UIDAI cites experts to say its database can’t be hacked


New Delhi: Amidst the controversy over the possibility of the alleged hacking of the Aadhaar database through a patch, the Unique Identification Authority of India (UIDAI) has now cited experts working closely with it to claim its database is not vulnerable in any way.

Professor Rajat Moona, Director, IIT Bhilai, and a member of the Security Review Committee of UIDAI, says the claims of hacking made in a media report are “ill-informed” and that the experts quoted in the report had given their opinion based on “incomplete information”.

“It is prudent to know how Aadhaar system works. Several service providers (or Aadhaar enrollment centres) take requests from various Aadhaar holders on behalf of UIDAI for legitimate changes. These requests are validated by the operator by putting his/her signature and then sent to UIDAI for its action. Along with the requests, the identity establishment parameters (like biometric or OTP etc.) for the requestor are also carried. The server would and also should not take and honour the request only on the basis of the operator only. Further, in order to ensure that unnecessary request traffic is not built up and any errors are conveyed with preliminary checks to the requestor even before sending it to UIDAI, the programs for the enrollment centres will need to build such quick and preliminary checks,” Moona says.

He added that it is being wrongly assumed that such preliminary checks are the only checks and that, therefore, if such checks are bypassed or if such a request is conveyed to UIDAI, the system is hacked. “Clearly it failed to recognize that the real checks are to be performed by the UIDAI servers before the requests are acted upon by UIDAI. Merely acceptance of the requests or the preliminary checks do not suffice to act upon the requests at the end of UIDAI,” Moona says.

He said one may assume the case of an organization that prints out and pastes a notice on the wall to declare a day as a holiday. “Someone walks in and scribbles something on the notice and makes the days appear as two. Will it mean that the someone has been able to successfully modify the company policy or rather ‘hack’ the company confidential papers? Or for that matter, one company person takes this ‘hacked’ paper inside the company premises to show to the HR personnel and to question its authenticity. Does it mean that the company is now compromised?” Moona adds.

Professor Jaideep Srivastava, who advises UIDAI on security and tech matters and holds a Ph.D. in Electrical Engineering and Computer Science from the University of California – Berkeley, said that, as per his understanding, the ability to register a person for Aadhaar from anywhere in the world is currently not permitted under the Aadhaar system because it has many checks, such as GPS and operators' biometrics, which prevent enrollment from outside India. “Even if, say, some hacking patch is able to bypass or manipulate some of the front end checks, because these checks along with many more ones are also done again at the backend by UIDAI, such fraudulent attempts from abroad can be easily thwarted. Therefore to say that such unauthorized patch can disarm the Aadhaar security is completely incorrect,” Srivastava says.

He also said that each Aadhaar requires a distinct physical body, as that is what a biometric-based ID system is all about. “So, someone can create multiple names, fake addresses, etc., and even give them legitimacy via legal processes like registration. But, how does one go about creating multiple physical bodies? Unless one imagines some James Bond or Sci-Fi movie, this is well-nigh impossible, and even if theoretically possible, it is not something which we expect to be available on the ground,” Srivastava says.

Source: Economic Times