Data of 47,000 BSNL Employees ExposedFrench Researcher Alerts Firm of Vulnerabilities; Corrective Measures Taken
In yet more evidence of the security shortcomings of government websites in India, a researcher determined that the websites of Bharat Sanchar Nigam Limited, or BSNL, the state-run telecommunications company, were hackable because of SQL injection vulnerabilities.
The researcher who goes by the Twitter name Elliot Alderson, the main protagonist in the popular TV series "Mr Robot," says he was able to access the names, mobile numbers and passwords of BSNL's 47,000 employees as a result of taking advantage of the security flaws. Information Security Media Group has a copy of the data, which shows names, email ids, mobile numbers and passwords.
After reporting to BSNL, Alderson in a tweet said the flaws have been fixed. "I want to thank @BSNLCorporate for their cooperation and their reactivity. All the issues below have been disclosed to them privately and fixed during the weekend. I hope they will take the appropriate actions internally."
ISMG reached out to Alderson and asked what's prompting him to check Indian websites. "I am motivated to change things around me. Today many Indian government websites are insecure and one can't (continue) staying like this," he says.
Earlier, Alderson had also shared via Twitter the details of how a basic hacking technique - SQL injection - could be used to breach the Telangana government's benefit disbursement portal TSPost, which has the account details - including Aadhaar numbers - of 56 lakh beneficiaries of National Rural Employment Guarantee Act, NREGA, a government program and 40 lakh beneficiaries of the social security pension.
"In theory, a government website is very secure but in India, it's another story. ... http://tspost.aponline.gov.in is vulnerable to a basic SQL injection," Alderson wrote on Twitter last week after discovering vulnerabilities on the Telangana government portal.
"Honestly I am not surprised. This is an old story," says Mumbai-based Dinesh O. Bareja, COO at Open Security Alliance. "While there is a lot of talk by the government on security, the government on most occasions ends up building yet another cybersecurity body which contributes little to overall security posture."
In his tweet, Alderson mentioned that the vulnerabilities in BSNL were originally discovered and revealed to the company's officials two years ago by a student of Indian Institute of Science, Kharagpur. "I found this a few days ago, but I'm not the first one to discover it. This issue was discovered by an Indian, Sai Krishna Kothapalli, two years ago. He sent mails to BSNL, even called senior officers, but nobody answered him. Once again, it shows the importance for big companies like BSNL to take into account this kind of alert," he tweeted on Sunday.
Their websites had a lot of open directories which allowed everybody to consult their documents:— Elliot Alderson (@fs0c131y) March 4, 2018
- https://t.co/BLEcYcdYWl pic.twitter.com/xjzWkt2lt1
Some security experts say that since the vulnerabilities highlighted by Alderson were actually discovered two years ago and brought forward by Kothapalli, it is shocking that BSNL apparently decided to ignore it.
The incidents also raise questions on the audit standards followed by public sector units in India. "All auditors should be questioned by Computer Emergency Response Team, or CERT-In. But we continue to ignore such incidents and brush them under the carpet," Bareja says.
Where's the Vulnerability?
Alderson says he gained access to data within the BSNL sites by embedding a malicious code into the intranet application by which he was able access the entire database of employees, both present and past.
In addition, Alderson notes, "Two of the BSNL websites - intranethr.bsnl.co.in and intranetuk.bsnl.co.in - were attacked by a ransomware but BSNL didn't seem to notice".
BSNL did not immediately reply to Information Security Media Group's request for comment.
Many SQL injection attacks are executed by targeting poorly secured, internet-connected databases (see: 5 Lessons from the TalkTalk Hack).
Such attacks can also be deployed by abusing file transfer protocol, or FTP. "In such cases, certain malicious scripts executed by an attacker can sniff-out the FTP passwords. The result of successful SQL injection can be disastrous as seen in this case where the researcher could obtain BSNL employees' data from the BSNL database," says Rohan Vibhandik, a Pune-based cybersecurity researcher working for a global company.
Lack of Action
The vulnerability exploited in the cases of BSNL and Telangana website are basic and should have been either avoided by using secure development cycle practices or could have been detected when examining source code, some security experts say.
"There is nothing complicated here. This is typical case of negligence. When an Indian researcher had highlighted the issue two years ago, then why didn't BSNL take any action? The basic problem with these government bodies are that they don't want to take suggestions from independent researchers," says a security practitioner who asked not to be named.
"This raises some intriguing questions about the state of IT security maintained by public sector units, or PSUs, and their dedication in protecting the critical infrastructure of the country along with the data of millions of users," says Noida-based Pavan Kushwaha, founder and CEO at Kartikal Tech, a security testing firm.
Another independent security researcher, who asked to remain anonymous, shares his experience working with BSNL: "I have myself reached out to them several times about certain vulnerabilities. But despite this, they have rarely acknowledged that there is something wrong in their system."
Need For Strong Controls
Some security practitioners siuggest that CERT-In should be more strict with auditors who fail to discover basic vulnerabilities because it has the power to question them in case when things go wrong.
Vibhandik suggests government websites should take several risk mitigation steps, including:
- Using SFTP instead of FTP. Secure FTP provides encryption while transfering the data. So it is difficult for attacker to eavesdrop or sniff out the sensitive credentials;
- Deploying code obfuscation techniques to make code difficult for attackers to read. Scanners and fuzzers can be used to find injection flaws;
- Always check and monitor website certification authority updates, expirations and renewals and upgrade the backend as well.