Reverse Engineering BSNL’s adware.

Since people started taking their privacy seriously, I am writing this as an awareness blog in the hope that it reaches the right people with the authority to take action against. I have also tried to cater it to people with no technical background.

By the way, your messages in WhatsApp are still end-to-end encrypted. So nobody (not even facebook) except for the recipient can read it.

A snap from Mr. Robot. A little too dramatic I would say!

What is an Internet Service Provider (ISP)?

ISP is a company that provides you internet connection. On mobile, if you have taken a Jio connection, then Jio is your ISP. On wired connection, if you have take BSNL connection, then they are the ISP. Since ISP is responsible for Internet connection, they know everything about the sites you visit, the links you click, practically everything you do inside a browser. If the site uses HTTPS, only the name of the site is visible to them. However, if the site doesn’t use HTTPS, ISPs have full visibility of the URL, any sensitive information like authentication cookies, the content of the URL etc. Not just visibility, they can modify the content of the page, add their own code, or even steal any secret data. But we trust them not to do so.

Each time you visit a website that is not on https, BSNL is adding malware/adware to it. As soon as you click or copying content, you will be redirected to an ad. In laymen’s terms, “virus/adware” does the similar job. But BSNL is not a virus, it is a state-owned ISP. They are misusing their power as ISP to earn extra cash and expose their customers to all kinds of possible threats online.

If you are on BSNL network, go to a random HTTP website (google *.in or *.gov). Clicking anywhere will open a ad.

A popup ad injected by BSNL

Here is an analogy for non-technical readers to relate more to the problem.

Imagine you want to go out grocery shopping with few constraints:
1. You can only use public transport, let’s say a bus. The bus service is provided by multiple companies that pick you up from home to shop and back home.
2. You can only go to one shop and then come back.

That’s it. Each time you want to buy something. You take a bus to shop, get the grocery and come back home on the same bus. Now here is the creepy part — while coming back home, the bus conductor secretly opens your bag and puts 10 ad pamphlets with each item or put a spy cam inside it or read the credit card number which you have mistakenly left inside the bag after checkout.

Once you reach home and open the bag. You have a look at each pamphlet and throw it away or become vulnerable to threats or fraud the moment you bring items to the home. The worst part is when you try to think who might have done that to your bag — the shopkeeper itself, the guard at the shop or the buggy payment machine? No, none of the above, it’s the bus conductor owned by BSNL bus service whom you never doubted because looking into the grocery bag was never his job and you trusted them.

In short, it’s pretty serious and borderline criminal.

During this lockdown, I happen to move back to my hometown. Being an engineer, looking out for single-point-of-failure has become my second nature. So I have taken 3 different internet connections, BSNL being one of them. Whenever I see a pop-up on clicking a link, I thought it to be part of the site, added by the owner of the site (remember it’s hard to doubt the conductor of the bus). Until I observed it on one of my own domains spawned for a side project. It was using HTTP for the time being. My initial guess was the server was hacked or some browser extension was doing it but after ruling them out, I started looking at network calls. Below is the screenshot of developer console on chrome while using BSNL. They start by appending code in one of locally hosted js files and then call for an ad.

Look at the fingerprint and other params on jquery-3.5.1.min.js. All of them were appended by BSNL.

They don’t open pop-up on every click so they must be storing state somewhere. Voila!! look at the local storage. These strange-looking keys are the userid and state stored by BSNL to track you across the internet.

Delete these keys and there are good chances that you will see pop-up on that http site again.

None of this happens when I switch to other service providers.

On googling for bsnl adware, there are multiple complaints against the same. I can also see the mode of hijacking evolving over time. It’s more subtle and hidden now. Thankfully HTTPS is safe and adware is only limited to sites using HTTP . My intention in writing this blog is to
1. Spread awareness to the common mass about what is at stake.
2. Send it to the right hands who has the authority to take actions as well as haven’t sold their soul yet.

If you know someone like that please forward it to them.

If you want to contribute and add your finding to this blog, please comment them, and I will add it to the main article.

If you are a talented designer who can put some quick designs to the bus conductor analogy or complement the writing in any way, please comment below (we are talking about TikTok generation with an attention span of 5 sec).

Source link