dslreports logo
 story category
ISP User Loses Service For Exposing Router Backdoor
Violated TOS, company still hasn't patched systems...

UK ISP BeThere has terminated the broadband service of one of their customers for exposing several back doors in the router being used by the ISP. As the Register notes, the user posted the specific password needed to carry out the hack, which lets an attacker telnet into a router and sniff VPN credentials, modify DNS settings and "carry out other nefarious acts." He went back and removed the harmful information after 48 hours, but obviously the move was considered bad form by security researchers.

The company says the 21-year-old college student violated numerous provisions in the ISP's acceptable use policy. From said policy:

"You are responsible for ensuring that any member ID and/or password selected by you remain confidential so that the network cannot be used by any unauthorised person.

The member ID and/or password referred to include, but are not limited to, those controlling access to (a) any computer hardware systems or networks; (b) any computer software or applications; or (c) any other services accessed by you in the use of either of the above."

"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," says BeThere Managing Director Dana Pressman. Meanwhile, seven weeks have passed and the ISP hasn't fixed the vulnerability.

view:
topics flat nest 

buyaclue
@comcast.net

1 recommendation

buyaclue

Anon

The only good hacker is a dead hacker !

Obviously the hacker's intent was not good by publicly exposing a vulnerability. If his intentions were good all he had to do was confidentially contact the ISP and advise them that he illegally hacked their system... instead of telling folks how to hack the system.
BosstonesOwn
join:2002-12-15
Wakefield, MA

BosstonesOwn

Member

Re: The only good hacker is a dead hacker !

Taylor troll ! Ohh how we missed you....

RayW
Premium Member
join:2001-09-01
Layton, UT

RayW

Premium Member

Wiggle

"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," says BeThere Managing Director Dana Pressman.

I wonder if the password is the same on all units? If so, then I suspect that there is grounds for a lawsuit since anyone with that router can gain that information. If it is unique to each Router, then he does not have a leg to stand on. Granted backdoors are bad, but if it is a unique password then it falls under the AUP

bigunk
Gort, Klattu Birada Nikto
join:2001-02-10
USA

1 recommendation

bigunk

Member

Re: Wiggle

said by RayW:

"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," says BeThere Managing Director Dana Pressman.
The vulnerability did not exist prior to....? Makes no sense. Pardon me if you think I am parsing words, but saying something didn't exist prior to it being accessed is a real head-in-the-sand approach to all this. In a warped kind way, he might have done them a favor. For all we know, he might have found the problem and told them but was dismissed by the almighty ISP techs. So he went public with the info to show there was indeed something that needed attention.

We have seen multiple instances of this behavior. If you will recall, there was that guy, Mike Lynn I think, who did that to Cisco. Cisco screamed bloody murder and subverted the legal process to get what they wanted.

What I am getting at is there are people with both good and bad intentions out there, and both should be listened to.

RayW
Premium Member
join:2001-09-01
Layton, UT

RayW

Premium Member

Re: Wiggle

But the question is, is it just his password, or do they use it on ALL the routers as a backdoor? AUP specifies you keep your passwords safe, I do not know how that applies if it is a global password that Bubba down the street can use against all users of BeThere or if British law even allows a differentiation between the two concepts.

en102
Canadian, eh?
join:2001-01-26
Valencia, CA

en102 to RayW

Member

to RayW
Does anyone remember back in the Windows NT4 days when a hacker exposed the TCP buffer issues in Windows which caused a BSOD, and spawned the nice app known as 'WinNuke'? Microsoft dismissed this originally.

RayW
Premium Member
join:2001-09-01
Layton, UT

RayW

Premium Member

Re: Wiggle

said by en102:

Does anyone remember back in the Windows NT4 days when a hacker exposed the TCP buffer issues in Windows which caused a BSOD, and spawned the nice app known as 'WinNuke'? Microsoft dismissed this originally.
Or even earlier, AT&T telling the US gov that the "Blue Box" was impossible?

We can come up with all sorts of 'head in the sand' stories down through history, all in the name of money, power, or loss of face.

en102
Canadian, eh?
join:2001-01-26
Valencia, CA

en102

Member

Re: Wiggle

Just because investigating these holes are against TOS, doesn't mean they don't exist. Some are big enough to drive a truck through, and if companies aren't aware, less 'benign' hacking in the form of awareness can cause issues with much more impact.

tschmidt
MVM
join:2000-11-12
Milford, NH
·Consolidated Com..
·Republic Wireless
·Hollis Hosting

tschmidt to RayW

MVM

to RayW
said by RayW:

AT&T telling the US gov that the "Blue Box" was impossible?
Interesting quote.

AT&T know when they decided on using in-band signalling rather then out-of-band for long distance it was vulnerable to hacking. They chose it because it was cheaper. Remember back in those days telephone computing was done with relays.

/Tom

cableties
Premium Member
join:2005-01-27

1 recommendation

cableties

Premium Member

21-year-old college student violated ...

That sums it up quite well.

[IMHO]
What do they teach in college nowadays? Not logic and responsibility.
A 15yr old I could see doing this...but come on. Serious lack of common sense...yes?

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

1 recommendation

FFH5

Premium Member

Re: 21-year-old college student violated ...

said by cableties:

That sums it up quite well.

[IMHO]
What do they teach in college nowadays? Not logic and responsibility.
A 15yr old I could see doing this...but come on. Serious lack of common sense...yes?
And so-called security researchers are often nothing but publicity seeking hackers or workers for companies looking to sell their security services by advertising the holes they promise to plug.

RadioDoc

join:2000-05-11
La Grange, IL

RadioDoc

Re: 21-year-old college student violated ...

Well said.

en102
Canadian, eh?
join:2001-01-26
Valencia, CA

1 recommendation

en102 to FFH5

Member

to FFH5
Geez... when I was in College (Canada), we had a competition with the profs. Those that could hack into Novell server would not have to write the final exam (exemption). Also, we had our own 'tests' of WinNuke in the college lab and played with 'live' viruses on the lan to study them, and how they worked. Of course, we segmented off our lan

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

Maxo

Premium Member

Sue for weak security

I think if a system can be demonstrated to be hackable, then the people who designed the system need to recognise their fallibility and go back to the drawing board. Demonstrating a weakness in security should not, within itself, be a crime.
If someone points out the locks on my door can be picked, or a window on my house can be easily opened, but he doesn't actually break in, should (s)he go to jail for showing the weakness in my home security?
BosstonesOwn
join:2002-12-15
Wakefield, MA

BosstonesOwn

Member

Re: Sue for weak security

No! But with these people now a days prosecuting and reinterpreting laws who the hell knows what is and is not illegal.

ROCINANTE
Original Member 007
Premium Member
join:1999-06-29
Hartsdale, NY

ROCINANTE to Maxo

Premium Member

to Maxo
More invalid analogies, but we should switch the focus to anyone's house rather than just your house. He could be charged with at least trespassing if he was not granted permission to attempt to pick the locks. This can escalate to criminal mischief if he damages your locks or window and that would lead to attempted burglary. He does not have to break in to be arrested. It would be difficult for him to prove his intentions since he did not ask for permission in the first place.

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

Maxo

Premium Member

Re: Sue for weak security

Considering the modem was at his house. If he damaged the modem I could see him being charged for the cost of modem, just like anyone else who damages the ISPs equipment.
I think my analogy stands. Like the guy who was arrested because he discovered the black marker on the CD would bypass the DRM, or holding down the shift key or turning off autorun. This is bypassing weak security but being charged like a criminal just because it was so damn easy.

jester121
Premium Member
join:2003-08-09
Lake Zurich, IL

jester121 to Maxo

Premium Member

to Maxo
Wow, what a leap of logic....

(Except that we're not talking about criminal prosecution here, -- HE JUST GOT HIS INTERNET SERVICE SHUT OFF!!!)

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

Maxo

Premium Member

Re: Sue for weak security

said by jester121:

HE JUST GOT HIS INTERNET SERVICE SHUT OFF
On that note, I do stand corrected. There was not any criminal prosecution.
Ahrenl
join:2004-10-26
North Andover, MA

Ahrenl

Member

Re: Sue for weak security

Although in the states it would have been illegal under the DMCA{? correct acronym}. I believe attempting to break into anything that has been secured is criminal. Regardless if the security is a piece of kite string holding a door half closed.

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

Maxo

Premium Member

Re: Sue for weak security

I would agree breaking into physical locations should be criminal. I don't agree that breaking into your own personal property, like cracking the DRM on a CD/DVD you purchased, should be criminal.

JammerMan79
Premium Member
join:2004-05-13
Prince George, BC

JammerMan79 to Maxo

Premium Member

to Maxo
Wrong... he should sue for breach of contract on the companies part...

"You are responsible for ensuring that any member ID and/or password selected by you remain confidential so that the network cannot be used by any unauthorised person. "

Wasn't this a password selected by the company?

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

maartena

Premium Member

He already committed the crime...

This is the same as stealing something from a store, and then bringing it back 2 days later pointing out the security flaws of anti-theft system the shop has in place.

At that point he already committed the crime.

karlmarx
join:2006-09-18
Moscow, ID

karlmarx

Member

He committed no crime

The fact that the ISP used a single password for all their routers isn't his fault, he has EVERY right to publish it. Look at it this way, if only HIS router used the password, and he published it, do you think the ISP would care? Certainly not.
The fact that the ISP is too dumb to secure their own equipment isn't the users fault. At least in the US, he has EVERY RIGHT to publish an expose on the ISP's failure. And I would applaud him for doing so. This 'hack' forces the ISP to provide REAL security, instead of relying on a simple, clear text telnet password.

battleop
join:2005-09-28
00000

battleop

Member

Re: He committed no crime

But when the ISP spends the money to upgrade the routers who is going to be the first to bitch about any rate increases to cover these expenses? Not every ISP has the mega huge deep pockets that AT&T and Comcast enjoy. The guy was in the wrong.

If you want cheap free routers included with your service then you need to expect that the ISP is going to buy the cheapest router they can.
AJICQ499087
join:2001-12-01
Louisville, KY

AJICQ499087

Member

Re: He committed no crime

Hey, the kid has talent. The ISP should consider hiring the kid!

Stormsinger
@swbell.net

Stormsinger

Anon

Re: He committed no crime

said by AJICQ499087:

Hey, the kid has talent. The ISP should consider hiring the kid!
He may have talent...there's nowhere near enough information available to anyone here to tell. However, he's clearly demonstrated a serious lack of common sense and ethics. I wouldn't hire him for anything more than lawn maintenance, or janitorial work. Scratch that, even janitorial work might give him access to information that shouldn't be released to the public, and I'd rather have a janitor that would refrain from revealing any business secrets that were sitting on a desk or in the trash.

dwhayden
join:2000-12-23
Greenwood, IN

dwhayden

Member

Idiot Hacker

Many years ago I discovered a security backdoor to my ISPs remote access server where I had gained full rights over the system. I made the decision to call the ISP instead of telling everyone else how to hack it. They hooked me up with the head engineer, and we worked together to plug the hole. The ISP was very grateful for the information, and gave me a year free access.

This stupid hacker took a security vulnerability, and made it much worse by publishing the how-to with passwords. The ISP was well within its rights to terminate this idiot's service. Hopefully charges will be filed against him for hacking since it's so obvious his motivation was not to protect the ISP and its subs, but to gain recognition.
openbox9
Premium Member
join:2004-01-26
71144

openbox9

Premium Member

Re: Idiot Hacker

said by dwhayden:

I made the decision to call the ISP instead of telling everyone else how to hack it.
This is generally the "socially accepted" avenue to taken by white hats and in general, better for the overall community than telling the whole world about the vulnerabilities. What this guy did is more black hat and he does deserve the consequences. Now if you had received little or no response from your ISP regarding the situation, the area becomes a little more grey, and usually you'll see the vulnerabilities published in an attempt to 'force' a response.
gworkman
join:2005-10-18
Las Vegas, NV

gworkman

Member

Re: Idiot Hacker

User: Admin
Pass: 1234

Not very secure, but that was how my ISP was shipping their modems a couple of years back. They were counting on self-installers to change the password when they got the modems.
openbox9
Premium Member
join:2004-01-26
71144

openbox9

Premium Member

Re: Idiot Hacker

And both you and your ISP knew about this insecurity. Same practice as almost every networking device sold. It's not the same as looking for, or discovering a "vulnerability" and then contacting the responsible party for a fix...or worse yet, posting it on the net for potential malicious activity.
snatman
join:2003-02-22
Virginia, MN

snatman to gworkman

Member

to gworkman
"12345! Amazing, I got the same combination on my luggage!" /Spaceballs

fuziwuzi
Not born yesterday
Premium Member
join:2005-07-01
Palm Springs, CA
Hitron EN2251
Nest H2D

fuziwuzi

Premium Member

stop jumping to conclusions...

We haven't been told whether or not the guy tried to inform the ISP of the problem before he published the issue. Also, it is rather vague that he violated the stated AUP since the password WAS available to all the ISPs customers (that was the whole problem!).

The way it looks is that someone at the ISP is simply trying to CYA and passing the blame off on the (former) customer instead of taking any responsibility for their own boneheadedness.