Compromised copies of a computer program used to enroll more than a billion Indians into Aadhaar, the country’s controversial biometric ID program, are being sold to anyone who wants them for $30 or less, according to a new report from Asia Times on Tuesday.
The program was used by private contractors to scan in and upload personal details including names, addresses, dates of birth, mobile numbers, fingerprints, and irises of Indians to a centralized, government-owned database, as long as the contractors authenticated themselves first.
The compromised version reportedly bypasses this requirement, letting anyone with access to the program add new entries to the Aadhaar database or modify their own existing entry with no checks. It also bypasses a mandatory GPS check, used to ensure that new signups are done at secure, officially mandated locations.
The Unique Identification Authority of India, the agency in charge of the Aadhaar program, did not immediately respond to BuzzFeed News’ request for comment.
The Aadhaar national ID program, which was initially pitched as a voluntary identity system that would help the government crack down on fraud in the country’s corrupt welfare system, has been called out by critics for its ability to turn the country into a surveillance state and violate the privacy of India’s 1.3 billion citizens.
The program is currently being challenged in India’s Supreme Court, but that hasn’t stopped the government from coercing people to sign up by linking it to essential services such as food subsidies, bank accounts, health insurance, and cellphone numbers.
Allowing anybody with access to compromised software to create new entries in the Aadhaar database with no authentication has major national security implications, critics warn.
“The entries in the Aadhaar database are considered so trustworthy that they are used to open bank accounts, get new cellphone connections, and even new passports,” Anand V, a security researcher and a critic of the Aadhaar program, told BuzzFeed News.
“If anyone can add entries to the database or modify existing entries that belong to them through bypassing the mandatory security checks required to do this, it strikes right at the heart of the Aadhaar program, which is based around identity.”
This isn’t the first time that vulnerabilities in the Aadhaar program have been discovered. In January, the Tribune, a local Indian newspaper, was able to exploit a breach to access the private data of nearly 1.2 billion Indians from the database for just $8. And in March, a ZDNet report showed that a data leak on a system run by a state-owned utility company in India allowed anyone to download the private information of every Aadhaar holder in India, including their names, bank details, and cellphone numbers.