South African Government Biometric Identity Verification System Exposed Online
CyberSKR discovered that a biometric identity verification system operated by South Africa's Department of Home Affairs (DHA) had been left publicly accessible online since at least August 2013.
The Home Affairs National Identification System (HANIS) provides a service for financial institutions, mainly banks, that "enables the verification of the customer’s identity by checking their identity number and biometric data against the data hosted at the Department of Home Affairs" (securitysa.com).
HANIS is a joint venture between South Africa's DHA and the South African Banking Risk Identification Centre (SABRIC), which aims to "combat bank-related identity fraud and corruption" (gov.za).
Following the best practices of responsible disclosure, several attempts were made to contact the webmasters and support staff responsible for the system. Although we have yet to receive a reply from the DHA, it seems public access has finally been restricted. As this system is (hopefully) now secured from the outside world, we believe we can responsibly discuss the finding.
The first result on DuckDuckGo for the term "crossmatch verifier 300 scanner" (including the quotes) was a result from a subdomain on dha.gov.za, indicating it was an official government website belonging to South Africa's Department of Home Affairs.
Browsing to the root of the subdomain (http://bvrserver.dha.gov.za) presented a landing page titled "Online Verification" (shown below) bearing the official South African coat of arms.
Two images of fingerprint scanners (the CrossMatch Verifier 300 & CrossMatch LScan 100) were also displayed, as well as a note stating "In the case that the workstation doesn't have the drivers installed for the fingerprint scanner, please download and install from the below links". Links were provided for the drivers and setup files for each device, as well as an in-depth "Installation & User Guide" in the form of a PDF document. The following images have been sanitised by CyberSKR.
The "Installation & User Guide" PDF provided detailed instructions on how to install the required drivers and software, as well as how to operate the devices. Using the information provided in the guide, it was possible to access the AFIS "printout" for a transaction, which included a person's ID number and photo, as well as a timestamp and the reason for the transaction; we sincerely hope this is test data.
At the time of writing the subdomain shows an "Access Denied" message.
The information in this post has not been verified by South Africa's Department of Home Affairs.
- Installation & User Guide
- Original Subdomain (now restricted)
- DuckDuckGo search (at time of writing)
- Landing page
- CrossMatch LScan 100 Drivers
- CrossMatch Verifier 300 Drivers
- CrossMatch Verifier 300 Setup
- CrossMatch Verifier 300 Form
Special thanks to a member of the cyber security community for their input.