dslreports logo
site
spacer

spacer
 
   
spc
story category
ISP User Loses Service For Exposing Router Backdoor
Violated TOS, company still hasn't patched systems...
by Karl Bode 09:56AM Wednesday Apr 18 2007
UK ISP BeThere has terminated the broadband service of one of their customers for exposing several back doors in the router being used by the ISP. As the Register notes, the user posted the specific password needed to carry out the hack, which lets an attacker telnet into a router and sniff VPN credentials, modify DNS settings and "carry out other nefarious acts." He went back and removed the harmful information after 48 hours, but obviously the move was considered bad form by security researchers.

The company says the 21-year-old college student violated numerous provisions in the ISP's acceptable use policy. From said policy:
"You are responsible for ensuring that any member ID and/or password selected by you remain confidential so that the network cannot be used by any unauthorised person.

The member ID and/or password referred to include, but are not limited to, those controlling access to (a) any computer hardware systems or networks; (b) any computer software or applications; or (c) any other services accessed by you in the use of either of the above."
"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," says BeThere Managing Director Dana Pressman. Meanwhile, seven weeks have passed and the ISP hasn't fixed the vulnerability.

view:
topics flat nest 

buyaclue

@comcast.net

1 recommendation

The only good hacker is a dead hacker !

Obviously the hacker's intent was not good by publicly exposing a vulnerability. If his intentions were good all he had to do was confidentially contact the ISP and advise them that he illegally hacked their system... instead of telling folks how to hack the system.
BosstonesOwn

join:2002-12-15
Wakefield, MA

Re: The only good hacker is a dead hacker !

Taylor troll ! Ohh how we missed you....

RayW
Premium
join:2001-09-01
Layton, UT
kudos:1

Wiggle

"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," says BeThere Managing Director Dana Pressman.

I wonder if the password is the same on all units? If so, then I suspect that there is grounds for a lawsuit since anyone with that router can gain that information. If it is unique to each Router, then he does not have a leg to stand on. Granted backdoors are bad, but if it is a unique password then it falls under the AUP
--
I am not lost, I find myself every time.

bigunk
Gort, Klattu Birada Nikto

join:2001-02-10
USA

1 recommendation

Re: Wiggle

said by RayW:

"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," says BeThere Managing Director Dana Pressman.
The vulnerability did not exist prior to....? Makes no sense. Pardon me if you think I am parsing words, but saying something didn't exist prior to it being accessed is a real head-in-the-sand approach to all this. In a warped kind way, he might have done them a favor. For all we know, he might have found the problem and told them but was dismissed by the almighty ISP techs. So he went public with the info to show there was indeed something that needed attention.

We have seen multiple instances of this behavior. If you will recall, there was that guy, Mike Lynn I think, who did that to Cisco. Cisco screamed bloody murder and subverted the legal process to get what they wanted.

What I am getting at is there are people with both good and bad intentions out there, and both should be listened to.
--
There is not a man in the country that can't make a living for himself and family. But he can't make a living for them AND his government, the way his government is living. What the government has got to do is live as cheap as the people.
- Will Rogers

RayW
Premium
join:2001-09-01
Layton, UT
kudos:1

Re: Wiggle

But the question is, is it just his password, or do they use it on ALL the routers as a backdoor? AUP specifies you keep your passwords safe, I do not know how that applies if it is a global password that Bubba down the street can use against all users of BeThere or if British law even allows a differentiation between the two concepts.
--
I am not lost, I find myself every time.

en102
Canadian, eh?

join:2001-01-26
Valencia, CA
Does anyone remember back in the Windows NT4 days when a hacker exposed the TCP buffer issues in Windows which caused a BSOD, and spawned the nice app known as 'WinNuke'? Microsoft dismissed this originally.

RayW
Premium
join:2001-09-01
Layton, UT
kudos:1

Re: Wiggle

said by en102:

Does anyone remember back in the Windows NT4 days when a hacker exposed the TCP buffer issues in Windows which caused a BSOD, and spawned the nice app known as 'WinNuke'? Microsoft dismissed this originally.
Or even earlier, AT&T telling the US gov that the "Blue Box" was impossible?

We can come up with all sorts of 'head in the sand' stories down through history, all in the name of money, power, or loss of face.
--
I am not lost, I find myself every time.

en102
Canadian, eh?

join:2001-01-26
Valencia, CA

Re: Wiggle

Just because investigating these holes are against TOS, doesn't mean they don't exist. Some are big enough to drive a truck through, and if companies aren't aware, less 'benign' hacking in the form of awareness can cause issues with much more impact.

tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9
Reviews:
·G4 Communications
·Fairpoint Commun..
·Hollis Hosting
said by RayW:

AT&T telling the US gov that the "Blue Box" was impossible?
Interesting quote.

AT&T know when they decided on using in-band signalling rather then out-of-band for long distance it was vulnerable to hacking. They chose it because it was cheaper. Remember back in those days telephone computing was done with relays.

/Tom

cableties
Premium
join:2005-01-27

1 recommendation

21-year-old college student violated ...

That sums it up quite well.

[IMHO]
What do they teach in college nowadays? Not logic and responsibility.
A 15yr old I could see doing this...but come on. Serious lack of common sense...yes?

FFH
Premium
join:2002-03-03
Tavistock NJ
kudos:5

1 recommendation

Re: 21-year-old college student violated ...

said by cableties:

That sums it up quite well.

[IMHO]
What do they teach in college nowadays? Not logic and responsibility.
A 15yr old I could see doing this...but come on. Serious lack of common sense...yes?
And so-called security researchers are often nothing but publicity seeking hackers or workers for companies looking to sell their security services by advertising the holes they promise to plug.
--
--
My BLOG
My Web Page

RadioDoc
Premium,ExMod 2000-03
join:2000-05-11
La Grange, IL
kudos:2

Re: 21-year-old college student violated ...

Well said.

en102
Canadian, eh?

join:2001-01-26
Valencia, CA

1 recommendation

Geez... when I was in College (Canada), we had a competition with the profs. Those that could hack into Novell server would not have to write the final exam (exemption). Also, we had our own 'tests' of WinNuke in the college lab and played with 'live' viruses on the lan to study them, and how they worked. Of course, we segmented off our lan

Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL

Sue for weak security

I think if a system can be demonstrated to be hackable, then the people who designed the system need to recognise their fallibility and go back to the drawing board. Demonstrating a weakness in security should not, within itself, be a crime.
If someone points out the locks on my door can be picked, or a window on my house can be easily opened, but he doesn't actually break in, should (s)he go to jail for showing the weakness in my home security?
--
"Padre, nobody said war was fun now bowl!" - Sherman T Potter

»www.cafepress.com/maxolasersquad

»maxolasersquad.com/

»maxolasersquad.com/network/ My DSL Network Guide

»myspace.com/mlsquad
BosstonesOwn

join:2002-12-15
Wakefield, MA

Re: Sue for weak security

No! But with these people now a days prosecuting and reinterpreting laws who the hell knows what is and is not illegal.
--
"It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"

ROCINANTE
Original Member 007
Premium
join:1999-06-29
Hartsdale, NY
More invalid analogies, but we should switch the focus to anyone's house rather than just your house. He could be charged with at least trespassing if he was not granted permission to attempt to pick the locks. This can escalate to criminal mischief if he damages your locks or window and that would lead to attempted burglary. He does not have to break in to be arrested. It would be difficult for him to prove his intentions since he did not ask for permission in the first place.
--
CRUNCH THIS!

Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL

Re: Sue for weak security

Considering the modem was at his house. If he damaged the modem I could see him being charged for the cost of modem, just like anyone else who damages the ISPs equipment.
I think my analogy stands. Like the guy who was arrested because he discovered the black marker on the CD would bypass the DRM, or holding down the shift key or turning off autorun. This is bypassing weak security but being charged like a criminal just because it was so damn easy.
--
"Padre, nobody said war was fun now bowl!" - Sherman T Potter

»www.cafepress.com/maxolasersquad

»maxolasersquad.com/

»maxolasersquad.com/network/ My DSL Network Guide

»myspace.com/mlsquad

jester121
Premium
join:2003-08-09
Lake Zurich, IL
Wow, what a leap of logic....

(Except that we're not talking about criminal prosecution here, -- HE JUST GOT HIS INTERNET SERVICE SHUT OFF!!!)

Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL

Re: Sue for weak security

said by jester121:

HE JUST GOT HIS INTERNET SERVICE SHUT OFF
On that note, I do stand corrected. There was not any criminal prosecution.
Ahrenl

join:2004-10-26
North Andover, MA

Re: Sue for weak security

Although in the states it would have been illegal under the DMCA{? correct acronym}. I believe attempting to break into anything that has been secured is criminal. Regardless if the security is a piece of kite string holding a door half closed.

Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL

Re: Sue for weak security

I would agree breaking into physical locations should be criminal. I don't agree that breaking into your own personal property, like cracking the DRM on a CD/DVD you purchased, should be criminal.

JammerMan79
Premium,VIP
join:2004-05-13
Prince George, BC
kudos:10
Wrong... he should sue for breach of contract on the companies part...

"You are responsible for ensuring that any member ID and/or password selected by you remain confidential so that the network cannot be used by any unauthorised person. "

Wasn't this a password selected by the company?
--
I may work for, but do not necessarily represent the views and beliefs of TELUS Communications.

maartena
Elmo
Premium
join:2002-05-10
Orange, CA
kudos:2

He already committed the crime...

This is the same as stealing something from a store, and then bringing it back 2 days later pointing out the security flaws of anti-theft system the shop has in place.

At that point he already committed the crime.
--
"Any society that would give up a little liberty to gain a little security will deserve neither and lose both" -
Benjamin Franklin, Founding Father.

karlmarx

join:2006-09-18
Chicago, IL

He committed no crime

The fact that the ISP used a single password for all their routers isn't his fault, he has EVERY right to publish it. Look at it this way, if only HIS router used the password, and he published it, do you think the ISP would care? Certainly not.
The fact that the ISP is too dumb to secure their own equipment isn't the users fault. At least in the US, he has EVERY RIGHT to publish an expose on the ISP's failure. And I would applaud him for doing so. This 'hack' forces the ISP to provide REAL security, instead of relying on a simple, clear text telnet password.
--
Stick it to the MAN. Support your local torrent sites. Proudly providing 100mb of upstream for all your TV, Movie, and MP3 needs.

battleop

join:2005-09-28
00000

Re: He committed no crime

But when the ISP spends the money to upgrade the routers who is going to be the first to bitch about any rate increases to cover these expenses? Not every ISP has the mega huge deep pockets that AT&T and Comcast enjoy. The guy was in the wrong.

If you want cheap free routers included with your service then you need to expect that the ISP is going to buy the cheapest router they can.
AJICQ499087

join:2001-12-01
Louisville, KY

Re: He committed no crime

Hey, the kid has talent. The ISP should consider hiring the kid!
--
low cost and fast speed is what customers want in broadband

Stormsinger

@swbell.net

Re: He committed no crime

said by AJICQ499087:

Hey, the kid has talent. The ISP should consider hiring the kid!
He may have talent...there's nowhere near enough information available to anyone here to tell. However, he's clearly demonstrated a serious lack of common sense and ethics. I wouldn't hire him for anything more than lawn maintenance, or janitorial work. Scratch that, even janitorial work might give him access to information that shouldn't be released to the public, and I'd rather have a janitor that would refrain from revealing any business secrets that were sitting on a desk or in the trash.

dwhayden

join:2000-12-23
Greenwood, IN

Idiot Hacker

Many years ago I discovered a security backdoor to my ISPs remote access server where I had gained full rights over the system. I made the decision to call the ISP instead of telling everyone else how to hack it. They hooked me up with the head engineer, and we worked together to plug the hole. The ISP was very grateful for the information, and gave me a year free access.

This stupid hacker took a security vulnerability, and made it much worse by publishing the how-to with passwords. The ISP was well within its rights to terminate this idiot's service. Hopefully charges will be filed against him for hacking since it's so obvious his motivation was not to protect the ISP and its subs, but to gain recognition.
openbox9
Premium
join:2004-01-26
Germany
kudos:2

Re: Idiot Hacker

said by dwhayden:

I made the decision to call the ISP instead of telling everyone else how to hack it.
This is generally the "socially accepted" avenue to taken by white hats and in general, better for the overall community than telling the whole world about the vulnerabilities. What this guy did is more black hat and he does deserve the consequences. Now if you had received little or no response from your ISP regarding the situation, the area becomes a little more grey, and usually you'll see the vulnerabilities published in an attempt to 'force' a response.
gworkman7

join:2005-10-18
Laveen, AZ

Re: Idiot Hacker

User: Admin
Pass: 1234

Not very secure, but that was how my ISP was shipping their modems a couple of years back. They were counting on self-installers to change the password when they got the modems.
openbox9
Premium
join:2004-01-26
Germany
kudos:2

Re: Idiot Hacker

And both you and your ISP knew about this insecurity. Same practice as almost every networking device sold. It's not the same as looking for, or discovering a "vulnerability" and then contacting the responsible party for a fix...or worse yet, posting it on the net for potential malicious activity.
snatman

join:2003-02-22
Virginia, MN
"12345! Amazing, I got the same combination on my luggage!" /Spaceballs

fuziwuzi
Not born yesterday
Premium
join:2005-07-01
Atlanta, GA

stop jumping to conclusions...

We haven't been told whether or not the guy tried to inform the ISP of the problem before he published the issue. Also, it is rather vague that he violated the stated AUP since the password WAS available to all the ISPs customers (that was the whole problem!).

The way it looks is that someone at the ISP is simply trying to CYA and passing the blame off on the (former) customer instead of taking any responsibility for their own boneheadedness.