STORY: Simple Hack Turns India's Massive Biometric Database Into a Profitable Counterfeit system, by reporter Dell Cameron, published by The Huffington Post on September 11, 2018.
GIST: India's
controversial biometric database, Aadhaar, has been once again
compromised, according to a three-month investigation launched by
HuffPost India. In a report published Tuesday,
HuffPost revealed the existence of a malicious patch said to disable
critical security features, making it easier not only to create
unauthorized Aadhaar numbers but to fool the system's biometric
recognition systems from virtually anywhere in the world. The
purpose of the patch, which is reportedly in widespread use and easily
obtained for roughly Rs 2,500 (around $35), is not to grant access to
information in the database; rather, it allows unauthorized users to
introduce information to it—i.e., create identities, potentially with
fraudulent biometric data. The
Aadhaar system, launched in 2009, is the largest biometric program of
its kind in the world, with more than 1 billion Indian residents
enrolled. The 12-digit codes are assigned by the Unique Identification
Authority of India (UIDAI) and links data from fingerprints and iris
scans as a means to confirm the identities of anyone who works or
resides in the country, including non-citizens. The
government's intent was to create digital identities as a way to ensure
access to welfare, health, and education programs. The country hosts
one of the largest populations of internal migrant workers, many of whom
often carry no identification, making it difficult to prove who they
are when traveling state to state. The
Aadhaar system has been widely criticized for its lack of regulatory
framework. The identities of hundreds of millions of people were
imperiled last year alone due to leaks of biometric data. In January, a group of journalists reported paying the equivalent of $8 to gain full administrative access to the database. HuffPost
India reports having acquired access to a patch that essentially
reverts portions of the Aadhaar code using previous, less secure
versions of the software. In one example of how security is downgraded
by the patch, experts discovered code created to reduce the fail-rate
for iris recognition, allowing the system to be fooled by a
high-resolution photograph. Installing
the patch, which is apparently widely in use at enrollment centers, is
said to be relatively simple. HuffPost reports:
Using the patch is as simple as installing the enrolment software on a PC, and replacing a folder of Java libraries using the standard Control C, Control V cut-paste commands familiar to any computer user.Once the patch is installed, enrolment operators no longer need to provide their fingerprint to use the enrolment software, the GPS is disabled, and the sensitivity of the iris scanner is reduced. This means that a single operator can log into multiple machines at the same time, reducing the cost per enrolment, and increasing their profits.
Moreover,
a single person using the patch would be able to create multiple
entries in the Aadhaar database, reportedly allowing them, as one expert
told HuffPost, to "siphon off rations of multiple people." After
having their findings confirmed by multiple international and Indian
experts, the reporters delivered their findings to the NCIIPC, or
National Critical Information Infrastructure Protection Centre, the
principal Indian government agency responsible for protecting the
nation's critical information infrastructure. Neither
the UIDAI nor the NCIIPC could be immediately reached for comment.
HuffPost India reports Indian authorities were not responsive to
inquiries."
The entire story can be read at:
https://gizmodo.com/simple-hack-turns-indias-massive-biometric-database-int-1828972521
PUBLISHER'S NOTE: I am monitoring this case/issue. Keep your eye on the Charles Smith Blog for reports on developments. The Toronto Star, my previous employer for more than twenty incredible years, has put considerable effort into exposing the harm caused by Dr. Charles Smith and his protectors - and into pushing for reform of Ontario's forensic pediatric pathology system. The Star has a "topic" section which focuses on recent stories related to Dr. Charles Smith. It can be found at: http://www.thestar.com/topic/
---------------------------------------------------------------------
