Aadhaar breaches fuelled by rogue admin accounts

Not long ago trumpeted as the world’s largest biometric database, India’s Aadhaar system covers 1.2bn citizens. Lately, though, it’s acquired a less impressive reputation – that it’s one of the easiest to breach.

In a matter of days, two sets of journalists claimed to have bypassed its security with worrying ease, apparently by gaining access to a layer of privileged and admin accounts that had ended up in the wrong hands.

In the most widely-reported incident, a researcher paid Rs 500 ($8) to an anonymous WhatsApp seller for credentials giving access to the name, address, phone number, postal PIN, email address and photograph of anyone in Aadhaar after entering their 12-digit UIDAI (Unique Identification Authority of India) number.

Worse, for a few dollars extra, the researcher was offered software capable of printing this out as a usable Aadhaar identity card.

A day later, a second investigation reported being able to acquire access to an admin account for between Rs500 and 6,000 ($95) that conferred the godlike ability to add new admin accounts, which in turn could create new admin accounts – and so on.

Which meant:

Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters – the Aadhaar database won’t ask.

The revelations continued this week with the Times of India reporting that despite November reports that up to 200 Indian government websites were displaying details of Aadhaar identities in public, some continued to do so weeks later.

None of this is good news for Aadhaar’s reputation of course, but the biggest worry could turn out to be the authorities’ confused response.

When confronted with the fact that admin accounts were being traded, one UIDAI regional official seemed shocked:

No third person in Punjab should have login access to our official portal. Anyone else having access is illegal, and is a major national security breach.

And yet, an official UIDAI statement made to news site Buzzfeed more resembled an angry denial than an admission of problems that need to be fixed:

Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded. Aadhaar data is fully safe and secure and has robust, uncompromised security.

None of Aadhaar’s biometric data was compromised, the source added, while appearing to suggest that criminal charges might be filed against journalists for unauthorised access.

It’s not clear from local media reports how serious this threat is, but if it is serious, it would be deeply counter-productive. If the system has weaknesses, one way they will be uncovered is by researchers and journalists reporting on them.

Indians don’t officially have to register with Aadhaar, but they can’t access government services without being part of the system. Take-up has been hugely successful, reportedly enrolling 99% of Indians over the age of 18.

Not surprisingly, successive governments have become heavily invested in its fate and predictably sensitive to reports of security failures that might reflect badly on them.

This is one reason why critics think massive government-backed identity databases carry huge risks. When a private company suffers a breach, in principle it can be held to account by regulators and the force of law. If the same happens to a government-administered database, blame might be temptingly easy to ignore, cover up or shift to junior levels.

It’s too early to declare Aadhaar a broken system but neither, so far, is it exactly proving the pessimists’ predictions wrong.