How the security of Aadhaar personal data and the ECMP software is being compromised
There are WhatsApp messages circulating about a patched version of the Enrolment Client Management Platform (ECMP) software used for off-line Aadhaar enrolment, which can potentially be used to bypass geo-location and bio-metrics, and also change the mapping between personal data of Aadhaar holders and their bio-metric data.
There are also many videos (such as https://www.youtube.com/watch?v=i3ttp72P_Ww) uploaded to YouTube since the middle of last year which claim to demonstrate how, using a software patch to the ECMP software, the geo-location and bio-metric security protections can be bypassed. According to these claims, the following can be done:
- New Aadhaar enrolments can be made without any verification.
- Personal information pertaining to existing Aadhaar numbers can be changed, bypassing all security checks, including OTPs and bio-metric verification.
If this is true, then it is a matter of very serious concern, as it endangers the sanctity of the entire Aadhaar database. We would like to know whether the UIDAI authority has carried out any examination of these claims, and if there is any merit to these claims regarding the security of the Aadhaar enrolment software being compromised, question Y Kiran Chandra, General Secretary, and Prabir Purkayastha, President, of the Free Software Movement of India.
We would also like to bring to your notice that the PayTM account 7041704604 was mentioned in the YouTube video https://www.youtube.com/embed/i3ttp72P_Ww. This account was tracked down to a certain Bharat B., who claimed to work for the Computer Sciences Corporation (CSC) e-Governance division. Since CSC was contracted by UIDAI for Aadhaar enrolment services, could this possibly be a case of rogue insiders who have used their access to this software to create illegal patched versions and are now selling them on the grey market?
Is UIDAI aware of this, as this has been reported in the press in the last few days?
Please refer to:
What steps is the UIDAI taking to make the Aadhaar system safe, given that the security problems seem to emanate from inherent design flaws in the client-server architecture of Aadhaar? Also, given that solicitations to sell the patched version of the software appear to have been uploaded to the net and have been doing the rounds on WhatsApp for at least the last year, what is the sanctity of the information stored in the Aadhaar database? What steps is UIDAI taking to verify the validity of data already uploaded by private players to the Aadhaar database, and to determine whether it has been corrupted by such rogue patches being sold on the black market?
This is a serious issue posing an imminent threat to our national security, given the widespread use of Aadhaar for identification purposes. UIDAI should treat this matter with the utmost seriousness.