
‘I’ve seen all your data, without hacking’

Last Updated : 10 March 2020, 11:50 IST


About two months ago, I was using the internet intelligence platform shodan.io to discover new patterns for vulnerable systems when I stumbled upon this landmine.

It was a 720 GB database that required no credentials to access it! It contained around 2,88,00,00,000 SMS texts, organised by month, all publicly accessible.

All entries contained the message text as well as the sender, receiver and other metadata. Yes, I could see OTPs and other sensitive information in plain text—it disturbed me on so many levels.

Driven by curiosity and concern, I decided to dig deeper. It didn’t take me long to realise that all major telecom providers were exposing sensitive data on a large scale via misconfigured File Transfer Protocol (FTP), Elasticsearch and MongoDB servers. It wasn’t humanly possible (or ethical) for me to inspect all the databases, but to give you an idea of the severity, I witnessed publicly accessible documents such as PAN and Aadhaar card details, login and personal details of employees and whatnot!

It doesn’t stop at just publicly exposed sensitive information. Their infrastructure was vulnerable as well. Below is a screenshot of me logged into a network control panel—which could have been compromised and used by malicious actors to gain access to the network. It is worth noting that I didn’t hack into it, it just had the default username-password combination, i.e. admin:admin.

It was just one of the thousands of insecure assets I identified. I can go on and on with my findings, which include vulnerabilities that could have been used to sabotage the entire network of a certain telecom provider in the affected region. I am not the first researcher to discover such flaws. It has been done numerous times, and the attitude of the government and its organisations has become a running joke in the Indian hacking community.

For example, a French hacker who goes by the alias Elliot Alderson has discovered similar flaws in Indian cyberspace, but he rarely gets a response from the organisations concerned when contacted about these flaws.

Luckily, India has recently opened an online portal called the National Critical Information Infrastructure Protection Centre (NCIIPC Responsible Vulnerability Disclosure Program) which can be used to report such critical vulnerabilities.

The vulnerabilities were responsibly disclosed to the respective organisations and have been patched. However, they seemed to be “overly professional” when I contacted them.

I found the same vulnerabilities in almost 350 machines. Here are the statistics for each organisation:

BSNL – 147
Private Telecom Company (PTC) 1 – 3
PTC 2 – 22
PTC 3 – 127
PTC 4 (now non-existent) – 19
PTC 5 (formerly a government ISP) – 110

I emailed them with the IP addresses of those machines and the procedure to exploit them. The next day, I got a ridiculous email from some of them saying that I needed to write the procedure separately for each of the IP addresses. I was not sure if they were even being serious, because the exploitation procedure was obviously the same for all the systems.

Fortunately, I got a call from higher authorities after my tweet about this situation went viral, and they handled it pretty well by contacting the parties concerned. The reported vulnerabilities had been patched by the time of writing this article.

What does it mean?

I barely hacked into anything in this whole process and still managed to discover devastating flaws. So, you can imagine the amount of damage an attacker can cause by going beyond the ethical limits.

Who should be held responsible in case of a data breach? An organisation cannot simply get away with a public apology as leaking of such data is a breach of privacy.

Every organisation must pay attention to the security of their digital assets, especially when they hold such critical information. A good start would be to create dedicated security teams and have them conduct regular assessments of various components. Launching responsible disclosure programs and rewarding people who report such vulnerabilities is also a viable option.
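The exposure pattern described above (a MongoDB or Elasticsearch service reachable from the network with no credentials required) can be caught in a routine self-assessment by reading the service's own configuration file, before anyone finds it on Shodan. The following is an added example, not code from the article or its author; the configuration snippets are constructed, and it assumes an unset authentication setting means "disabled", which was the default in the MongoDB and Elasticsearch releases of that time.

```python
"""Offline audit of mongod.conf / elasticsearch.yml for the
'network-reachable listener without authentication' misconfiguration.
Added example; all config text is constructed, no real host involved."""

LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}

def flatten_yaml(text):
    """Tiny reader for the 'key: value' YAML subset these files use;
    indentation-based nesting becomes dotted keys (net.bindIp)."""
    out, stack = {}, []                       # stack holds (indent, key)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return out

def reachable(bind):
    """True unless every listed address is a loopback address."""
    return any(h.strip() not in LOOPBACK for h in bind.split(","))

def audit(filename, text):
    """Return (key, value, issue) findings. Assumption: an unset auth
    setting is treated as disabled (the historical default)."""
    cfg, findings = flatten_yaml(text), []
    if filename.endswith("mongod.conf"):
        exposed = (cfg.get("net.bindIpAll") == "true"
                   or reachable(cfg.get("net.bindIp", "127.0.0.1")))
        auth = cfg.get("security.authorization", "disabled")
        if exposed and auth != "enabled":
            findings.append(("security.authorization", auth,
                             "network-reachable mongod without authorization"))
    elif filename.endswith("elasticsearch.yml"):
        sec = cfg.get("xpack.security.enabled", "false")
        if reachable(cfg.get("network.host", "_local_")) and sec != "true":
            findings.append(("xpack.security.enabled", sec,
                             "network-reachable Elasticsearch API without security"))
    return findings

# Constructed samples: the weak setting beside its corrected form.
WEAK_MONGO = "net:\n  port: 27017\n  bindIp: 0.0.0.0\nstorage:\n  dbPath: /var/lib/mongo\n"
FIXED_MONGO = "net:\n  bindIp: 127.0.0.1,10.0.0.5\nsecurity:\n  authorization: enabled\n"
WEAK_ES = "cluster.name: archive\nnetwork.host: 0.0.0.0  # every interface\nhttp.port: 9200\n"
FIXED_ES = "cluster.name: archive\nnetwork.host: 10.0.0.5\nxpack.security.enabled: true\n"
```

Running `audit("mongod.conf", WEAK_MONGO)` reports the open listener, while the corrected snippets produce no findings; the same check can be scheduled over every host an organisation owns.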

I wish the hacks I discussed above were complicated and fascinating, but they are not. It took me just a few minutes to get in—that’s what makes it so disturbing.

It is time for Indian telecom consumers to become aware of their vulnerabilities, know their rights, question the handling of their data by the companies and sue them when it is mishandled. One can only hope that the soon-to-be-tabled Personal Data Protection Bill puts in place tight safeguards and protocols to help telecom subscribers.

(The writer is a security researcher from Charkhi, Haryana)

Published 10 March 2020, 06:18 IST
