Friday, November 23, 2012

Tata Photon Plus security risk with Ubuntu

When I tried to update my Ubuntu computer using `sudo apt-get update;sudo apt-get dist-upgrade`, I was not prompted for the password of the user with administrative privileges. Something smelled fishy, and I had to recollect what changes had been made to the OS for the password prompt to go away.

Quickly I recalled that I recently bought a Tata Photon Plus for Mobile Broadband Internet, since I would be traveling a bit. As an Ubuntu bigot, my first task is to test it under Ubuntu 12.04 to make sure it works.

When I plugged the Tata Photon Plus into a USB port on an Ubuntu 12.04 machine, it was not detected for some reason. So, I had to copy the Linux installation files from the data card on a Windows machine to a USB and then copy them to an Ubuntu 12.04 machine.

According to the instructions in the Tata Photon Plus manual, I had to run the install file under the Linux folder to install the driver and software required for the Tata Photon Plus to work. The install script required administrative privileges (sudo) to run.

So, I looked into the install file as the initial suspect and, to my surprise, found the following

```
# Shashank: Defect fix AJ2D13470: Begin
echo -e "ALL ALL=(ALL) NOPASSWD:ALL" >> /tmp/${TEMPFILE}
```

and

```
# Shashank [s72814] added to generate .bin file and to give access permissions in user mode: End
# Shashank: Defect fix AJ2D13470: End
cp -f /tmp/${TEMPFILE} /etc/sudoers
```

What our friend Shashank (possibly from Huawei, who have worked with Tata to provide the necessary hardware and software for the data card) has done is to leave the Ubuntu 12.04 system wide open for any changes without any password: the line copied into `/etc/sudoers` lets every user run every command through sudo without being asked for a password. The first thing I did was to run `sudo visudo` and then comment out the line below.

```
ALL ALL=(ALL) NOPASSWD:ALL
```

Finally happy and back to the original secure state. For those who are interested in the install file, here it is. Hope that the software developers are a bit careful and that the companies they work for do a bit of audit before releasing it to the public. Not all users of software are experts in tracing out and fixing the problems in software.
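
A read-only check for the same pattern, as an added example that is not part of the original post or of the vendor's installer. The function names and the sample files are constructed for illustration; the two installer lines are the ones quoted above.

```shell
#!/bin/sh
# Added example: audit a sudoers file and an installer script before/after use.

# Print active sudoers rules that let every user ("ALL") run every command
# without a password. Commented-out rules are ignored. Exit 0 if any is found.
blanket_nopasswd_rules() {
    grep -nE '^[[:space:]]*ALL[[:space:]]+ALL[[:space:]]*=[[:space:]]*(\([^)]*\))?[[:space:]]*NOPASSWD[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

# Print non-comment lines of an installer script that touch /etc/sudoers or
# mention NOPASSWD, so they can be read before the script is run with sudo.
sudoers_touching_lines() {
    grep -nE '^[^#]*(/etc/sudoers|NOPASSWD)' "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample: the installer lines quoted in the post.
    cat > "$dir/install" <<'EOF'
#!/bin/bash
# Shashank: Defect fix AJ2D13470: Begin
echo -e "ALL ALL=(ALL) NOPASSWD:ALL" >> /tmp/${TEMPFILE}
# Shashank: Defect fix AJ2D13470: End
cp -f /tmp/${TEMPFILE} /etc/sudoers
EOF
    # Constructed sample: a sudoers file after the installer has run.
    cat > "$dir/sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
ALL ALL=(ALL) NOPASSWD:ALL
EOF
    echo "installer lines to review:"; sudoers_touching_lines "$dir/install"
    echo "blanket rules in sudoers:";  blanket_nopasswd_rules "$dir/sudoers"
    # After commenting the rule out (as done with visudo), nothing is reported.
    sed 's/^ALL ALL=/# &/' "$dir/sudoers" > "$dir/sudoers.fixed"
    blanket_nopasswd_rules "$dir/sudoers.fixed" || echo "fixed copy: clean"
    rm -rf "$dir"
}
demo
```

On a real machine the first function would be pointed at `/etc/sudoers` (read as root) and the second at the install file before running it.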

I initially thought of reporting this to Tata, but could not find a proper contact on their website to whom I could report it. So, I decided to post this publicly so that it gets the due attention.

Thought of the day is to use new software with a bit of salt.
