You should be worried about #NADRAGate, here’s why

Background

There have been multiple reports, leaked from various credible sources, about the NSA and GCHQ hacking into Pakistan’s critical infrastructure. One of the first reports to be made public was published by The Intercept in June 2015; it highlighted GCHQ’s infiltration of PTCL’s core routers, which allowed them not only to intercept every single user’s traffic but also to re-route that traffic to their passive collection systems.

This report was followed by another, roughly one year back, which pointed out that the NSA had gained access to Pakistan’s National Telecommunications Corporation (NTC) using malware known as “SECOND DATE”.

Part of this was confirmed in October 2016, when a group known as the “Shadow Brokers” leaked a list of hosts that were compromised as part of the NSA’s operations. The leaks also reveal a step-by-step guide to how the NSA compromised Mobilink’s network, including the CDR (Call Data Record) servers, in 2006.

From the evidence obtained, it is very clear that both the NSA and GCHQ had a significant interest in hijacking Pakistan’s critical infrastructure. An article published by The News in 2011 made it evident that NADRA had decided to outsource work to International Identity Services Limited (IIS). Tariq Lodhi, General Manager at NADRA, also reported that the project to outsource NADRA work to IIS had been under way since June 2009. The evidence shows that the company was registered in that very same year, which raises the question of why NADRA decided to outsource work to IIS when the company had been created in the same year and had no track record of doing such a job.

Our analysis

Various leaks from NSA contractor Edward Snowden revealed a couple of the NSA’s deadliest cyber weapons, the most notable being Quantum Insert attacks, used to carry out targeted attacks. Hijacking Pakistan’s ISPs provides a great aid to Quantum Insert attacks, since the attack depends on a privileged position in the network path. One of the leaked documents confirmed that this attack was being utilized to infect a target located in Miran Shah, FATA.


Introduction & Analysis

In a cable recently leaked by WikiLeaks, it was highlighted that in 2009, then Prime Minister Yousaf Raza Gilani, along with then Interior Minister Rehman Malik, went to the US Embassy in Islamabad and ‘offered’ access to NADRA’s database. It was later revealed that this was accomplished by setting up a cover company known as “International Identity Service Limited”, based in the UK. This was done because it is easier to conduct attacks as an insider, and it was also designed to provide protection to Yousaf Raza Gilani and his aides who were involved in this operation. The data we gathered from a deep search reveals that the company was incorporated on 9 July 2009 and had a registered office address, which is in harmony with the dates when the Prime Minister and Interior Minister visited the US Embassy. The registered office address of the company, as per the records, was “Owg, 2nd Floor, 94 New Walk, Leicester, LE1 7EA”. The company was dissolved on November 18 2014.

Some information can be found about the company’s staff:

We dug deeper into Simon Robert Brodie, one of the directors of the company, and found the following work history:

It can be safely assumed that the role of the consultant company would not have been limited to exfiltrating data from NADRA’s database; they would also have planted backdoors into the systems so that they could keep an updated copy of the database.

It can also be safely assumed that NSA/GCHQ’s penetration into NADRA’s database would not have been READ-ONLY; they would have done their best to gain the highest privileges in order to INSERT, UPDATE and DELETE records.

Implications

NADRA currently holds the most critical database of public records. It contains everything from your CNIC, family tree, driving licence, passport and biometric data to DNA records and voter records. NADRA’s database values are used to perform identity verification when registering a SIM or opening a bank account; for this, NADRA exposes a web service that returns only the subset of data required to verify an identity.

For instance, in order to register a SIM, the devices used by telecom operators capture the fingerprint, convert it into NADRA’s accepted format and send the request to NADRA’s web service; if the fingerprint is accepted, the SIM is issued.

In this case, however, it is clear from the leaks that the entire database was subject to theft. This can have serious implications and consequences:

  • Biometrics is technically described as Type-3 authentication (something that you are), which is based upon a physical characteristic of a person. Currently, fingerprints are the most commonly used form of biometric authentication. Where fingerprints are stolen, it effectively means that any form of authentication in which your fingerprints are utilized can be compromised, as they are already in the attacker’s possession.
  • The worst part is that, if your passwords get compromised, it is very easy for you to change the passwords and control the damage. If your fingerprints are compromised, there is not much you can do about it.
  • Your stolen fingerprints can easily be used to issue a SIM on your behalf, without your knowledge, which can then be used to impersonate you and commit crimes.
  • Stolen data from NADRA can be utilized to conduct social engineering attacks against an individual.
  • Those who come across our western border at Chaman also require biometric verification. Assuming that the NSA has WRITE access to NADRA’s database, they can add a new record to the database. This can allow someone to effectively cross the Chaman border by impersonating an identity, and the biometric verification will happily accept it.

Privacy & Why This Matters?

A very common argument that I keep hearing is “I am not a criminal, I have nothing to hide, so why should I be afraid?” Even if you have nothing to hide and you are not a criminal, your online identity can be hacked and you can be turned into a criminal. Suppose your Facebook account gets hacked and your status is flooded with messages sponsoring and supporting terrorism: it will be extremely difficult for you to repudiate them, and it will require a complete forensic investigation to prove that you are not guilty. The case of Mashal Khan is evidence of this: his identity was impersonated and a narrative was built that he had committed blasphemy.

Privacy is not only our democratic right; it is also recognized as a fundamental human right in the 1948 United Nations Universal Declaration of Human Rights.

Recommendations

In the light of the above events, we give the following recommendations to the government:

  • Principally, no access to NADRA’s database should be given to anyone, and even if a certain portion of the database is exposed via a web service, it should be limited and should follow the “principle of least privilege”.
  • Under present circumstances, we strongly discourage electronic voting until the government, the election commission and the intelligence services have taken adequate security measures.
  • The government should take the privacy of its citizens seriously. The regulatory branch should impose penalties on any form of private data leaked as a result of a breach. In the event of any breach or incident, senior management should be held accountable if proper due care and due diligence were not carried out by them.
  • Under present circumstances, it is strongly recommended to set up a state-owned “Cyber Security Unit”. The Cyber Security Unit’s primary responsibility would be protecting the confidentiality, integrity and availability of critical internet infrastructure. The Cyber Security Unit would also be responsible for providing security advisories to all the critical sectors empowering the country’s economy and hosting users’ critical data.
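As an added example (not from the original post, and not NADRA’s own design), the following Python sketches two defensive ideas from the implications and recommendations above: a verification endpoint that answers only yes/no, in line with the least-privilege recommendation, and a per-record HMAC seal keyed by a secret the database itself never holds, so that rows inserted or altered by anyone who merely gained write access to the database are detected by an audit and refused at verification time. All keys, names and records are constructed placeholders.

```python
import hashlib
import hmac
import json

# Hypothetical sealing key held by the verification service only; it must never
# be stored in the database it protects (constructed demo value).
SEAL_KEY = b"constructed-demo-key-never-stored-in-db"

def canonical(record: dict) -> bytes:
    """Deterministic serialization so a record always seals identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict, key: bytes = SEAL_KEY) -> str:
    """HMAC-SHA256 over the row; forging it needs the key, not just DB write access."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def record_is_authentic(record: dict, tag: str, key: bytes = SEAL_KEY) -> bool:
    return hmac.compare_digest(seal(record, key), tag)

def build_registry(records: list, key: bytes = SEAL_KEY) -> dict:
    """Legitimate enrollment path: each row is stored together with its seal."""
    return {r["cnic"]: (r, seal(r, key)) for r in records}

def audit(registry: dict, key: bytes = SEAL_KEY) -> list:
    """IDs whose stored seal no longer matches the row (altered or inserted rows)."""
    return sorted(c for c, (rec, tag) in registry.items()
                  if not record_is_authentic(rec, tag, key))

def verify_fingerprint(registry: dict, cnic: str, template: str,
                       key: bytes = SEAL_KEY) -> bool:
    """Least-privilege endpoint: answers only yes/no, never returns the stored row."""
    entry = registry.get(cnic)
    if entry is None or not record_is_authentic(*entry, key):
        return False  # unknown, or changed without the key: refuse rather than trust
    return hmac.compare_digest(entry[0]["fp_template"], template)

# Constructed sample rows (no real NADRA data); templates are placeholder strings.
SAMPLE = build_registry([
    {"cnic": "00000-0000000-1", "name": "Person A", "fp_template": "tmplA"},
    {"cnic": "00000-0000000-2", "name": "Person B", "fp_template": "tmplB"},
])

def simulate_write_access_abuse(registry: dict) -> dict:
    """The post's threat model: DB write access without the key. One row's biometric
    is swapped (old seal kept) and a new row is inserted with a keyless hash as seal."""
    altered = dict(registry)
    rec_a, tag_a = altered["00000-0000000-1"]
    altered["00000-0000000-1"] = ({**rec_a, "fp_template": "tmplX"}, tag_a)
    ghost = {"cnic": "00000-0000000-9", "name": "Ghost", "fp_template": "tmplG"}
    altered["00000-0000000-9"] = (ghost, hashlib.sha256(canonical(ghost)).hexdigest())
    return altered
```

Running `audit(simulate_write_access_abuse(SAMPLE))` flags both the altered and the inserted row, and `verify_fingerprint` refuses them even when the attacker-supplied template matches.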
Rafay Baloch
Contributing Analyst at CommandEleven
Rafay Baloch is a prominent cybersecurity researcher from Pakistan. His work has been noted by Forbes, BBC, Wall Street Journal and Black Hat Asia.