Internet Security Blog - Hackology

PITB Leaks: NADRA Database of 200M User Hacked

Biggest information breach in the history of Pakistan

In November 2011, Mr. Umar Saif took the charge of chairman PITB (Pakistan Information Technology Board) with a vision that he bring about a digital revolution in Punjab. As a result decades old sensitive government data like Police Record, Land Record and such was digitize. It was a great achievement if it had stopped there. Without thinking through its implications, he started to make this confidential data public along with the bio data of 200 million Pakistani citizens acquired from NADRA through various APIs. Mobile apps and web portals without any proper cybersecurity control were made for govt. officials having direct access to Nadra, Teleco and PITB data. These apps and credentials to the portals got leaked over time and now in the hands of 15 year old kids who are selling it online for 200 rupees per copy. This is an alarming situation for the entire nation. All of their non-renewable data is leaked and in the hands of anti-state and criminal actors.

Objective of this Post

  1. Identify all leaked datasources
    1. Current data access state
    2. Identify how widespread it is by now
    3. Is it a PITB subsidiary or any other govt. body
    4. Does it have Nadra data involvement
    5. Does it have Teleco data involvement
    6. Samples of the leaked data
  2. Identify major leaker/dealers
    1. Screenshots of the conversations made with the sellers
    2. Their PII including real names, CNIC, mobile phone numbers
    3. Mode of payment

Recommendations from ‘InfoSec Team’

  1. NADRA should revoke all the APIs of PITB and any other govt or private body until they get through a comprehensive security assessment
  2. PITB should take down all of these APIs and portals from the open internet immediately and change all IP addresses, API endpoints
  3. PITB should hire a proper security professionals team and get a comprehensive security assessment of all of their apps and datacenter for any potential backdoors and vulnerabilities
  4. Supreme court of Pakistan must launch an inquiry into this matter to find out the real culprit behind this massive data leak. It should be found out who was responsible for ensuring the security of these apps and APIs

Leaked Data Info

[sociallocker]

# Leaked data sources Features/Data items How current? Current state Data format App URL / Upload link PITB? NADRA? Telco?
1 Pakistan vs World XI mobile app Cnic info , renter info and other Latest, 2018 Down Mobile app with Punjab Job Portal Api Punjab job portal Yes Yes Yes
2 Agriloan portal

(Farmer database)

Pic + CNIC details of any person Latest, 2018 Down Online portal access http://agriloan.punjab.gov.pk/user/login Yes Yes No
3 CDR data SMS & Call record of any mobile number Last 3 months Working Online portal access (TELCO CRM ) Various people have CRM access via VPN of all telcos N/A No Yes
4 Teleco dump MDB databases containing registered mobile users per telecom operator 2004-17 Still valid VM, MS Access, SQL Databases [See links section] No No No
5 Police toolkit Criminal History, Renters record Latest, 2018 Down Punjabpolice.gov.pk Mobile App .apk being distributed on facebook and whatsapp groups Yes Yes Yes
6 Person Tracker Mobile phone tracking, Geo coordinates N/A Working Pakdata.ml application https://play.google.com/store/apps/details?id=com.database.persontracker.lite&hl=en Yes Yes Yes
7 Nadra Family Tree Full B form details including family bio data Latest, 2018 Not sure Images of the files Hidden / facebook sellers have it N/A Yes No

[/sociallocker]

Supporting Evidence

CNIC details extracted from World Cup app

 

A vulnerable Android app made by PITB for police during PAK vs World XI cricket match in Lahore, gives info on hotel check-ins and criminal record

CNIC details extracted from farmer portal (agriloan login)

Sample data extracted from the live systems of NADRA’s API exposed by PITB in one of its public portal, ‘Agriloan’

CDR data evidence

While this seems unrelated to the PITB leak incident, people have VPN access to CRM of multiple telcos

CDR (Call data records) of upto last 3 months can be purchased for RS 2000 per number

Offline database dumps of Telecom data

Archives contain different telecom databases which contains accurate bio data up to 2016

People have made desktop applications connected with these offline databases and selling them openly

Database sample of a customer PII from a telecom company leak through their APIs exposed to PITB apps

Police Toolkit leaking bio, driving license, criminal record, vehicle ownership data

Another PITB vulnerable web & mobile app for police investigation that is being abused by sharing the credentials and APK files among the police officials

Person Tracker App linked with PakData.ml/cf

Another criminal group has extracted PITB APIs and dumped the data and connected it with their apps available on the playstore

Traffic police license record & Tenant Rentee Record

PITB apps expose complete access to the traffic police driving license and citizen’s tenant record

API Map of the leaked mobile apps

Apps Endpoint Names , IPs, APIs
Pak vs World XI mobile ● http://103.226.217.198:81/citizenverfication/api/citizen/biometricdevice [IP belongs to PITB]

● https://www.bioverisys.punjab.gov.pk/api

● http://103.226.217.198:81/citizenverfication/api/citizen/biometricdevice/citizen_profiling/cro_images [IP belongs to PITB]

https://www.bioverisys.punjab.gov.pk/api/finger_verification

API Key : “wordlxisa13a3c4ade82b21f9eca5a6402a0”

PoliceKIT https://toolkit.punjabpolice.gov.pk/api_beta_1

● https://toolkit.punjabpolice.gov.pk/api_beta_1/citizen_profiling/cp

● https://toolkit.punjabpolice.gov.pk/api_beta_1/vehicles/searchexcise/?cnic=%s&engine_number=%s&chasis_number=%s®_number=%s&user_id=%s&version_no=%s

● https://toolkit.punjabpolice.gov.pk/api_beta_1/fir_detail/index

● https://toolkit.punjabpolice.gov.pk/api_beta_1/guarantor/index

● https://toolkit.punjabpolice.gov.pk/api_beta_1/citizen_profiling/cro_images

● https://toolkit.punjabpolice.gov.pk/api_beta_1/licence/licenseinfo/?cnic=%s&mobile_number=%s&user_id=%s&license_number=%s&version_no=%s

● https://toolkit.punjabpolice.gov.pk/api_beta_1/po/index/?cnic=%s&name=%s&father_name=%s&urf=%s&from_offset=%s&to_offset=%s&user_id=%s&version_no=%s

● https://toolkit.punjabpolice.gov.pk/api_beta_1/vehicles/searchvehicles/?engine_number=%s&chasis_number=%s®_number=%s&user_id=%s&version_no=%s

● https://toolkit.punjabpolice.gov.pk/api_beta_1/subscribers/mobiles/?cnic=%s&mobile_number=%s&user_id=%s&version_no=%s

● https://toolkit.punjabpolice.gov.pk/api_beta_1/subscribers/mobileCDR/?mobile_number=%s&email=%s&date_from=%s&date_to=%s&user_id=%s&version_no=%s

● https://toolkit.punjabpolice.gov.pk/api_beta_1/subscribers/nicDetail/?nic=%s&user_id=%s&version_no=%s

● https://toolkit.punjabpolice.gov.pk/api_beta_1/login/processLogin

Person_Tracker https://pakdata.ml/

Developer: m_hanifshah

Pak vs World XI app Requests

Sample (unprotected) API calls captured from the PITB apps shows the apps are made and hosted in PITB datacenter

Sample (unprotected) API calls captured from the PITB apps shows the apps are made and hosted in PITB datacenter

Sample API call captured from the PITB app, clearly shows the data it returns without any security authentication in place

Open selling of Personal National data

Dozens of secret and public Facebook & WhatsApp groups are operating to sell all kind of secret data leaked from PITB

PITB’s publicly available sensitive portals and admin panels

[sociallocker]

  1. https://hoteleye.punjab.gov.pk/
  2. http://mspc.punjab.gov.pk/
  3. http://eproc.punjab.gov.pk/
  4. http://mis.ppra.punjab.gov.pk/login/
  5. http://services.punjab.gov.pk/_login/
  6. http://roster.punjab.gov.pk/
  7. https://policereport.punjab.gov.pk/
  8. http://dashboard.tracking.punjab.gov.pk/
  9. http://sms.punjab.gov.pk/
  10. http://mis.hed.punjab.gov.pk/
  11. http://tracking.dgip.gov.pk/
  12. http://fars.pitb.gov.pk/admin/
  13. http://mail.e.pra.punjab.gov.pk/Mondo/lang/sys/login.aspx
  14. https://cims.punjab.gov.pk/dashboard/login
  15. http://crolahore.punjabpolice.gov.pk/
  16. http://crolahore.punjabpolice.gov.pk/login/process_login
  17. https://ctdfir.punjab.gov.pk/
  18. http://202.83.173.90/FIR/login
  19. https://www.pitb.gov.pk/hotel_eye
  20. https://www.pitb.gov.pk/iasb
  21. https://www.pitb.gov.pk/sis
  22. http://fc.punjab.gov.pk/services/
  23. https://es.punjab.gov.pk/eStampCitizenPortal/ChallanFormView/VerifyStamp
  24. http://ureport.punjab.gov.pk/
  25. https://fir.punjabpolice.gov.pk/login

[/sociallocker]PITB has made scores of such critical portals public that are likely to get exploited in the coming days due to no security controls in place

Links & References

NADRA and PITB Hacked ?

NADRA and PITB may deny any claims of NADRA being hacked but when data is fed over APIs with no check and balance it is no less than being Hacked . If your confidential data is sold at $2 , it shows the lack of Cyber Security and untill they do not bring all those who sold data we can only say that NADRA was hacked.

NADRA CNIC Record

NADRA does provide official ways of checking progress of CNIC /Smart Card /NICOP etc and their system is hosted on their own official link : https://id.nadra.gov.pk/verify-id/ , which makes sense but giving out access to third parties without ensuring the credibility of their software and how secure it has been made is nothing but a hazard and needs to be re-hashed. A quick google search of ‘nadra id card search by name‘ revealed many services which were providing such services just like few shared above. Hope digital security and info privacy is ensured by all nations

9 comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Get Wise

Subscribe to my newsletter to get latest InfoSec / Hacking News (1 Email/week)
Utopia p2p Ecosystem

Discover more from Internet Security Blog - Hackology

Subscribe now to keep reading and get access to the full archive.

Continue reading