BSNL is India’s largest telecom provider, a game changer in the Indian telecom industry and probably the only organization that goes out of its way to drive competition in this sector. BSNL's success in India can be attributed to a number of factors, the primary one being its ties with the Government. The Government of India owns BSNL, and BSNL is also a strategic partner of the Government. This makes BSNL a powerful organization in the telecom industry and, as the good old saying goes, “with great power comes great responsibility”.
BSNL has been hacked numerous times in the past. Last year in August, Pakistani hackers pwned BSNL India’s Punjab website and managed to get hold of user data. There was a déjà vu in July (last month) when the Pakistani Cyber Army hacked a BSNL website (again!). Now, we are seeing another security hole in a BSNL website, which can compromise numerous employee accounts inside the organization.
The Dotsoft application that BSNL uses for its internal operations is flawed when it comes to security. As you can see, the application is publicly accessible and allows anyone to modify any internal user account at BSNL. The Dotsoft project page (probably) at BSNL describes it as follows:
Dotsoft is in-house developed software, integrating the Commercial Activities, Telecom Billing & Accounting, FRS and Directory Enquiry. It has been implemented in 171 SSAs (Districts) across the country.
All the SSAs of Andhra Pradesh, Tamil Nadu, Karnataka, Assam, Punjab, Chhattisgarh and Gujarat Telecom Circles have implemented it. The rest of the SSAs are from the states of Maharashtra, Madhya Pradesh, Uttar Pradesh, Rajasthan, J&K and Haryana. Many Telecom Circles like Bihar Telecom Circle, Orissa Telecom Circle and Uttaranchal Telecom Circle are in various stages of finalizing the plans for implementation of Dotsoft in their SSAs.
Clearly, this application holds extreme value inside the organization, as it forms a critical part of their business. A severe security vulnerability like this should be fixed immediately. Any plans to extend this application across more states without fixing this vulnerability might put BSNL in jeopardy.