Internet Security Blog - Hackology

PITB Leaks: NADRA Database of 200M Users Hacked

Biggest information breach in the history of Pakistan

In November 2011, Mr. Umar Saif took charge as chairman of PITB (Punjab Information Technology Board) with a vision of bringing about a digital revolution in Punjab. As a result, decades-old sensitive government data such as police records and land records was digitized. It would have been a great achievement had it stopped there. Without thinking through the implications, he then started making this confidential data available, along with the bio data of 200 million Pakistani citizens obtained from NADRA, through various APIs. Mobile apps and web portals with direct access to NADRA, telco and PITB data were built for government officials without any proper cyber-security controls. Over time these apps and the credentials to the portals leaked, and they are now in the hands of 15-year-old kids who sell copies online for 200 rupees each. This is an alarming situation for the entire nation: data that cannot be reissued, such as CNIC numbers and family-tree records, is out in the open and in the hands of anti-state and criminal actors.

Objective of this Post

  1. Identify all leaked data sources
    1. Current data access state
    2. Identify how widespread it is by now
    3. Is it a PITB subsidiary or another govt. body?
    4. Does it involve NADRA data?
    5. Does it involve telco data?
    6. Samples of the leaked data
  2. Identify the major leakers/dealers
    1. Screenshots of the conversations made with the sellers
    2. Their PII, including real names, CNIC and mobile phone numbers
    3. Mode of payment

Recommendations from ‘InfoSec Team’

  1. NADRA should revoke all API access granted to PITB and to any other govt. or private body until they pass a comprehensive security assessment
  2. PITB should immediately take all of these APIs and portals off the open internet and rotate all IP addresses and API endpoints
  3. PITB should hire a proper team of security professionals and get a comprehensive security assessment of all of its apps and its datacenter for potential backdoors and vulnerabilities
  4. The Supreme Court of Pakistan must launch an inquiry into this matter to find the real culprits behind this massive data leak, and establish who was responsible for ensuring the security of these apps and APIs

Leaked Data Info

Columns of the original table: leaked data source; features / data items; how current; current state; data format; app URL / upload link; and whether PITB, NADRA or telco data is involved.

  1. Pakistan vs World XI mobile app
     Data items: CNIC info, renter info and other
     How current: Latest, 2018
     Current state: Down
     Data format: Mobile app using the Punjab Job Portal API
     App URL / upload link: Punjab job portal
     Involves: PITB: Yes | NADRA: Yes | Telco: Yes
  2. Agriloan portal (farmer database)
     Data items: Picture + CNIC details of any person
     How current: Latest, 2018
     Current state: Down
     Data format: Online portal access
     App URL / upload link: http://agriloan.punjab.gov.pk/user/login
     Involves: PITB: Yes | NADRA: Yes | Telco: No
  3. CDR data
     Data items: SMS and call records of any mobile number
     How current: Last 3 months
     Current state: Working
     Data format: Online portal access (telco CRM)
     App URL / upload link: Various people have CRM access via VPN to all telcos
     Involves: PITB: N/A | NADRA: No | Telco: Yes
  4. Telco dump
     Data items: MDB databases of registered mobile users per telecom operator
     How current: 2004-17
     Current state: Still valid
     Data format: VM, MS Access, SQL databases
     App URL / upload link: [see links section]
     Involves: PITB: No | NADRA: No | Telco: No
  5. Police toolkit
     Data items: Criminal history, renters record
     How current: Latest, 2018
     Current state: Down
     Data format: Punjabpolice.gov.pk mobile app
     App URL / upload link: .apk being distributed in Facebook and WhatsApp groups
     Involves: PITB: Yes | NADRA: Yes | Telco: Yes
  6. Person Tracker
     Data items: Mobile phone tracking, geo coordinates
     How current: N/A
     Current state: Working
     Data format: Pakdata.ml application
     App URL / upload link: https://play.google.com/store/apps/details?id=com.database.persontracker.lite&hl=en
     Involves: PITB: Yes | NADRA: Yes | Telco: Yes
  7. NADRA Family Tree
     Data items: Full B-form details including family bio data
     How current: Latest, 2018
     Current state: Not sure
     Data format: Images of the files
     App URL / upload link: Hidden / Facebook sellers have it
     Involves: PITB: N/A | NADRA: Yes | Telco: No

Supporting Evidence

CNIC details extracted from World Cup app


A vulnerable Android app made by PITB for the police during the PAK vs World XI cricket match in Lahore gives out hotel check-in information and criminal records

CNIC details extracted from farmer portal (agriloan login)

Sample data extracted from NADRA's live systems through the API that PITB exposed in one of its public portals, 'Agriloan'

CDR data evidence

While this seems unrelated to the PITB leak itself, people hold VPN access to the CRM systems of multiple telcos

CDRs (call data records) covering up to the last 3 months can be purchased for Rs 2000 per number

Offline database dumps of Telecom data

The archives contain several telecom databases with accurate bio data up to 2016

People have built desktop applications on top of these offline databases and are selling them openly

Database sample of customer PII from a telecom company, leaked through the telco APIs exposed to PITB apps

Police Toolkit leaking bio, driving license, criminal record, vehicle ownership data

Another vulnerable PITB web and mobile app for police investigation, being abused because credentials and APK files are shared among police officials

Person Tracker App linked with PakData.ml/cf

Another criminal group has extracted the PITB APIs, dumped the data and wired it into their own apps available on the Play Store

Traffic police license record & Tenant Rentee Record

PITB apps expose complete access to the traffic police driving licence records and to citizens' tenant records

API Map of the leaked mobile apps

Apps, endpoint names, IPs and APIs extracted from the apps; each "%s" is a placeholder the app fills in before sending the request.

Pak vs World XI mobile app
● http://103.226.217.198:81/citizenverfication/api/citizen/biometricdevice [IP belongs to PITB]
● https://www.bioverisys.punjab.gov.pk/api
● http://103.226.217.198:81/citizenverfication/api/citizen/biometricdevice/citizen_profiling/cro_images [IP belongs to PITB]
● https://www.bioverisys.punjab.gov.pk/api/finger_verification
● API Key: “wordlxisa13a3c4ade82b21f9eca5a6402a0”

Police Toolkit (base: https://toolkit.punjabpolice.gov.pk/api_beta_1)
● https://toolkit.punjabpolice.gov.pk/api_beta_1/citizen_profiling/cp
● https://toolkit.punjabpolice.gov.pk/api_beta_1/vehicles/searchexcise/?cnic=%s&engine_number=%s&chasis_number=%s&reg_number=%s&user_id=%s&version_no=%s
● https://toolkit.punjabpolice.gov.pk/api_beta_1/fir_detail/index
● https://toolkit.punjabpolice.gov.pk/api_beta_1/guarantor/index
● https://toolkit.punjabpolice.gov.pk/api_beta_1/citizen_profiling/cro_images
● https://toolkit.punjabpolice.gov.pk/api_beta_1/licence/licenseinfo/?cnic=%s&mobile_number=%s&user_id=%s&license_number=%s&version_no=%s
● https://toolkit.punjabpolice.gov.pk/api_beta_1/po/index/?cnic=%s&name=%s&father_name=%s&urf=%s&from_offset=%s&to_offset=%s&user_id=%s&version_no=%s
● https://toolkit.punjabpolice.gov.pk/api_beta_1/vehicles/searchvehicles/?engine_number=%s&chasis_number=%s&reg_number=%s&user_id=%s&version_no=%s
● https://toolkit.punjabpolice.gov.pk/api_beta_1/subscribers/mobiles/?cnic=%s&mobile_number=%s&user_id=%s&version_no=%s
● https://toolkit.punjabpolice.gov.pk/api_beta_1/subscribers/mobileCDR/?mobile_number=%s&email=%s&date_from=%s&date_to=%s&user_id=%s&version_no=%s
● https://toolkit.punjabpolice.gov.pk/api_beta_1/subscribers/nicDetail/?nic=%s&user_id=%s&version_no=%s
● https://toolkit.punjabpolice.gov.pk/api_beta_1/login/processLogin

Person Tracker: https://pakdata.ml/
Developer: m_hanifshah
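The API map above is the kind of output a static sweep of an app build produces. The following added example (not code from this page or from PITB) shows such a sweep in Python: it takes strings pulled from an APK (for instance `strings` output or decompiled resources) and flags plaintext HTTP, raw-IP hosts, lookup identifiers and a caller `user_id` carried in the query string, and hard-coded API keys. The sample input is constructed to resemble the map and uses documentation hostnames and addresses rather than the real ones.

```python
"""Static audit of strings extracted from a mobile app build for the
anti-patterns visible in the leaked API map. Added example; the sample
input is constructed (documentation hosts/addresses), not real extracted data."""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample modelled on the API map above (not PITB's strings).
SAMPLE_STRINGS = r'''
http://203.0.113.10:81/cv/api/citizen/biometricdevice
https://verify.example.invalid/api/finger_verification
https://toolkit.example.invalid/api_beta_1/licence/licenseinfo/?cnic=%s&mobile_number=%s&user_id=%s&license_number=%s&version_no=%s
https://toolkit.example.invalid/api_beta_1/subscribers/mobileCDR/?mobile_number=%s&email=%s&date_from=%s&date_to=%s&user_id=%s&version_no=%s
https://toolkit.example.invalid/api_beta_1/login/processLogin
public static final String API_KEY = "examplekey0123456789abcdef0123456789";
'''

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# name = "value" / name: 'value' pairs whose name smells like a credential
SECRET_RE = re.compile(
    r'(?i)\b(api[_\- ]?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*["\']([A-Za-z0-9_\-]{20,})["\']')
# Identifiers that key a citizen/subscriber lookup; in a query string they
# are chosen freely by the client and end up in every access log on the path.
LOOKUP_PARAMS = {"cnic", "nic", "mobile_number", "license_number", "reg_number"}


def is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_url(url):
    """Return the parsed endpoint plus a list of human-readable issues."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)  # '%s' survives unquoting
    names = [n for n, _ in params]
    issues = []
    if parts.scheme == "http":
        issues.append("plaintext HTTP")
    if is_raw_ip(parts.hostname or ""):
        issues.append("raw IP address instead of hostname")
    if "user_id" in names:
        issues.append("caller identity sent as a query parameter, not a credential")
    hit = sorted(LOOKUP_PARAMS & set(names))
    if hit:
        issues.append("lookup identifiers in query string: " + ", ".join(hit))
    return {"url": url, "host": parts.hostname, "params": names,
            "templated": sum(1 for _, v in params if v == "%s"), "issues": issues}


def find_hardcoded_secrets(text):
    """(name, value) pairs that look like credentials baked into the build."""
    return [(m.group(1), m.group(2)) for m in SECRET_RE.finditer(text)]


def audit(text):
    endpoints = [audit_url(u) for u in URL_RE.findall(text)]
    return {"endpoints": endpoints,
            "secrets": find_hardcoded_secrets(text),
            "flagged": [e for e in endpoints if e["issues"]]}


if __name__ == "__main__":
    report = audit(SAMPLE_STRINGS)
    for e in report["flagged"]:
        print(e["url"])
        for issue in e["issues"]:
            print("   -", issue)
    for name, value in report["secrets"]:
        print(f"hard-coded {name}: {value[:6]}... ({len(value)} chars)")
```

Run it over `strings classes.dex` or the decompiled sources of a build before release; every endpoint that lands in `flagged`, and every entry in `secrets`, is something an attacker with a copy of the APK gets for free.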

Pak vs World XI app Requests

Sample (unprotected) API calls captured from the PITB apps show that the apps are built and hosted in the PITB datacenter

Sample API call captured from the PITB app; it clearly shows the data being returned without any authentication in place
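To make concrete what "without any authentication in place" means, here is an added example, not PITB's code: a minimal model of a citizen-lookup handler in the leaked style (identity is whatever `user_id` the caller sends) beside a deny-by-default version with per-officer bearer tokens, scopes, a mandatory case reference, per-principal rate limiting and an audit log. The token names, scopes, the fake CNIC record and all field names are invented for the illustration.

```python
"""Minimal model of a citizen-lookup endpoint: the behaviour captured from
the leaked apps (anyone who sends a CNIC gets the record) beside a
deny-by-default handler. Added example only; token store, scopes, record
and field names are invented, nothing here is PITB's code."""
import hashlib
import time
from collections import defaultdict, deque

# Constructed record store with a made-up CNIC number.
RECORDS = {"3520200000001": {"name": "A. Citizen", "city": "Lahore"}}


def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()


# Per-officer tokens, stored hashed, each bound to a scope and an expiry.
# A single app-wide key (as in the leaked app) gives every copy of the APK
# the same identity; per-principal tokens make revocation and audit possible.
TOKENS = {
    _h("officer-1-secret"): {"sub": "officer-1", "scopes": {"citizen:read"}, "exp": time.time() + 3600},
    _h("clerk-7-secret"):   {"sub": "clerk-7",   "scopes": {"vehicle:read"}, "exp": time.time() + 3600},
}
RATE_LIMIT = 5     # lookups per principal per window
WINDOW = 60        # seconds
_hits = defaultdict(deque)
AUDIT_LOG = []     # who looked up what, when, with which outcome


def leaked_style_lookup(query):
    """As captured: user_id is just a query parameter, so it proves nothing."""
    return 200, RECORDS.get(query.get("cnic"), {})


def authenticate(headers):
    """Resolve a 'Bearer <token>' header to its principal, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    entry = TOKENS.get(_h(auth[len("Bearer "):]))
    if entry is None or entry["exp"] < time.time():
        return None
    return entry


def within_rate_limit(sub, now):
    """Sliding-window counter per principal; False once the budget is spent."""
    q = _hits[sub]
    while q and q[0] <= now - WINDOW:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True


def hardened_lookup(headers, query, now=None):
    """Authenticate, authorise by scope, require a case reference, rate-limit,
    and audit every outcome (denials included). Returns (status, body)."""
    now = time.time() if now is None else now
    cnic = query.get("cnic", "")
    principal = authenticate(headers)

    def log(outcome):
        AUDIT_LOG.append({"t": now, "sub": principal["sub"] if principal else None,
                          "cnic": cnic, "case": query.get("case_ref"), "outcome": outcome})

    if principal is None:
        log("unauthenticated")
        return 401, {}
    if "citizen:read" not in principal["scopes"]:
        log("forbidden")
        return 403, {}
    if not query.get("case_ref"):          # every lookup must cite a case/FIR
        log("no_case_ref")
        return 400, {}
    if not within_rate_limit(principal["sub"], now):
        log("rate_limited")
        return 429, {}
    record = RECORDS.get(cnic)
    log("hit" if record else "miss")
    return (200, record) if record else (404, {})


if __name__ == "__main__":
    hdr = {"Authorization": "Bearer officer-1-secret"}
    print(leaked_style_lookup({"cnic": "3520200000001", "user_id": "anyone"}))
    print(hardened_lookup({}, {"cnic": "3520200000001"}))
    print(hardened_lookup(hdr, {"cnic": "3520200000001", "case_ref": "FIR-1"}))
    for entry in AUDIT_LOG:
        print(entry)
```

The rate limit is what turns a leaked officer token from a bulk-dump tool into a handful of records per minute, and the audit log is what lets the operator see which principal's token is being resold; neither exists when identity is a `user_id` string the client types in.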

Open selling of Personal National data

Dozens of secret and public Facebook and WhatsApp groups are operating to sell all kinds of sensitive data leaked from PITB

PITB’s publicly available sensitive portals and admin panels


  1. https://hoteleye.punjab.gov.pk/
  2. http://mspc.punjab.gov.pk/
  3. http://eproc.punjab.gov.pk/
  4. http://mis.ppra.punjab.gov.pk/login/
  5. http://services.punjab.gov.pk/_login/
  6. http://roster.punjab.gov.pk/
  7. https://policereport.punjab.gov.pk/
  8. http://dashboard.tracking.punjab.gov.pk/
  9. http://sms.punjab.gov.pk/
  10. http://mis.hed.punjab.gov.pk/
  11. http://tracking.dgip.gov.pk/
  12. http://fars.pitb.gov.pk/admin/
  13. http://mail.e.pra.punjab.gov.pk/Mondo/lang/sys/login.aspx
  14. https://cims.punjab.gov.pk/dashboard/login
  15. http://crolahore.punjabpolice.gov.pk/
  16. http://crolahore.punjabpolice.gov.pk/login/process_login
  17. https://ctdfir.punjab.gov.pk/
  18. http://202.83.173.90/FIR/login
  19. https://www.pitb.gov.pk/hotel_eye
  20. https://www.pitb.gov.pk/iasb
  21. https://www.pitb.gov.pk/sis
  22. http://fc.punjab.gov.pk/services/
  23. https://es.punjab.gov.pk/eStampCitizenPortal/ChallanFormView/VerifyStamp
  24. http://ureport.punjab.gov.pk/
  25. https://fir.punjabpolice.gov.pk/login

PITB has made scores of such critical portals public; with no security controls in place, they are likely to be exploited in the coming days

Links & References

NADRA and PITB Hacked?

NADRA and PITB may deny any claim that NADRA was hacked, but when data is fed out over APIs with no checks and balances, it is no less than a hack. If your confidential data sells for $2, that shows the state of their cyber security, and until everyone who sold the data is brought to book we can only say that NADRA was hacked.

NADRA CNIC Record

NADRA does provide official ways of checking the progress of CNIC / Smart Card / NICOP applications, hosted on its own official link: https://id.nadra.gov.pk/verify-id/ , which makes sense. Handing access to third parties without vetting the credibility and security of their software, however, is nothing but a hazard and needs to be rethought. A quick Google search for 'nadra id card search by name' turned up many services offering exactly such lookups, like the few shared above. We hope digital security and information privacy are ensured by all nations.
