Yesterday WikiLeaks published secret documents from the ExpressLane project of the CIA. These documents show one of the cyber operations the CIA conducts against liaison services, which include, among many others, the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).
The OTS (Office of Technical Services), a branch within the CIA, has a biometric collection system that is provided to liaison services around the world, with the expectation that the biometric takes collected on those systems will be shared. But this ‘voluntary sharing’ obviously does not work or is considered insufficient by the CIA, because ExpressLane is a covert information collection tool the CIA uses to secretly exfiltrate data collections from the systems it has provided to liaison services.
ExpressLane is installed and run under the cover of a biometric software upgrade by OTS agents who visit the liaison sites. Liaison officers overseeing this procedure remain unsuspicious, as the data exfiltration is disguised behind a Windows installation splash screen.
The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan.
Cross Match certified by UIDAI
Cross Match was one of the first suppliers of biometric devices certified by UIDAI for the Aadhaar program. The company received the Certificate of Approval from the Indian Government in 2011: on October 7, 2011, Cross Match received the Certificate of Approval for its Guardian fingerprint capture device and the I SCAN dual iris capture device. Both systems utilize Cross Match’s patented Auto Capture feature, which quickly captures high-quality images with minimal operator involvement.
The Certificate of Approval was issued after completion of all tests required to demonstrate compliance with the quality requirements of UIDAI. The certification body consists of the Standardization, Testing and Quality Certification (STQC) Directorate of the Government of India’s Department of Information Technology (DIT) and the UIDAI. The tests performed by the STQC covered the following criteria: Physical & Dimensional, Image Quality, Environmental (Durability/Climatic), Safety, EMI/EMC, Security, Functional, Performance, Interoperability, and Ease of Use & Ergonomics.
The majority of the UIDAI-certified enrollment agencies across India use Cross Match devices. Cross Match was also the first company to receive the Provisional Certificate for use in the UID program, in September 2010. A video featuring the Cross Match Guardian and I SCAN devices has since been taken down from the official UIDAI website.
In 2012, Francisco Partners acquired Cross Match Technologies Inc. The company has more than 5,000 customers worldwide and over 250,000 products deployed in over 80 countries. Cross Match’s customers include the U.S. Department of Defense, Department of Homeland Security, U.S. State Department and various state and local governments; as well as numerous foreign governments and law enforcement agencies. It also provides biometric solutions to customers in transportation, critical infrastructure, financial services, education, and healthcare sectors.
One of Francisco Partners’ portfolio companies is an Israeli cyber weapons dealer called NSO Group. The company’s Pegasus iOS malware was linked to attacks on the iPhones of a prominent UAE activist and a Mexican journalist.
Researchers from the University of Toronto’s Citizen Lab and mobile security firm Lookout raised questions about the ethics of NSO Group, a government spyware provider founded by an alum of Israel’s vaunted intelligence agencies. Francisco Partners bought its stake in the company for $120 million in 2014. Citizen Lab uncovered NSO’s Pegasus malware targeting iPhones of a Mexican journalist and a UAE activist. The same day, FORBES reported that Francisco Partners added Circles to its roster of investments, another Israeli-founded surveillance firm, which sold contentious gear to hack a part of global telecoms networks, known as SS7. That cost the private equity firm $130 million, a source close to the deal told FORBES.
Spying on governments, activists & journalists
Francisco Partners also ran Turkey’s spy operations by selling its deep packet inspection product for surveillance. Deep packet inspection enables surveillance at the outset: its very purpose is to open up the “packets” of data flying across networks and inspect them to decide whether they should pass. DPI has made headlines for controversial use cases. China, for instance, likes to use DPI in its infamous censorship and surveillance systems. Sunnyvale, California-based Blue Coat Systems, in which Francisco Partners was a significant investor, saw its DPI technology censoring the internet in Syria in 2011, just as the civil war was erupting. Human rights activists looked on agog, but Blue Coat later said resellers were to blame and that it had not given permission for the technology to be shipped to the country. One reseller was later slapped with a maximum fine of $2.8 million by the Bureau of Industry and Security (BIS). (Francisco Partners also has stakes in Barracuda Networks and Dell Software, which both ship DPI products.)
Aadhaar’s biometric pioneer
The Aadhaar program is founded on biometric and demographic data that is unique to each citizen. This data can only be collected by leveraging biometric devices and compatible software, the second and third stages of the Aadhaar value chain.
Cross Match’s Indian partner for the UID program is Smart Identity Devices Pvt. Ltd. (Smart ID), the biometric pioneer and leader for the Aadhaar program. Smart ID provides biometric technology, smart card, and information and communication technology products and services for numerous sectors, such as financial services, logistics, government, and IT security. Smart ID launched commercial operations in 2008, is based in Noida, India, and is led by Sanjeev Mathur. The company’s devices are used by enrollment agencies across India for the Aadhaar program.
According to a recent study by Research and Markets, India’s biometrics market is forecast to hit about $2 billion by 2018.
Smart ID’s products and services range from biometric products to mobile application solutions to services such as Aadhaar enrollment, training, project management, IT hosting, and business correspondent management. As of 2014, Smart ID was able to carry out enrollment activities across India in states such as Jharkhand, Tamil Nadu, Orissa, Uttar Pradesh, West Bengal, and Madhya Pradesh. Smart ID has already enrolled more than 1.2 million citizens into the Aadhaar program through its enrollment agencies. In July 2011, the UIDAI recognized Smart ID as one of the three best enrollment agencies in Aadhaar for enrolling more than 25 million citizens in a very short time frame.
The price of a Smart ID Patrol ID fingerprint scanner was approximately $2300 in 2014, and these devices were installed across the country. It would be interesting to know how much the Indian government paid this CIA front company for the exercise. Let’s say UIDAI installed 10,000 such bugged CIA devices across the country for enrollment (which is a very conservative estimate); the staggering cost would be 1473554800 Rs.
How CIA agents can access the Aadhaar database in real time
A number of the CIA’s electronic attack methods are designed for physical proximity. These methods are able to penetrate high-security networks that are disconnected from the internet, such as a police records database. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions physically infiltrates the targeted workplace. The attacker is provided with a USB containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects the machine and exfiltrates data to removable media. For example, the CIA attack system Fine Dining provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos (e.g. VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos).
But while the decoy application is on the screen, the underlying system is automatically infected and ransacked.
Fine Dining comes with a standardized questionnaire, i.e. a ‘menu’, that CIA case officers fill out. The questionnaire is used by the agency’s OSB (Operational Support Branch) to transform the requests of case officers into technical requirements for hacking attacks (typically “exfiltrating” information from computer systems) for specific operations. The questionnaire allows the OSB to identify how to adapt existing tools for the operation and to communicate this to CIA malware configuration staff. The OSB functions as the interface between CIA operational staff and the relevant technical support staff.
Among the possible targets of the collection listed are ‘Asset’, ‘Liaison Asset’, ‘System Administrator’, ‘Foreign Information Operations’, ‘Foreign Intelligence Agencies’ and ‘Foreign Government Entities’. Notably absent is any reference to extremists or transnational criminals. The ‘Case Officer’ is also asked to specify the environment of the target, such as the type of computer, the operating system used, Internet connectivity and installed anti-virus utilities (PSPs), as well as a list of file types to be exfiltrated, such as Office documents, audio, video, images or custom file types. The ‘menu’ also asks whether recurring access to the target is possible and how long unobserved access to the computer can be maintained. This information is used by the CIA’s ‘JQJIMPROVISE’ software to configure a set of CIA malware suited to the specific needs of an operation.
Here is the official training manual that contains the detailed steps for carrying out the installation and configuration of Cross Match for the Aadhaar Enrolment Client. This manual also describes the process of importing master data after downloading it from the UIDAI Admin Portal.
It is remarkable that Aadhaar and Al-Qaeda mean the same thing, “foundation”; Manu Joseph pointed out this tweetable fact in his piece on Live Mint. What we might add is that it is also remarkable that both Aadhaar and Al-Qaeda are illegitimate sons of the same mother!
Credits: Shelley Kasli