Read UIDAI and Cross Match’s reply to this story and our response to them here Foreign Firms Given Access To Your Unencrypted Aadhaar Data. Our international readers can read this story in French here and in Turkish here.


Today WikiLeaks published secret documents from the ExpressLane project of the CIA. These documents show one of the cyber operations the CIA conducts against liaison services — which include, among many others, the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

The OTS (Office of Technical Services), a branch within the CIA, has a biometric collection system that is provided to liaison services around the world — with the expectation that the biometric takes collected on the systems will be shared. But this ‘voluntary sharing’ obviously does not work or is considered insufficient by the CIA, because ExpressLane is a covert information collection tool that is used by the CIA to secretly exfiltrate data collections from such systems provided to liaison services.

ExpressLane is installed and run by OTS agents who visit the liaison sites, under the cover of upgrading the biometric software. Liaison officers overseeing this procedure will remain unsuspicious, as the data exfiltration is disguised behind a Windows installation splash screen.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan.

Cross Match certified by UIDAI

Cross Match was one of the first suppliers of biometric devices certified by UIDAI for the Aadhaar program. The company received the Certificate of Approval from the Indian Government in 2011. Cross Match received the Certificate of Approval for its Guardian fingerprint capture device and the I SCAN dual iris capture device on October 7, 2011. Both systems utilize Cross Match’s patented Auto Capture feature, which quickly captures high-quality images with minimal operator involvement.

The biometric devices (enrolment) from Cross Match have been granted the Certificate of Approval by UIDAI and STQC Directorate, Department of Information Technology, New Delhi

The Certificate of Approval was issued after completion of all tests required to demonstrate compliance with the quality requirements of UIDAI. The certification body consists of the Standardization, Testing and Quality Certification (STQC) Directorate for the Government of India’s Department of Information Technology (DIT) and the UIDAI. The tests performed by the STQC included the following criteria: Physical & Dimensional, Image Quality, Environmental (Durability/Climatic), Safety, EMI/EMC, Security, Functional, Performance, Interoperability, Ease of Use & Ergonomics.


The majority of UIDAI-certified enrollment agencies across India use Cross Match devices. Cross Match was also the first company to receive the Provisional Certificate for use in the UID program, in September 2010. A video featuring the Cross Match Guardian and I SCAN devices has been taken down from the official UIDAI website.

Francisco Partners

In 2012, Francisco Partners acquired Cross Match Technologies Inc. The company has more than 5,000 customers worldwide and over 250,000 products deployed in over 80 countries. Cross Match’s customers include the U.S. Department of Defense, Department of Homeland Security, U.S. State Department and various state and local governments; as well as numerous foreign governments and law enforcement agencies. It also provides biometric solutions to customers in transportation, critical infrastructure, financial services, education, and healthcare sectors.


One of Francisco Partners’ portfolio companies is an Israeli cyber weapons dealer called NSO Group. The company’s Pegasus iOS malware was linked to attacks on iPhones of a prominent UAE activist and a Mexican journalist.

Researchers from the University of Toronto’s Citizen Lab and mobile security firm Lookout raised questions about the ethics of NSO Group, a government spyware provider founded by an alum of Israel’s vaunted intelligence agencies. Francisco Partners bought its stake in the company for $120 million in 2014. Citizen Lab uncovered NSO’s Pegasus malware targeting iPhones of a Mexican journalist and a UAE activist. The same day, FORBES reported that Francisco Partners added Circles to its roster of investments, another Israeli-founded surveillance firm, which sold contentious gear to hack a part of global telecoms networks, known as SS7. That cost the private equity firm $130 million, a source close to the deal told FORBES.

Spying governments, activists & journalists

Francisco Partners also ran Turkey’s spy operations by selling its deep packet inspection product for surveillance. Deep packet inspection enables surveillance at the outset. Its very purpose is to open up “packets” of data flying across networks and inspect them to check if they should pass. DPI has made headlines for controversial use cases. China, for instance, likes to use DPI in its infamous censorship and surveillance systems. Sunnyvale, California-based Blue Coat Systems, in which Francisco Partners was a significant investor, saw its DPI technology censoring the internet in Syria in 2011, just as the civil war was erupting. Human rights activists looked on agog, but Blue Coat later said resellers were to blame and that it had not given permission for the technology to be shipped to the country. One reseller was later slapped with a maximum fine of $2.8 million by the Bureau of Industry and Security (BIS). (Francisco Partners also has stakes in Barracuda Networks and Dell Software, which both ship DPI products).

Aadhaar’s biometric pioneer

The foundation of the Aadhaar program is based on biometric and demographic data that is unique to each citizen. This data can only be collected by leveraging biometric devices and compatible software – the second and third stages of the Aadhaar value chain.

Cross Match’s Indian partner for the UID program is Smart Identity Devices Pvt. Ltd. (Smart ID). Smart Identity Devices, or Smart ID, has been the biometric pioneer and leader for the Aadhaar program. Smart ID provides biometric technology, smart card, and information and communication technology products and services for numerous sectors, such as financial services, logistics, government, and IT security. Launching commercial operations in 2008, Smart ID is based in Noida, India and is led by Sanjeev Mathur. The company’s devices are being used by enrollment agencies across India for the Aadhaar program.

According to a recent study by Research and Markets, India’s biometrics market is forecast to hit about $2 billion by 2018.

Smart ID’s products and services range from biometric products, to mobile application solutions, to services such as Aadhaar enrollment, training, project management, IT hosting, and business correspondent management. As of 2014, Smart ID was able to carry out enrollment activities across India in states such as Jharkhand, Tamil Nadu, Orissa, Uttar Pradesh, West Bengal, and Madhya Pradesh. Smart ID has already enrolled more than 1.2 million citizens into the Aadhaar program through its enrollment agencies.

In July 2011, the UIDAI recognized Smart ID as being one of the three best enrollment agencies in Aadhaar for enrolling more than 25 million citizens in a very short time frame. Cross Match’s own presentation prepared for the UID study claims more than 620 million enrollments. This CIA-bugged Cross Match Aadhaar UID kit is also available on the open market. You can even buy it for Rs 63,999 a pair.

The price of a Smart ID Patrol ID fingerprint scanner was approximately $2300 in 2014. And these devices were installed across the country. It would be interesting to know how much the Indian government paid this CIA front company for the exercise. Let’s say UIDAI installed 10,000 such bugged CIA devices across the country for enrollment (which is a very conservative estimate); the staggering cost would be 1473554800 Rs.

How CIA agents can access Aadhaar database in real-time

A number of the CIA’s electronic attack methods are designed for physical proximity. These attack methods are able to penetrate high-security networks that are disconnected from the internet, such as police record databases. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions physically infiltrates the targeted workplace. The attacker is provided with a USB containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects and exfiltrates data to removable media. For example, the CIA attack system Fine Dining provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos (e.g. VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos). But while the decoy application is on the screen, the underlying system is automatically infected and ransacked.

Fine Dining comes with a standardized questionnaire, i.e. a menu, that CIA case officers fill out. The questionnaire is used by the agency’s OSB (Operational Support Branch) to transform the requests of case officers into technical requirements for hacking attacks (typically “exfiltrating” information from computer systems) for specific operations. The questionnaire allows the OSB to identify how to adapt existing tools for the operation, and communicate this to CIA malware configuration staff. The OSB functions as the interface between CIA operational staff and the relevant technical support staff.

Among the list of possible targets of the collection are ‘Asset’, ‘Liason Asset’, ‘System Administrator’, ‘Foreign Information Operations’, ‘Foreign Intelligence Agencies’ and ‘Foreign Government Entities’. Notably absent is any reference to extremists or transnational criminals. The ‘Case Officer’ is also asked to specify the environment of the target like the type of computer, operating system used, Internet connectivity and installed anti-virus utilities (PSPs) as well as a list of file types to be exfiltrated like Office documents, audio, video, images or custom file types. The ‘menu’ also asks for information if recurring access to the target is possible and how long unobserved access to the computer can be maintained. This information is used by the CIA’s ‘JQJIMPROVISE’ software to configure a set of CIA malware suited to the specific needs of an operation.

Here is the official training manual that contains the detailed steps for carrying out the installation and configuration of Cross Match for the Aadhaar Enrolment Client. This manual also describes the process of importing master data after downloading it from the UIDAI Admin Portal.

Official UIDAI training manual describing the process of importing master data after downloading it from the UIDAI Admin Portal
Installation and Configuration of Aadhaar Enrolment Client Version 2.0.0.2 Release date 27-11-2012


It is remarkable that Aadhaar and Al-Qaeda mean the same thing, which is “foundation” – Manu Joseph pointed out this tweetable fact in his piece on Live Mint. What we might add is that it is also remarkable that both Aadhaar and Al Qaeda are illegitimate sons of the same mother!

Shelley Kasli
Shelley Kasli is the Co-founder and Editor at GreatGameIndia, a quarterly journal on geopolitics and international affairs. He can be reached at shelley.kasli@greatgameindia.com

21 COMMENTS

  1. One thing is stupid. That’s when it’s already known that every electronic device is already bugged and your laptop, mobile phone, has already uploaded your data including your name, address, location, pictures, videos and even allowing them live view of you without you even switching on your laptop or camera and even your smart TV live beaming your pictures from living room to U.S. servers or Chinese or anywhere what UIDAI are you talking about? It’s absolute ignorance to think that anything electronic is safe to protect. It’s not. If you really want privacy, one must stop using electronic devices. Else be known that every device is bugged by CIA or Chinese.

  2. SOME QUESTIONS TO CIA

    On reading this, some questions arise in my mind. Kindly answer them:

    1. Can I also be treated as the citizen of United States of America, because, the confidential information received by my government may have been stolen by your worldwide spies, further they may have already come within your control limit?

    2. Who are all accessing my data and how they are being accessed?

    3. What are your future plans by using my biometric information already in your hands, obtained by illegal approaches?

    4. Did this sensitive information come to your hands either with the conscious of our Indian government or not?

    5. Do you really want to keep this information carefully in your computer or soon be deleted?

    That’s all for now!

  3. The issue is not about security of Aadhaar data. CIA cannot do much with it. You pay some guy Rs 10k and he will give his iris, thumb print, DOB, mum’s name, uncle name, neighbor’s dog name etc etc. The critical part is, system which rely on Aadhaar as the ONLY source of authentication in a non-human interface. When a human is involved, obviously he will do a photo match.

    So this is like blaming English language, because CIA knows your password. Aadhaar and 2 factor pin will provide pretty good security for normal law abiding people. If you are in dodgy things, well… good luck.

    I understand security is always critical. However the target seems to be the Aadhaar as a concept, rather than data protection. People have no issues having Gmail accounts on US based servers, flashing iPhone with iCloud, but are worried about CIA bugging scanning devices.

    Aadhaar as a concept is providing India with a phenomenal capability. Please contribute to make it powerful.

    • What about if someone use your biometric to do financial transaction or some other activity which can be done by just fingerprints?
      Remember you can change credit card, pin, password but not your fingerprints.

      • As I mentioned, it is job of the service provider to handle transaction security by providing additional security like 2 factor authentication. Aadhaar is not responsible for banking security, nor is it a security framework. If banks feel there is a chance of fraud, then they need to provide 2 factor authentication.

    • You’re talking everything but ignoring the status of sensitive biometric information. An intelligence community like CIA do not go for your uncle’s name or name of the dog in your neighbor’s home. Be intellectual and cautious. Anyone can’t still justify all possible ways of how utilizing maximum your finger prints and iris data. It’s beyond anyone’s imagination, further lead to control anybody’s mind from satellite, or something, which could be dangerous to individual or national security. We have further worry as CIA top level admins have secret link with evil Secret Societies like Illuminati, who are planning to do evil causes to human society.

      • Let me put in simple words. If CIA/RAW wants your entire life history, they will get it. There is nothing you or me can do, nor can we prevent it. Why would CIA waste time getting Aadhaar data, when it can intercept transaction data plugging directly into ISP servers? The password that you type in your browser goes through internet, which CIA can intercept quite easily.

        If you think this data cannot be decrypted, then I have a Taj Mahal to sell...
