BSNL cyber security could have been fixed two years ago
Sean O'Brien March 6, 2018
More than two years ago, Prime Minister Narendra Modi proclaimed, "The biggest challenge before the whole world is how to ensure cyber security," noting that India has "the highest number of people working in Silicon Valley". He challenged technical institutions to "take on the cyber security challenge worldwide". This speech was delivered at IIT Guwahati at a youth rally filled with students.
One month later, one of those IIT Guwahati students tried desperately to contact state-owned telecom Bharat Sanchar Nigam Limited (BSNL) about a severe cyber security vulnerability. "I have found a serious security vulnerability in one of BSNL's websites," wrote Sai Krishna Kothapalli. "Anyone can access the database which contains important information about all (BSNL) employees," he said.
He emphasized the severity of the problem with a stark warning - "The database contains [gigabytes] of data. If some hacker gets his hands on it, it would be the largest data dump or hack in Indian history." One week later, he complained on Twitter, "Haven't got a single reply from them. Lakhs of BSNL employees personal info and so much other data at risk (sic)."
We now know that the database contained personal and sensitive information on more than 47,000 current and former BSNL employees, including name, title, password, date of birth, mobile phone number, retirement date, and e-mail address. Full administrator and senior officer details were included in that database as well. Surely someone at the company would be worried?
Sai Krishna tried calling BSNL, he tried messaging BSNL on Facebook, he tried messaging BSNL on Twitter - but there was not a single acknowledgement or reply, and there is no centralized place to report cyber vulnerabilities like these.
For 25 months, this vulnerability has been waiting for 'black hat hackers', the bad guys, to exploit it. As far as we know, that has not happened and there has been no data breach. Thanks to a French cybersecurity researcher, Baptiste Robert, or 'Elliot Alderson', that vulnerability and four others have finally been fixed or mitigated.
There are now serious questions about what has been lost, and who may have had unauthorized access to BSNL's internal network. The reported vulnerabilities included two infections by ransomware called 'AwesomeWare' that locked BSNL out of its own Intranet portals. The company was not even aware of them. Archived snapshots of these portals reveal that they were used to check broadband usage status and to make bill payments, at least as late as March 2013. That is sensitive information, by any reasonable measure.
The other two security issues with BSNL were less severe, but still quite worrisome. In the first case, a real-time bandwidth monitoring system was made publicly available. In the second case, eight directories of private BSNL documents were open on the web for anyone to access, including those on the two aforementioned Intranet portals.
Unfortunately, this string of vulnerabilities is indicative of a trend of lax cyber security for state-administered databases. Besides the many Aadhaar exploits reported within the past year, Baptiste Robert himself reported serious problems with the mobile mAadhaar app that have yet to be resolved. There are still major vulnerabilities in the Himachal Pradesh Aadhaar app, which stores and transmits data unencrypted. How many months or years until these problems are fixed? In the meantime, very sensitive information about Indian citizens is ripe for the taking.
If amateur and professional researchers can find these vulnerabilities, why is the Indian state incapable of doing so? When will government and the industry learn to actively seek the help of IT security professionals, a resource that is plentiful in India? The Indian IT Act 2000 considers the kind of 'white hat hacking' required to discover, disclose, and fix vulnerabilities a criminal offence. Perhaps worse, government entities like UIDAI prefer to threaten reporters who disclose vulnerabilities that were revealed to them.
However, there are encouraging signs as well. BSNL acknowledged and then fixed or mitigated the issues disclosed to it by Baptiste Robert, though the solutions included taking Intranet portals offline completely, and, of course, the company had not listened to Sai Krishna in 2016. Notable vulnerabilities in police systems have been patched as soon as they were disclosed, and flaws in government website portals were patched in a timely fashion.
If India is to meet the challenge of cyber security, as Prime Minister Modi has proposed, the challenge must be met with honesty, even if it is brutal and exposes flaws in administration or implementation. India has digitized at a rapid pace, perhaps collecting more information on its people than any other state besides the U.S. There is hope to at least contain the damage that such massive collections of data may cause. IIT Guwahati launched a bug bounty program in 2017, the kind of initiative that can stave off the barrage of cyber attacks. If only one of its students, Sai Krishna, had been listened to two years ago, we might not have to wonder how much BSNL data is now in the hands of hackers.
Sean O'Brien is a cyber security researcher and visiting fellow at Yale Privacy Lab, an initiative of the Information Society Project at Yale Law School.