ISP Kicks Out User Who Exposed Vulnerability; Doesn't Fix Vulnerability

from the blame-the-messenger dept

Fri, Apr 20th 2007 6:33am — Mike Masnick

Over the past few years, there have been plenty of examples of companies with security vulnerabilities blaming the messenger when the vulnerabilities are pointed out, often threatening them with time in jail. The end result, of course, is that many security researchers are afraid to report vulnerabilities, as they may be blamed for them. Of course, that doesn't mean that others haven't found the same vulnerabilities and started using them for malicious purposes. The latest such case is pointed out by Broadband Reports and involves an ISP in the UK called BeThere. Apparently, a college student discovered and published a pretty major vulnerability found in the routers the company uses, allowing anyone to access the routers remotely. Rather than thank the customer for finding and highlighting a pretty serious vulnerability, the company has cut off his service and threatened him with lawsuits. Oh yeah, they also haven't bothered to fix the vulnerability -- despite it being published 7 weeks ago. The reasoning from the ISP is astounding. They claim that since they can't find any evidence that anyone ever used the vulnerability, he must have discovered it by "illegal" means. Who knew that simply probing for security vulnerabilities was illegal? And, of course, the ISP told the guy he's not allowed to talk about its legal threat to him -- which isn't actually legally binding. It's not clear if the ISP doesn't understand what it's done or simply doesn't want to fix the vulnerability -- but the fact that it seems to think it's ok to leave the vulnerability there and just cut off the guy who pointed it out should make other customers of BeThere wonder about how the ISP treats their security.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

28 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Alex Austin (profile), 20 Apr 2007 @ 6:53am

Unfortunately, USAPATRIOT has, in fact, provided the framework to make such security probes illegal. It's unfortunate that the company hasn't done any penetration tests, but such a security probe is still illegal, even if he didn't harm anything.
[ link to this | view in chronology ]
- Anonymous Coward, 20 Apr 2007 @ 7:07am
  
  Re:
  huh?
  
  What does the USA Patriot act have anythign to do with a United Kingdom ISP?
  [ link to this | view in chronology ]
Duane, 20 Apr 2007 @ 7:03am

Huh?
Well since it's a UK ISP, one assumes that the US Patriot act would have little impact on the situation.

IF he were in the US, maybe, but even then, does patriot make it illegal to look for security holes in the equipment a vendor provides for your use, on your property? If I have a door lock installed by a local locksmith, is it then illegal for me to attempt to open the door without the use of the key, in order to see if I've got my money's worth? Seems irrational to me, and if thats what the law says, then when called on it, the courts will (eventually) sort it out.
[ link to this | view in chronology ]
Anonymous Coward, 20 Apr 2007 @ 7:18am

"Well since it's a UK ISP, one assumes that the US Patriot act would have little impact on the situation."

I think the first poster's point was that this would be a legitimate course of action for some areas of the world. I live in Canada, and my ISP's ToS states that I'm not allowed to probe any network for security holes. Surely, most (all?) other ISPs, in different parts of the world, have a similar policy. They have full rights to cut off his service, but whether or not they can sue him depends on the local laws, I suppose. It is pretty stupid that they have not fixed the vulnerability, however...
[ link to this | view in chronology ]
sam, 20 Apr 2007 @ 7:18am

umm...

chances are the router is the property of the ISP, not located in your 'home'!!!

the 2nd issue is that in the UK, the legal threat that the ISP is using might very well have teeth. any legal mind from the UK care to comment.

as to how the ISP handles their security. who the hell knows. in all honesty, i've long ago stopped really trusting that companies will keep 'my' data absolutely secure over either the short or long term.
[ link to this | view in chronology ]
- Dosquatch, 20 Apr 2007 @ 12:24pm
  
  Re: by sam
  chances are the router is the property of the ISP, not located in your 'home'!!!
  
  Point one: that "broadband modem" you're using to access your cable or DSL internet connection is not a modem at all, but a consumer-grade router. "MODEM" is a mashup of "MOdulate/DEModulate", and by definition is converting digital data to an analog signal and back again. Digital connections like cable and DSL undergo no such conversions... but by the time these connections were available the IT community had just finally managed to teach everybody that the modem was the magic part that connected you to the rest of the world, and the name "modem" stuck (even though inaccurate) because it was less painful than reteaching everybody. Still, it is actually a router. Now you know. Moving on...
  
  Point two: most broadband providers offer the option to purchase said "modem". I do not know, but certainly imagine the customer in this case took that option - meaning that he was dicking with his own property in his own home.
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Nov 2007 @ 2:30pm
    
    Re: Re: by sam
    Er, one of the components inside any "ADSL router" _is_ a modem. ADSL signals certainly do get modulated/demodulated, on to carrier frequencies outside the normal spectrum used for analogue voice communication (and by pre-ADSL modems). Please don't rant on patronisingly about something you clearly don't know much about.
    [ link to this | view in chronology ]
  - Anonymous Coward, 25 Nov 2007 @ 2:45pm
    
    Re: Re: by sam
    Oh yes, the other (main!) point is that Be _does_ own the "BeBox" modem, and, according to their contract, you have to give it back when they ask (e.g. if you terminate your contract). As far as I know there is no option to purchase it instead.
    
    There's nothing stopping you from using your own ADSL2+ modem or router instead of the one they supply to you, of course.
    [ link to this | view in chronology ]
Nick Burns (profile), 20 Apr 2007 @ 7:19am

I think we should categorize these "tactics" as the
Ravenous Bugblatter Beast of Traal defense.
[ link to this | view in chronology ]
Tony Baker, 20 Apr 2007 @ 7:49am

If he found out...
If he found the exploit by illegal means, why would he then stick his hand up and tell them?!!! Where is the logic?
[ link to this | view in chronology ]
aj, 20 Apr 2007 @ 7:49am

If the guy found the flaw, notified the isp and received no response, or was bashed and still it was not fixed, i would understand why he published it. If he didn't notify the isp and just posted it to include a how to with passwords, he gets what he deserves. I'm willing to bet if he called the isp and advised them of the problem, maybe tossed in a few ideas on how to fix it, not only would he still have his service, he may have it for free...
[ link to this | view in chronology ]
giggler, 20 Apr 2007 @ 7:57am

maybe....
We should all just find the exploit and use it. Cause no harm but tag one of their boxes on the inside. Maybe then they would shore things up.
[ link to this | view in chronology ]
seth, 20 Apr 2007 @ 8:23am

This was black hat
What this guy did was completely inapprorpriate.

Announcing the vulnerability to the router manufacturer, and its *existance* (not EXPLOIT DETAILS) to the public, and the ISP is one thing.

However, publicly detailing the specific exploit for a specific router owner is completely and utterly wrong.

This article is very biased towards the hacker - shouldn't be, as no white hat hacker would qualify how he did this.
[ link to this | view in chronology ]
Anonymous Coward, 20 Apr 2007 @ 8:27am

They should be grateful that he managed to circumvent their network security and then published directions for doing so along with passwords to make it easier?

If he had contacted the ISP and informed them that their "broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors" then the outcome may have been different. But, he decided that it would be better to make public postings about how to gain access past their security systems.

The ISP responded with a statement that no one had ever used the published passwords to gain access to their networks, so they are not sure about how he obtained them. A guess would be that he created the passwords while in an area that he should not have been in. They also threatened legal action if he ever tried to gain access to its networks/routers again, which seems to be a fair threat seeing as they cannot be sure that he would not try to get past their security again.

I agree that the ISP should fix this vulnerability, but why are they being ridiculed for stopping a know hacker from accessing their networks?
[ link to this | view in chronology ]
ehrichweiss, 20 Apr 2007 @ 8:29am

I just must be fortunate..
From the very day I got on the Net in the early 90's I was completely and 100% up front with my ISP's(actually back then they were just my mail/USENet provider, the WWW hadn't really taken off yet) that I scan for vulnerabilities and I report them because *I* don't want someone causing problems for me on a system I use, much less one that I own/administrate. Each one had no problems with me doing so and even told me that they welcomed it as long as I didn't harm the system in doing so. My current ISP is owned by friends that I got involved with when all this began so I'm even more lucky now I think; they've definitely stood by my side when certain whiney individuals didn't like something on one of my web pages, any other ISP would just take the pages down, I was offered a choice for how to deal with it myself.

The only exception is when I was leeching from my father's Earthlink account; I had more problems simply telling their half-retarded "support" staff that their router was killing my connection if I used more than 30 connections at once and they told me that it was a "Windows resource problem"...the problem was that I was using a Silicon Graphics Indigo2, not a Windows machine. I can't imagine telling them they had a real problem.
[ link to this | view in chronology ]
Sanguine Dream, 20 Apr 2007 @ 8:33am

I just hope...
they aren't suing him for copyright infringment. Frankly I don't blame him for testing it out. And if he did try to be right a proper by alerting the ISP and was threatened then I also agree with him for publishing it.

I'm am so sick of companies thinking their shit does not and cannot stink. Security by obscurity does not work and even an entry level IT rookie (like me) knows that.

No offense to the other customers of the ISP but I hope someone will take advantage said vulnerabilities. Problem is they ISP will no doubt sue that guy claiming that the hacker must have found out about the vulnerability from that guy.

And from the post:

They claim that since they can't find any evidence that anyone ever used the vulnerability, he must have discovered it by "illegal" means.

Last I checked people that take advantage of vulnerabilities don't care wheather or not they were found legally or not. And don't hackers operate with the intent of not leaving any evidence behind? For all they know someone could have already gotten in and they are just waiting for this story to die down before striking.
[ link to this | view in chronology ]
Paul, 20 Apr 2007 @ 9:26am

Duh
"Who knew that simply probing for security vulnerabilities was illegal?"

Uhh.. ya... duh?

Analogy time!
Imagine some random person comes up to you:

"So I went up to your house to see if the door was unlocked, and it was. I took a look around inside, you know, just to see. Well I discovered that you have a security issue and all your belongings are at risk"

So not only is he guilty of trespassing but are you going to believe that he went into your house "just to look around" and that he did not take or alter anything? What was he doing checking your front door in the first place?
[ link to this | view in chronology ]
- Sanguine Dream, 20 Apr 2007 @ 12:07pm
  
  Re: Duh
  The thing is he wasn't a random person. Remember he was paying them to use their service. the random person in your analogy has no relationship to your or your apartent.
  
  A better analogy would be if you were renting an apartment and you tested the locks and found out they were ineffecient. You go to your landlord to mention your bad locks and instead of fixing them you get evicted and she/he threatens to sue you if you mention them to anyone.
  [ link to this | view in chronology ]
  - Dosquatch, 20 Apr 2007 @ 12:32pm
    
    Re: Re: Duh
    Damn, beat me to the apartment building analogy. Good on ya :-)
    [ link to this | view in chronology ]
- Dosquatch, 20 Apr 2007 @ 12:30pm
  
  Re: Duh
  
  Analogy time!
  Imagine some random person comes up to you:
  
  Stop. Not your house. We're talking about a service provider. It's more like an apartment building, and the random person in question is also a tenant. It's more like he walked up to the landlord and said, "Are you sure it's a good idea to leave the master key for all of the apartments under the doormat out front?" and was evicted for his trouble.
  [ link to this | view in chronology ]
Anonymous Coward, 20 Apr 2007 @ 9:44am

I think many are confusing the issue here.

BeThere, the ISP I currently use, provide a speedtouch router (called a bebox).

From what I understand this vulnerability is based on the fact that anyone using these passwords can telnet into anyone's bebox and change DNS settings etc.

Get this fact straight, the router resides in the customers home.

BeThere are claiming that the only way this guy could know these "secret" passwords is by hacking. As to what he hacked I'm not sure. The bebox? Their network?

From other articles it sounds liike they are saying he hacked the bebox, which he could actually purchase from BeThere and would therefore own. So if that's the case, what exactly did he do wrong? If he hacked their network I understand Be's position.

The fact is Be recently released a BIOS update that was designed to prevent remote users accessing the router they supply customers. The reason the security flaw has not been fixed is because the BIOS update fucked the router big time and locked people out, caused drop outs in connection or just failed to establish a connection full stop.

Now, that's the real reason they haven't fixed it yet. They don't know how.

More details here: http://www.theregister.com/2007/04/17/hackers_service_terminated/
[ link to this | view in chronology ]
retroblu, 20 Apr 2007 @ 9:54am

hmmm
to paul #14

thats a decent analogy, but heres a better one based of yours

now you are renting a place w/ a few other people a friend comes by and has key to get in the place and just by chance tries the door but its unlocked, wouldnt it be nice for that friend to tell you that someone in the place left the door unlocked and something could've gotten stolen/damaged.
[ link to this | view in chronology ]
Charles Griswold, 20 Apr 2007 @ 11:13am

What to Do About BeThere
I say we gank their routers using that vulnerability. Won't they look silly then.

No, on second thought that would be a bad thing to do. It's really satisfying to contemplate, though. :-)
[ link to this | view in chronology ]
- le501, 21 Apr 2007 @ 4:15am
  
  Re: What to Do About BeThere
  why not just change isp's. bet if the company got a bunch of cancellations they's listen up. much better and easier than moaning and groaning about who gave the colonoscopy to whom.
  [ link to this | view in chronology ]
  - Walker, 21 Apr 2007 @ 4:42pm
    
    Re: Re: What to Do About BeThere
    "why not just change isp's"
    
    because Be* is actually quite good otherwise? few UK ISPs offer such a fast service, and fewer still offer a genuinely unlimited one. their customer service staff actually interact with the customers, most of the time they listen, and they're flexible enough to do things lesser ISPs are reluctant to help out with (like change connection profiles (fastpath/interleaving/SNR/etc.)). incredibly useful to gamers, power users, etc..
    
    some of the information in the article is inaccurate btw and the reality might make your mouths drop open a little more: this vulnerability has been known about for at least a year, and users have been helping each other to seal it via the official forums for about as long. so you can imagine how much controversy there is on this front.
    
    also, Be* routers are provided by Thomson (they're part of the well known Speedtouch range) and it seems they *did* try to integrate a fix into a firmware update a few months ago, but Thomson made a pig's ear of it and Be* had to recall it. two days ago, it appears Be* remotely connected to all routers on their network and patched those that were still vulnerable. we're getting somewhere...and I think many customers are confident they'll learn from their dodgy mistakes. =D
    
    thank goodness I've never even taken my Be* box out of it's cardboard box, that's all I'll say. never saw the point because I already had a superior Netgear DG834N.
    [ link to this | view in chronology ]
Overcast, 20 Apr 2007 @ 11:37am

I'm sure the hackers are happy no one reports them. The ISP does half of their job covering it up.
[ link to this | view in chronology ]
Lucy, 21 Apr 2007 @ 4:36pm

Awesome article *sarcasm*, what it fails to mention is the blogger who found the vulnerability, put passwords and IP's and how to reproduce it, practically putting everyone on the ISP at risk. When the blogged article went up it went from one blog to another, a vulnerability that was known but not the how to...

I dunno where you go on to say people who report a vulnerability are scared to, lol, companies prefer you to send them directly to them, they get annoyed when you put it on the web without giving them a chance to fix them. In this case they where warned, but the fact is you can't post it on the internet when 14,000 people could get hacked it's just common sence, you remove the passwords and the IP's.

The ISP has to contact the modem provider, you ever dealt with Thompson? I guess not, well they aren't exactly the best firmware makers, though the blame is square on the ISP who's responsibility it is to make sure all customers are secure. I also blame the router provider for such a shabby router and not checking it themselves.

Oh and the vulnerability is fixed by the way, via them logging into all routers and closing the hole as said on their company forum.
[ link to this | view in chronology ]
- Walker, 21 Apr 2007 @ 4:46pm
  
  Re:
  "Oh and the vulnerability is fixed by the way, via them logging into all routers and closing the hole as said on their company forum."
  
  Only if those routers were connected at two very specific times during one day. Not everybody leaves them switched on.
  [ link to this | view in chronology ]