Cybersecurity is a pressing concern for organizations worldwide as attacks grow more sophisticated. With breaches such as those at Uber, Yahoo and Equifax still looming large, companies simply cannot afford shoddy security on their servers. In India, however, the situation is so grim that deep technical knowledge is not needed to break into national databases.
In a recent development, security researcher Baptiste Robert, who goes by the nickname Elliot Alderson on Twitter, found critical flaws in the intranet deployed by the state-run telecom operator Bharat Sanchar Nigam Limited (BSNL).
The researcher was able to obtain complete details on more than 47,000 BSNL employees. Robert uses Elliot Alderson as his Twitter handle as a reference to the lead character, a "vigilante hacker", in the TV series Mr Robot.
1) There was a SQL injection in their intranet website. It allows the attacker to dump the whole database of the BSNL intranet. It contains the information of 47K+ BSNL employees, senior officers' information, BSNL administrators' information, retired employee details and more. pic.twitter.com/HTEwtC63wp
— Elliot Alderson (@fs0c131y) March 4, 2018
Robert said he broke into BSNL's intranet by exploiting a SQL injection flaw in the intranet website, which let him pull an extensive database covering not just current employees but also those who have left the company. The records included employees' names, designations, personal mobile numbers, dates of birth and superannuation, and even their intranet passwords.
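The page does not show the vulnerable query, so the following is an added illustration, not BSNL's code or anything Robert published. It builds a constructed in-memory employee table (hypothetical names and values) with the kinds of columns the article lists, and contrasts a directory search that splices user input into the SQL text with the same search using a bound parameter. Two payloads against the vulnerable version show why a single injection point is enough to dump the whole table: a tautology returns every row, and a UNION pulls the intranet_password column through a query that was never meant to expose it. The parameterized version returns nothing for either payload.

```python
import sqlite3

# Constructed sample data (hypothetical; not BSNL's schema or records).
EMPLOYEES = [
    (1, "A. Sharma", "Junior Telecom Officer", "9800000001", "1979-03-14", "pw-alpha"),
    (2, "R. Iyer", "Deputy General Manager", "9800000002", "1966-11-02", "pw-bravo"),
    (3, "S. Khan", "Section Supervisor", "9800000003", "1984-07-21", "pw-charlie"),
]


def make_db():
    """Create an in-memory SQLite database with a small employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE employees (
               id INTEGER PRIMARY KEY,
               name TEXT,
               designation TEXT,
               mobile TEXT,
               dob TEXT,
               intranet_password TEXT)"""
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


def directory_search_vulnerable(conn, name):
    # The attacker-controlled value is pasted straight into the SQL text, so
    # quote characters, OR clauses, UNIONs and -- comments become part of the query.
    sql = (
        "SELECT name, designation, mobile FROM employees "
        f"WHERE name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def directory_search_hardened(conn, name):
    # The value is bound as a parameter; the database driver never treats it as SQL.
    sql = "SELECT name, designation, mobile FROM employees WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Payloads a tester would try against the search field.
TAUTOLOGY = "x' OR 1=1 --"
# Same column count (3) as the original SELECT, so the UNION is accepted and the
# password column is returned in place of the designation.
UNION_DUMP = "x' UNION SELECT name, intranet_password, mobile FROM employees --"


if __name__ == "__main__":
    db = make_db()
    print("normal search:", directory_search_vulnerable(db, "A. Sharma"))
    print("tautology, vulnerable:", directory_search_vulnerable(db, TAUTOLOGY))
    print("union dump, vulnerable:", directory_search_vulnerable(db, UNION_DUMP))
    print("tautology, hardened:", directory_search_hardened(db, TAUTOLOGY))
    print("union dump, hardened:", directory_search_hardened(db, UNION_DUMP))
```

Parameter binding closes the injection; it does not change the fact that a table holding readable intranet passwords is a second problem on its own, which is why a dump of this kind is so damaging.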
The flaws were reportedly fixed by BSNL after the researcher informed the company. Robert also found that BSNL's now-defunct portals "intranethr.bsnl.co.in" and "intranetuk.bsnl.co.in" had been hit by ransomware, apparently without the telco's knowledge.
Robert, however, credited Sai Krishna Kothapalli, an Indian security researcher, with the discovery, saying Kothapalli had found these vulnerabilities in the telco's network two years earlier but had been ignored. The Indian IT Act of 2000, which currently governs hacking in India, allows companies to sue researchers who point out flaws in their private networks, which is now seen as a disincentive to responsible disclosure.
#India you have a problem. With only a google search query you can find dozens of "Confidential", "Most Immediate/Confidential", "Immediate/Confidential" governmental documents. These documents are coming from multiple governmental websites… pic.twitter.com/k9nweHXrhZ
— Elliot Alderson (@fs0c131y) March 2, 2018
Robert has lately shown a lot of interest in flawed cybersecurity systems used by Indian institutions, including the private networks of the Bengaluru City and Punjab police departments. He also leaked a list of MNREGA beneficiaries from the Telangana government's website, and recently chided UIDAI over how easily the mAadhaar app could be attacked. As a result, Robert's Twitter handle has drawn many questions about the motive behind his focus on Indian services and apps. If you would like to have the security of a particular service or app checked, he appears to accept tips through Twitter DMs.