Cracking Bangalore Buses' Web Security - Part 1

Jun 27, 2011

A couple of months back mini-tablets were installed in select Volvo buses in Bangalore. These tablets run Android and connect to a local wifi network set up in the bus. The wifi is WPA2-protected, and when one taps the link to the browser app, a screen appears where one is asked to enter their first name, last name and cell number. Presumably a verification key is sent to the user’s cell, which can then be used to access the internet. The reason for this is to make sure that nobody can access the net without being logged first, thereby preventing people from doing... “bad stuff” anonymously. A worthy goal, to be sure.

However, there are two holes that allow one to both access the internet without any restrictions as well as create a new Gmail account and send mails, untraceably. I have no idea whether these two gaping security holes are Android’s fault or that of the company that set up these tablets (EAFT), but they make the devices completely open to abuse.

Now, I could simply go ahead and post the method here but as a white hat, I’ve sent a mail to the company apprising them of the hack. If they don’t get back to me within two weeks with an assurance that the hole will be patched at the earliest, I’ll make the information public in a subsequent blog post.

Just in case the company decides to sue me for blackmail or some shit like that, here’s a screenshot of the email I sent them: