Aadhaar — A Self Certified ID

Public availability of cracked Enrollment software makes Aadhaar information equivalent to a Self Certified ID

The biggest question that the Asia Times news story raises about the compromised enrollment software is — Why UIDAI cannot fix it? This post answers this question and the implication of this compromise.

India's ambitious digital ID project faces new security nightmare

The Offline Problem

The Enrollment Client Multi-Platform (ECMP) software is a JAVA client software available for public download and installation. Instead of a fully online model (Like a Software as a Service hosted only on uidai.gov.in), the client model was chosen because of the lack of reliable internet connectivity in most parts of rural india.

The ECMP software can be used to enroll people in a remote location without the need for internet connectivity. It generates enrollment packets, which are then uploaded to the CIDR for De-duplication. Until that happens, the enrollment packets are stored in the laptop in which the enrollment software is installed.

This design, which optimizes for enrollment, however is a security loophole that has been exploited differently for quite a while and the Asia Times story, above, is only a logical progression of a trend.

Can a client be truly tamper proof?

The steps required to convert any laptop connected with hardware kits the into a fully functional authorized enrollment station are listed below:

1. Publicly available registrar code and enrollment agency code (Page 7, Prerequisites)
2. Importing publicly available Master data, Registrar data, User credentials and Name dictionaries (Page 34–36, Database Management) for various registrars (Samar Infotech, AISect Ltd.)
3. Registering the enrollment station (Page 39, Client Identity and UIDAI FAQ Question #10).
4. Mandatory registration of both operators and supervisors through their bio-metric identifiers (Step 9, Page 17, Setting up an enrollment center)

Step 4 will only succeed if their Aadhaar ID is associated with the enrollment agency and if their bio-metrics matches with the one stored in the CIDR.

So in effect, the only thing that stands between a valid enrollment station and an illegal one, is the bio-metrics of the operator/supervisor.

The first set of attempts to hijack the ECMP software hence were based on forging the fingerprints via artificial molds (Source).

While these are primitive, a better form of exploit emerged over time. The cracking of the enrollment software itself.

Thick Clients are reversable and patchable.

Analyzing the ECMP software is quite simple and can be accomplished by the following steps:

1. Download the Official software from any of the public locations (AISECT).
2. Install it on any windows laptop.
3. Reverse the Java libraries present in C:\UID Authority of India\Aadhaar Enrolment Client\lib\in.gov.uidai.*.jar, using standard tools like Java Disassembler.

A few things stand out

• There is no obfuscation. (Face Palm #1)
• There is code to detect tampering of the software, but the programming in that module is quite poor, and can be tampered/bypassed very easily.
• All security checks are concentrated in one single module, which also ships with instructions on how to rebuild that module, thus making it very patch friendly. (Multiple repeated face palms)

It is a well known axiom in software engineering that in a client — server architecture, the client can never be trusted to be tamper-proof. However the above defects makes it very easy to tamper the enrollment software and create multiple versions, which patch and bypass various security checks.

Chronology of Security checks and their exploits

• 2009 — The first few versions of ECMP Software did not even encrypt enrollment packets nor did it have GPS for tracking the enrollment locations. (Source)
• 2012 — The software shipped with GPS modules and introduced encryption of data packets for the first time with 1024 bit RSA Keys. (Version 2.2).
• April 2012 — The ILF&S scam happened because the enrollment software allowed anyone to use their own fingerprint to become an Aadhaar operator using a vulnerability (Source).

The system has a flaw. When an agent provides wrong authorisation fingerprint, it rejects on two occasions, but at the third instance it automatically takes the default authorisation print and completes the enrollment process,

• Feb, 8 2016 — First sightings of unauthorized Aadhaar enrollment centers, possibly using a cracked ECMP software (Source)
• May 2016 — Version 3.2.0.0 shipped with IRIS authentication for the operators, since artificial fingerprints have become mainstream.
• May 2017 — UIDAI releases Version 3.3.3.0 which contains code to detect tampering of the enrollment software.
• August 2017 — UP Aadhaar hack case, which reported that IRIS authentication has been bypassed. (See FIR copies here).
• Feb 2018 — IRIS authentication still remains bypassed, GPS has been bypassed, but Artificial fingerprints are in use (Chandigarh FIR)
• April 2018 — GPS and Fingerprint checks bypassed (Asia Times story)

Conclusion

The implication of the above is quite clear — The quality of demographic data in the Aadhaar database (CIDR) is whatever the enrollment operators want them to be and residents can directly influence the operators, by paying them a bribe.

The only defense had always been bio-metric de-duplication, but as the UP Aadhaar case indicated, bio-metrics can be injected by operators.

Finally, we are where we started. Those who want multiple Aadhaar numbers, can always get it and those who don’t want will be content with their only Aadhaar number. Further, even if one has only one Aadhaar number, the demographic information can be whatever one want them to be.

In short — Aadhaar is world’s largest self-certified ID and is only as trustworthy as the individual’s social status and trust-worthiness and it took billions of dollars of tax-payer money for the UIDAI to recognize it.