Hacktivists claim to expose facial recognition used by Iranian regime to catch dissenters
A hacktivist group says it has breached a software system that the Iranian authorities have allegedly been using to surveil the country’s citizens, including a facial recognition tool for video surveillance.
The group, called GhostSec, has exposed approximately 26GB of data, including source code.
Among the exposed pieces of software is Behnama, a video surveillance system with facial recognition capabilities. The system was initially deployed across branches of Pasargad Bank. The software has since been used by other companies.
“Behnama is not just a tool; it is a powerful instrument of surveillance,” GhostSec writes on its Telegram channel. “It is being actively used by the Iranian government, law enforcement agencies, and military personnel, marking a significant development in the country’s surveillance capabilities.”
The group clarified that no facial data has been exposed, only the code itself.
The breached software was made by FANAP, a company owned by the private Iranian financial and investment corporation Pasargad Financial Group (PFG) which also owns Pasargad Bank.
Other systems that were uncovered include BehCard, a face biometrics system for printing ID cards, a car GPS and tracking system called BehYab as well as number-plate recognition system BehKhan. GhostSec believes that the license plate recognition tool was used to track down women who are not wearing a hijab.
Iranian authorities have been pushing ahead with introducing surveillance technologies, including the country’s Faraja CCTV cameras, in order to crack down on women who reject mandatory hijab. Since April 2023, more than a million women have received text messages warning that their vehicles could be confiscated after they were captured on camera without their headscarves.
In August, the Iranian parliament discussed a new bill on enforcing modesty known as the Hijab and Chastity Bill behind closed doors.
Researchers have previously reported Iranians have been receiving police notices on hijab violations, despite having no contact with law enforcement, indicating that facial recognition or license plate recognition may have been used to spot them. But some experts remain skeptical about the technological capabilities of the Iranian regime.
The surveillance system discovered by GhostSec may go deeper than what video cameras can see. The group claims that FANAP’s software is linked to a single sign-on (SSO) platform employed by the government for online user authentication.
Pasargad Financial Group’s primary mission was to design and prepare a native Iranian banking solution. But it expanded their activities further than that, according to the hacktivist group. The single sign-on platform is now being used by the Iranian regime to compile information on Iranian citizens and classify who can access certain services, according to their analysis.
As evidence, the group has shared a portion of the software’s source code on its Telegram channel called Iran Exposed.
“Please share and inform the world about the existence of this thing that we called a ‘software,’” GhostSec writes. “Protect everyone’s privacy against this new type of weapon. This system will not stop at Iran’s borders.”
FANAP could not be reached for comment. According to GhostSec, the company has made its website accessible only from inside Iran.
The group says it will continue publishing its findings on the surveillance system including how it relates to Iran’s Legal Intercept System Interfaces and Mobile Service Provider Systems, which include details on Iranian mobile network subscribers.
Concerns grow over biometric data use in the Middle East
Privacy watchdogs are sounding the alarm over the possibility of using biometric information to crack down on human rights across the Middle East, Deutsche Welle reports. The latest example includes Khalaf al-Romaithi, an Emirati dissident who was detained on his flight from Turkey to Jordan after an iris scan.
Many countries, including Iran, Qatar, Kuwait, Saudi Arabia and the United Arab Emirates, have gathered biometric information as part of citizenship registration or voter registration. But the increasing use of biometric technology has enabled closer cooperation between repressive governments in the Middle East and in central Asia, according to Yana Gorokhovskaia from U.S.-based Freedom House.
The technology has also become faster and cheaper than ever expanding the potential for arbitrary mass surveillance, says Ella Jakubowska, a senior policy advisor at the Brussels-based European Digital Rights Network (EDRi).
The solution proposed by some organizations is a complete ban on remote biometric identification and preventing the export of the technology.