipulative attempt, essential parameters such as operator's biometrics or resident's biometrics are not captured, blurred and such a ghost enrolment/update packet is sent to UIDAI... 14/n — Aadhaar (@UIDAI) September 11, 2018

...the same is identified by the robust backend system of UIDAI, and all such enrolment packets get rejected and no Aadhaar is generated. 15/n — Aadhaar (@UIDAI) September 11, 2018

The tweets suggest that the UIDAI is banking on the paucity of public information on the enrolment process to make a series of unsupported claims about the security of its systems. To understand the nature of the hack, and why the UIDAI needs to substantiate its denials, we need to understand how the Enrolment Client Multi-Platform (ECMP)—the software attacked by the hackers—works.

ECMP Client

The ECMP is, in UIDAI parlance, an "offline client", meaning the system can enrol users and update their information without an active internet connection—for instance, in a rural area with poor connectivity. The software saves changes locally, on the computer on which it is installed, and then uploads the information once an internet connection is available.

The ECMP's key security feature is a requirement that an authorised operator, and if needed her supervisor, biometrically "sign off" on enrolments and updates to Aadhaar information by pressing their finger onto a biometric reader. Once the operator or supervisor signs off, the ECMP creates a file, called an enrolment packet, which is then sent to UIDAI servers. The UIDAI claims that its back-end software analyses both the enrolment packet and the cluster of information attached to the packet—called meta-data.

The crucial question is: what is the enrolment meta-data collected by the UIDAI? Is the meta-data a record of actions performed by the operator — for instance, a biometric sign-off from an authorised machine? Or does the meta-data include a time-stamped image, or image template, of the operator's biometrics captured in real time? The UIDAI must provide an answer.
Publicly available UIDAI documents, and interviews with experts who have examined the enrolment client, suggest the former: the meta-data is likely a record of an offline process in which the biometric sign-off of the enrolment operator is matched against her biometrics stored locally on the hard-drive of the computer doing the enrolment. How do we know this? Because the UIDAI tells us. This document, titled Installation and Configuration of Aadhaar Enrolment Client, for instance, makes clear that the process of registering an authorised enrolment operator involves downloading her biometrics onto a certified enrolment computer:

An excerpt of a UIDAI training module

Screenshot of a UIDAI document on configuring the ECMP client

The software patch attacks precisely this vulnerability—that biometric sign-off is an offline process that can be spoofed, so that enrolment packets created by the hacked software are indistinguishable from the real thing. If the UIDAI has a way to distinguish between these packets, it must provide clear code- and process-level evidence. At this stage, it is worth noting that HuffPost India offered to send the UIDAI the patch three months prior to publishing the story. The UIDAI chose not to engage, and published a rebuttal hours after the story was published—without analysing the code. It seems the UIDAI is aware that bypassing biometric sign-offs is technically possible, because another enrolment training module lays out punitive fines for doing so.
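To make the question above concrete, here is an added illustrative model in Python. It is not UIDAI's code, protocol or packet format, and it is not the patched client; the packet fields, the Backend class, the device key, the operator template digest and the "design 1 / design 2" split are all constructed assumptions for the demo. It generalises the article's point to the two kinds of meta-data a backend could receive: in the first design the meta-data is a client-side record of actions, so the server can only check a flag the client sets and a packet from a client that skipped the biometric check looks genuine; in the second the certified device keys a MAC over a server-issued challenge, a capture timestamp and the live operator template, so a packet that skipped the check, reuses an old challenge, is stale, or was built without the device key is rejected.

```python
import hashlib
import hmac
import os

# Added illustrative model: NOT UIDAI's protocol, packet format or code.
# Every name, key and field below is a constructed assumption for the demo.

# Constructed per-device keys. In a real design each certified enrolment
# machine would hold its own key and the backend would hold the verifying half.
DEVICE_KEYS = {"dev-001": b"constructed-device-key-001"}

# Constructed digest of the template the backend holds for each authorised
# operator. A real biometric matcher compares templates fuzzily; exact digest
# equality is a simplification so the demo runs offline.
OPERATOR_TEMPLATE_DIGESTS = {
    "op-42": hashlib.sha256(b"constructed-operator-42-template").hexdigest(),
}


def _attest_msg(challenge, template_hash, ts):
    # Bytes the device MACs: backend challenge, live template digest, capture time
    return f"{challenge}|{template_hash}|{ts}".encode()


def client_build_attested(resident, operator_id, device_id, device_key,
                          challenge, template, ts):
    """Design 2 client: ships the live operator template plus a device-keyed MAC."""
    digest = hashlib.sha256(template).hexdigest()
    mac = hmac.new(device_key, _attest_msg(challenge, digest, ts),
                   hashlib.sha256).hexdigest()
    return {
        "resident": resident,
        "operator_id": operator_id,
        "operator_template": template,
        "attestation": {"device_id": device_id, "challenge": challenge,
                        "template_hash": digest, "ts": ts, "mac": mac},
    }


class Backend:
    def __init__(self, device_keys, operator_digests):
        self.device_keys = device_keys
        self.operator_digests = operator_digests
        self.open_challenges = set()   # unused nonces issued to clients

    def issue_challenge(self):
        """Fresh nonce per enrolment so a packet cannot be prepared in advance."""
        challenge = os.urandom(16).hex()
        self.open_challenges.add(challenge)
        return challenge

    def verify_flag_only(self, packet):
        """Design 1: meta-data is a record of client actions. The backend can
        only check that the client *says* the operator signed off."""
        return packet.get("operator_verified") is True

    def verify_attested(self, packet, now, max_age=300):
        """Design 2: meta-data carries evidence only a keyed device can produce."""
        att = packet.get("attestation") or {}
        key = self.device_keys.get(att.get("device_id"))
        if key is None:
            return False, "unknown device"
        if att.get("challenge") not in self.open_challenges:
            return False, "challenge missing or already used"
        ts = att.get("ts")
        if not isinstance(ts, int) or not 0 <= now - ts <= max_age:
            return False, "stale or future timestamp"
        digest = hashlib.sha256(packet.get("operator_template", b"")).hexdigest()
        if digest != att.get("template_hash"):
            return False, "template does not match attestation"
        expected = hmac.new(key, _attest_msg(att["challenge"], digest, ts),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, att.get("mac", "")):
            return False, "bad MAC"
        if self.operator_digests.get(packet.get("operator_id")) != digest:
            return False, "template is not the claimed operator's"
        self.open_challenges.discard(att["challenge"])   # single use
        return True, "ok"


def demo():
    backend = Backend(DEVICE_KEYS, OPERATOR_TEMPLATE_DIGESTS)
    now = 1_700_000_000                      # constructed "current time"
    template = b"constructed-operator-42-template"

    # A packet whose client never ran the biometric check but set the flag anyway
    spoofed = {"resident": "R1", "operator_id": "op-42", "operator_verified": True}

    # Genuine Design 2 packet: device key, fresh challenge, recent timestamp
    c1 = backend.issue_challenge()
    genuine = client_build_attested("R1", "op-42", "dev-001",
                                    DEVICE_KEYS["dev-001"], c1, template, now - 5)
    genuine_ok, _ = backend.verify_attested(genuine, now)
    replay_ok, replay_why = backend.verify_attested(genuine, now)   # same nonce again
    no_att_ok, no_att_why = backend.verify_attested(spoofed, now)

    # Packet built on a machine without the device key (MAC under a wrong key)
    c2 = backend.issue_challenge()
    wrong_key = client_build_attested("R1", "op-42", "dev-001", b"not-the-key",
                                      c2, template, now)
    wrong_key_ok, wrong_key_why = backend.verify_attested(wrong_key, now)

    return {
        "flag_only_accepts_spoofed": backend.verify_flag_only(spoofed),
        "attested_accepts_genuine": genuine_ok,
        "attested_accepts_replay": replay_ok, "replay_reason": replay_why,
        "attested_accepts_spoofed": no_att_ok, "spoofed_reason": no_att_why,
        "attested_accepts_wrong_key": wrong_key_ok, "wrong_key_reason": wrong_key_why,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() reports which packets each design accepts. The point is the one the article makes: a server can only tell a spoofed sign-off from a genuine one if the packet carries evidence the client machine cannot produce on its own, which is why the content of the meta-data matters.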

A screenshot of a UIDAI training module