ISP Kicks Out User Who Exposed Vulnerability; Doesn't Fix Vulnerability
from the blame-the-messenger dept
Over the past few years, there have been plenty of examples of companies with security vulnerabilities blaming the messenger when the vulnerabilities are pointed out, often threatening them with time in jail. The end result, of course, is that many security researchers are afraid to report vulnerabilities, as they may be blamed for them. Of course, that doesn't mean that others haven't found the same vulnerabilities and started using them for malicious purposes. The latest such case is pointed out by Broadband Reports and involves an ISP in the UK called BeThere. Apparently, a college student discovered and published a pretty major vulnerability found in the routers the company uses, allowing anyone to access the routers remotely. Rather than thank the customer for finding and highlighting a pretty serious vulnerability, the company has cut off his service and threatened him with lawsuits. Oh yeah, they also haven't bothered to fix the vulnerability -- despite it being published 7 weeks ago. The reasoning from the ISP is astounding. They claim that since they can't find any evidence that anyone ever used the vulnerability, he must have discovered it by "illegal" means. Who knew that simply probing for security vulnerabilities was illegal? And, of course, the ISP told the guy he's not allowed to talk about its legal threat to him -- which isn't actually legally binding. It's not clear if the ISP doesn't understand what it's done or simply doesn't want to fix the vulnerability -- but the fact that it seems to think it's ok to leave the vulnerability there and just cut off the guy who pointed it out should make other customers of BeThere wonder about how the ISP treats their security.
Reader Comments
Re:
What does the USA Patriot act have anything to do with a United Kingdom ISP?
[ link to this | view in chronology ]
Huh?
If he were in the US, maybe, but even then, does Patriot make it illegal to look for security holes in the equipment a vendor provides for your use, on your property? If I have a door lock installed by a local locksmith, is it then illegal for me to attempt to open the door without the use of the key, in order to see if I've got my money's worth? Seems irrational to me, and if that's what the law says, then when called on it, the courts will (eventually) sort it out.
[ link to this | view in chronology ]
I think the first poster's point was that this would be a legitimate course of action for some areas of the world. I live in Canada, and my ISP's ToS states that I'm not allowed to probe any network for security holes. Surely, most (all?) other ISPs, in different parts of the world, have a similar policy. They have full rights to cut off his service, but whether or not they can sue him depends on the local laws, I suppose. It is pretty stupid that they have not fixed the vulnerability, however...
[ link to this | view in chronology ]
chances are the router is the property of the ISP, not located in your 'home'!!!
the 2nd issue is that in the UK, the legal threat that the ISP is using might very well have teeth. any legal mind from the UK care to comment.
as to how the ISP handles their security. who the hell knows. in all honesty, i've long ago stopped really trusting that companies will keep 'my' data absolutely secure over either the short or long term.
[ link to this | view in chronology ]
Re: by sam
chances are the router is the property of the ISP, not located in your 'home'!!!
Point one: that "broadband modem" you're using to access your cable or DSL internet connection is not a modem at all, but a consumer-grade router. "MODEM" is a mashup of "MOdulate/DEModulate", and by definition is converting digital data to an analog signal and back again. Digital connections like cable and DSL undergo no such conversions... but by the time these connections were available the IT community had just finally managed to teach everybody that the modem was the magic part that connected you to the rest of the world, and the name "modem" stuck (even though inaccurate) because it was less painful than reteaching everybody. Still, it is actually a router. Now you know. Moving on...
Point two: most broadband providers offer the option to purchase said "modem". I do not know, but certainly imagine the customer in this case took that option - meaning that he was dicking with his own property in his own home.
[ link to this | view in chronology ]
Re: Re: by sam
[ link to this | view in chronology ]
Re: Re: by sam
There's nothing stopping you from using your own ADSL2+ modem or router instead of the one they supply to you, of course.
[ link to this | view in chronology ]
Ravenous Bugblatter Beast of Traal defense.
[ link to this | view in chronology ]
If he found out...
[ link to this | view in chronology ]
maybe....
[ link to this | view in chronology ]
This was black hat
Announcing the vulnerability to the router manufacturer, and its *existence* (not EXPLOIT DETAILS) to the public, and the ISP is one thing.
However, publicly detailing the specific exploit for a specific router owner is completely and utterly wrong.
This article is very biased towards the hacker - shouldn't be, as no white hat hacker would qualify how he did this.
[ link to this | view in chronology ]
If he had contacted the ISP and informed them that their "broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors" then the outcome may have been different. But, he decided that it would be better to make public postings about how to gain access past their security systems.
The ISP responded with a statement that no one had ever used the published passwords to gain access to their networks, so they are not sure about how he obtained them. A guess would be that he created the passwords while in an area that he should not have been in. They also threatened legal action if he ever tried to gain access to its networks/routers again, which seems to be a fair threat seeing as they cannot be sure that he would not try to get past their security again.
I agree that the ISP should fix this vulnerability, but why are they being ridiculed for stopping a known hacker from accessing their networks?
[ link to this | view in chronology ]
I just must be fortunate..
The only exception is when I was leeching from my father's Earthlink account; I had more problems simply telling their half-retarded "support" staff that their router was killing my connection if I used more than 30 connections at once and they told me that it was a "Windows resource problem"...the problem was that I was using a Silicon Graphics Indigo2, not a Windows machine. I can't imagine telling them they had a real problem.
[ link to this | view in chronology ]
I just hope...
I am so sick of companies thinking their shit does not and cannot stink. Security by obscurity does not work and even an entry level IT rookie (like me) knows that.
No offense to the other customers of the ISP but I hope someone will take advantage of said vulnerabilities. Problem is the ISP will no doubt sue that guy claiming that the hacker must have found out about the vulnerability from that guy.
And from the post:
They claim that since they can't find any evidence that anyone ever used the vulnerability, he must have discovered it by "illegal" means.
Last I checked people that take advantage of vulnerabilities don't care whether or not they were found legally or not. And don't hackers operate with the intent of not leaving any evidence behind? For all they know someone could have already gotten in and they are just waiting for this story to die down before striking.
[ link to this | view in chronology ]
Duh
Uhh.. ya... duh?
Analogy time!
Imagine some random person comes up to you:
"So I went up to your house to see if the door was unlocked, and it was. I took a look around inside, you know, just to see. Well I discovered that you have a security issue and all your belongings are at risk"
So not only is he guilty of trespassing but are you going to believe that he went into your house "just to look around" and that he did not take or alter anything? What was he doing checking your front door in the first place?
[ link to this | view in chronology ]
Re: Duh
A better analogy would be if you were renting an apartment and you tested the locks and found out they were inefficient. You go to your landlord to mention your bad locks and instead of fixing them you get evicted and she/he threatens to sue you if you mention them to anyone.
[ link to this | view in chronology ]
Re: Re: Duh
[ link to this | view in chronology ]
Re: Duh
Analogy time!
Imagine some random person comes up to you:
Stop. Not your house. We're talking about a service provider. It's more like an apartment building, and the random person in question is also a tenant. It's more like he walked up to the landlord and said, "Are you sure it's a good idea to leave the master key for all of the apartments under the doormat out front?" and was evicted for his trouble.
[ link to this | view in chronology ]
BeThere, the ISP I currently use, provide a speedtouch router (called a bebox).
From what I understand this vulnerability is based on the fact that anyone using these passwords can telnet into anyone's bebox and change DNS settings etc.
Get this fact straight, the router resides in the customer's home.
BeThere are claiming that the only way this guy could know these "secret" passwords is by hacking. As to what he hacked I'm not sure. The bebox? Their network?
From other articles it sounds like they are saying he hacked the bebox, which he could actually purchase from BeThere and would therefore own. So if that's the case, what exactly did he do wrong? If he hacked their network I understand Be's position.
The fact is Be recently released a BIOS update that was designed to prevent remote users accessing the router they supply customers. The reason the security flaw has not been fixed is because the BIOS update fucked the router big time and locked people out, caused drop outs in connection or just failed to establish a connection full stop.
Now, that's the real reason they haven't fixed it yet. They don't know how.
More details here: http://www.theregister.com/2007/04/17/hackers_service_terminated/
[ link to this | view in chronology ]
hmmm
that's a decent analogy, but here's a better one based off yours
now you are renting a place w/ a few other people. a friend comes by and has a key to get in the place and just by chance tries the door but it's unlocked. wouldn't it be nice for that friend to tell you that someone in the place left the door unlocked and something could've gotten stolen/damaged?
[ link to this | view in chronology ]
What to Do About BeThere
No, on second thought that would be a bad thing to do. It's really satisfying to contemplate, though. :-)
[ link to this | view in chronology ]
Re: What to Do About BeThere
[ link to this | view in chronology ]
Re: Re: What to Do About BeThere
because Be* is actually quite good otherwise? few UK ISPs offer such a fast service, and fewer still offer a genuinely unlimited one. their customer service staff actually interact with the customers, most of the time they listen, and they're flexible enough to do things lesser ISPs are reluctant to help out with (like change connection profiles (fastpath/interleaving/SNR/etc.)). incredibly useful to gamers, power users, etc..
some of the information in the article is inaccurate btw and the reality might make your mouths drop open a little more: this vulnerability has been known about for at least a year, and users have been helping each other to seal it via the official forums for about as long. so you can imagine how much controversy there is on this front.
also, Be* routers are provided by Thomson (they're part of the well known Speedtouch range) and it seems they *did* try to integrate a fix into a firmware update a few months ago, but Thomson made a pig's ear of it and Be* had to recall it. two days ago, it appears Be* remotely connected to all routers on their network and patched those that were still vulnerable. we're getting somewhere...and I think many customers are confident they'll learn from their dodgy mistakes. =D
thank goodness I've never even taken my Be* box out of its cardboard box, that's all I'll say. never saw the point because I already had a superior Netgear DG834N.
[ link to this | view in chronology ]
I dunno where you go on to say people who report a vulnerability are scared to, lol, companies prefer you to send them directly to them, they get annoyed when you put it on the web without giving them a chance to fix them. In this case they were warned, but the fact is you can't post it on the internet when 14,000 people could get hacked it's just common sense, you remove the passwords and the IPs.
The ISP has to contact the modem provider, you ever dealt with Thomson? I guess not, well they aren't exactly the best firmware makers, though the blame is square on the ISP whose responsibility it is to make sure all customers are secure. I also blame the router provider for such a shabby router and not checking it themselves.
Oh and the vulnerability is fixed by the way, via them logging into all routers and closing the hole as said on their company forum.
[ link to this | view in chronology ]
Re:
Only if those routers were connected at two very specific times during one day. Not everybody leaves them switched on.
[ link to this | view in chronology ]