Tuesday, June 09, 2015

Are Airtel and Vodafone India 3G dongles injecting Javascript and iFRAMEs into your web browsing ?


Is Airtel hacking you ?
In what is essentially a Man-in-the-Middle type of "hacking" attack, 3G dongle users of Airtel and Vodafone in India (Update: users in other countries have reported similar issues too) are being served modified webpages with a hidden piece of JavaScript injected into them.
Airtel was previously in the news in India for trying to bypass net neutrality but backtracked after public opinion turned against it. This, however, did not prevent them from increasing the cost of mobile internet packs in India.

A few days back, Thejesh GN, or Thej as he likes to be called, discovered a suspicious piece of JavaScript while browsing his own website, Thej.in. Since it was his own site, he was sure he had not put it there. What was happening was that as the website was being delivered to his computer over his Airtel 3G dongle, an extra line was being added to it (one of the methods by which China hacked the Google accounts of its citizens).
This line loaded an external JavaScript file from an IP address:
http://223.224.131.144/scripts/Anchor.js

Update: Vodafone uses a similar one, http://1.2.3.4/bmi-int-js/bmi.js

The JavaScript file is unreachable right now. Maybe they allow only Airtel (or Vodafone) 3G IPs to access it, or maybe they removed the file.
Anyway, Thejesh raised his suspicions, posted this very publicly available code to GitHub and tried to see what it does. And then a company called Flash Networks suddenly asked GitHub to take down the code under the DMCA "copyright" law.



Re: DMCA Take Down Notice June 5 2015
My name is [PRIVATE] and I am a director and CEO of Flash Networks Ltd. ("FN"). I am sending this letter to advise you that information published on GitHub's website is infringing upon copyright owned by FN:
  1. FN is the sole owner and proprietor of software product commercially known as Layer8 which FN developed and markets ("Layer8").
  2. Layer8 is a "closed source" proprietary software. The use thereof is subject to receipt of a license from FN against payment of fees and or royalties and otherwise is subject to commercial and legal terms acceptable to FN.
  3. FN has discovered to its astonishment that sections of the Layer8 source code appear on your website at the following address:
  4. The user that uploaded the infringing material is Thejesh GN (https://github.com/thejeshgn).
  5. The publication of the Layer8 source code at the above URL as aforesaid is a severe violation of FN's copyright and other intellectual property rights and is a gross misappropriation of one of FN's most valuable assets.
  6. For clarification, the entire web page detailed above is infringing on FN's proprietary software. For examples only, the following pages, included in the web page are infringing to FN:
  7. This letter is official notification under the Digital Millennium Copyright Act (”DMCA”), and I seek the removal of the aforementioned infringing material from your servers. I request that you immediately notify the infringer of this notice and inform them of their duty to remove the infringing material immediately, and notify them to cease any further posting of infringing material to your server in the future.
  8. Please also be advised that law requires you, as a service provider, to remove or disable access to the infringing materials upon receiving this notice. Under US law a service provider, such as yourself, enjoys immunity from a copyright lawsuit provided that you act with deliberate speed to investigate and rectify ongoing copyright infringement. If service providers do not investigate and remove or disable the infringing material this immunity is lost. Therefore, in order for you to remain immune from a copyright infringement action you will need to investigate and ultimately remove or otherwise disable the infringing material from your servers with all due speed should the direct infringer, your client, not comply immediately.
  9. Also the continued publication shall in all certainty cause FN irreparable harm and severe damages and shall materially jeopardize its business operations.
  10. I have a good faith belief that use of the copyrighted materials described above on the infringing web pages is not authorized by the copyright owner, or its agent, or the law.
  11. I swear, under penalty of perjury, that the information in this notification is accurate and that I am the copyright owner, or am authorized to act on behalf of the owner, of an exclusive right that is allegedly infringed.
  12. I have read and understand GitHub's Guide to Filing a DMCA Notice.
Should you wish to discuss this with me please contact me directly.
Thank you.
[PRIVATE]


More sources and resources regarding this Airtel and Vodafone JS injection:

Flash Networks admits to creating the code (see their legal document above).

If you are using an Airtel 3G or Vodafone 3G dongle on a computer or a rooted Android device, you could block these addresses for the time being:
Airtel's is http://223.224.131.144/scripts/Anchor.js
Vodafone's is http://1.2.3.4/bmi-int-js/bmi.js

Add these to your hosts-file blocker, AdBlocker or NoScript.
This must be how some websites suddenly divert you to an app installation when you are browsing from a mobile or tablet through a 3G WiFi dongle.

Who is Thej?

“Thej” is an independent technologist, developer, blogger, data enthusiast and traveler from Bangalore, India. He graduated as an Electronics and Communication engineer from VTU in 2002. His career started with Siemens Information Systems Ltd as an intern. In 2003 he joined Infosys Technologies Ltd as a Software Engineer. Since then, he has taken on many roles such as Developer, Programmer Analyst, Technical Specialist and Technical Architect.
He is the co-founder and chairman of DataMeet Trust. DataMeet is a community of Data Science and Open Data enthusiasts in India. DataMeet organizes meetups around the country and runs OpenDataCamps (ODC).
He loves hacking on Open Source software, talking at events and hosting workshops. Presently, along with technology consulting, he runs OpenBangalore, AskYourGovt and other personal projects.
He was awarded Infosys Community Empathy Fellowship (2010) to work for a year at Janaagraha.
Easiest way to reach him is by emailing [ i @ thejeshgn dot com] or use this form.

How do I check if I am getting injected webpages from my Airtel or Vodafone 3G dongle?

  • Open any webpage that does not use SSL (https) over your internet connection
  • Press Ctrl-U on Chrome or Firefox (View Source or the equivalent from the options in any other browser)
  • In the source code, press Ctrl-F to open search
  • Search for 223.224.131.144/scripts/Anchor.js if you are on an Airtel connection
  • Search for 1.2.3.4/bmi-int-js/bmi.js if you are on a Vodafone connection
  • If either is present, your connection is being tampered with
  • Complain to Airtel or Vodafone
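As an added example (not from the original post or from Thej's repository), here is a Python scanner that applies the manual check above to saved page source: it flags the two script addresses quoted on this page, flags the FN_Layer8 iframe when you scan the rendered DOM rather than the raw source, and, for injections using addresses not listed here, diffs the copy fetched over the dongle against a copy fetched over a trusted connection. The sample HTML is constructed.

```python
import difflib
from html.parser import HTMLParser

# Markers quoted in the post. The FN_Layer8 iframe is created by the script at
# run time, so it only appears if you scan the saved (rendered) DOM, not raw source.
INJECTED_SRC_MARKERS = ("223.224.131.144/scripts/Anchor.js", "1.2.3.4/bmi-int-js/bmi.js")
INJECTED_IFRAME_NAMES = ("FN_Layer8",)


class InjectionScanner(HTMLParser):
    """Collect <script src> and <iframe> tags that match the known markers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script" and any(m in src for m in INJECTED_SRC_MARKERS):
            self.findings.append(("script", src))
        elif tag == "iframe" and (a.get("id") or a.get("name")) in INJECTED_IFRAME_NAMES:
            self.findings.append(("iframe", a.get("id") or a.get("name")))


def scan_html(html):
    """Return (kind, value) for every tag in html that matches a known marker."""
    scanner = InjectionScanner()
    scanner.feed(html)
    return scanner.findings


def added_tags(reference_html, suspect_html):
    """Lines that add a <script>/<iframe> in suspect_html but are absent from
    reference_html (a copy fetched over a trusted path); catches unknown markers."""
    diff = difflib.unified_diff(reference_html.splitlines(),
                                suspect_html.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")
            and ("<script" in line.lower() or "<iframe" in line.lower())]


# Constructed samples: a trusted fetch, the same page as served over the dongle,
# and the rendered DOM after the injected script has added its iframe.
CLEAN_HTML = "<html>\n<head>\n<title>Thej</title>\n</head>\n<body><p>hello</p></body>\n</html>\n"
INJECTED_LINE = '<script src="http://223.224.131.144/scripts/Anchor.js"></script>'
TAMPERED_HTML = CLEAN_HTML.replace("</head>", INJECTED_LINE + "\n</head>")
SAVED_DOM_HTML = TAMPERED_HTML.replace("<body>", '<body><iframe id="FN_Layer8"></iframe>')
```

Feed it the source saved with Ctrl-U (or the DOM saved with "Save page as") in place of the constructed strings; a non-empty result from either function is the tampering signal.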

The JavaScript code creates an IFRAME, called FN_Layer8, inside the webpage you are visiting.
In short:

  • Happens on all http websites but not https ones (like banking and other secure websites with a lock symbol)
  • As of now injects an empty iframe, which seems to be a toolbar in the making
  • It slows down site loading
  • It messes up the structure of the site
  • Has access to the client's browser and content
  • Can add more code to monitor your web activity on all these pages
  • Works even in Incognito mode / Private browsing
Update:
Airtel responds:
“Our customers have frequently asked us for ways of easily keeping a track of their data consumption – specifically dongle and broadband users, who unlike mobile users, cannot receive real-time alerts on their usage,” read the company’s statement.


More about Flash Networks (who made the script):
 http://www.flashnetworks.com/Layer8

"The Layer8 platform uses the Harmony Mobile Internet Gateway infrastructure to inject a small java script code into traffic flowing through the platform, thus enabling operators to offer the morefor.me services to their subscribers. Harmony is installed in the mobile operator’s core network and is compatible with 3G and 4G next-generation networks and smart devices."
