ISP ejects whistle-blowing student
BeThere's damage control found lacking
A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers.
BeThere took the retaliatory action four weeks after subscriber Sid Karunaratne demonstrated how the ISP's broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors. The hack makes it trivial to telnet into a modem and sniff users' VPN credentials, modify DNS settings and carry out other nefarious acts.
Alas, Karunaratne's February 22 posting originally included the specific password needed to carry out the attack - a tack from the "full disclosure" school of vulnerability reporting that is considered a no-no in many security circles. Less than 48 hours later, he removed the password information, but that didn't stop the ISP from exacting its retribution.
"We have carried out a full and diligent investigation into the alleged breach and your posting relating to it," a BeThere email informed Karunaratne. "Based on that investigation, we do not believe that there was (prior to your post) any such security breach. Therefore, the passwords could only have been obtained through illegal means (i.e. by hacking)."
Evidently, merely tinkering with a modem constitutes "illegal means." That's a remarkable determination for any technology-related company, but especially so in this case given the niche that BeThere aims to fill: the ISP caters to power users by offering speeds as high as 24 Mbps down and 2.5 Mbps up.
The email went on to "reserve the right to institute legal proceedings" if Karunaratne accessed BeThere's network again or made additional publications that included passwords related to the ISP. BeThere also sought to prevent Karunaratne from going public with the termination. "This letter is confidential and we do not consent to any publication of the details of our dispute with you or this letter in any forum whatsoever," it warned.
(In a generous concession, it added: "We agree that you may disclose the contents of this letter to your legal counsel or advisor.")
Unfortunately, BeThere hasn't shown the same diligence in repairing the vulnerability, which remains unmitigated more than seven weeks after Karunaratne revealed it. The company says rolling out a patch in a way that doesn't disrupt subscribers' existing service takes time and that it expects to begin pushing out a fix in the next week or so.
The company has made no public disclosures of the vulnerability and has offered no temporary workarounds, again, managers say, because they don't want to do anything that will degrade customer experience.
The company says in a statement it canceled Karunaratne's account because he violated numerous terms of service, including failing to take reasonable steps necessary to prevent third parties from obtaining unauthorized access to the BeThere network.
"According to our investigation, the modem vulnerability did not exist prior to his accessing without permission and then publishing certain confidential passwords which were not otherwise available to Be* members," Managing Director Dana Pressman said.
They say time heals all wounds, and for Karunaratne, a state of Zen-inspired acceptance has settled in, even if he has to surf the web at significantly slower speeds. "I knew that some companies treated security researchers very badly but I had no idea companies like that included major ISPs," he says. (Note: BeThere has only a fraction of the subscribers of huge ISPs such as BT or AT&T.) "I've learned just how ill-prepared some companies are and what they will do to make the problem go away." ®
From another perspective
I'm a Be member, have been since the first trials. Couple of things I'd like to say:
First off, Be aren't a big ISP. Secondly, their service: I (and the many colleagues at work I've recommended it to) freakin' love it. It's fast, they don't mind when you use it and how, low latency and 1.4 meg upload. If you don't mind that their customer service seems not very helpful* + their tech department seems a little naive, I'd not let this put you off.
The routers aren't ours, Be supply them. You don't have to use them, but you get no support if you don't.
Thomson write the firmware; it's very extensive and configurable from the command line, and it makes a lot of sense for an ISP like Be to be able to tweak and diagnose problems in this manner. Sky do something similar.
The real problem is that the passwords for these hidden accounts are easily extracted from the config. That (imo) is a design WTF from Thomson, who took an absolute age to make a firmware with a web interface that supports IE 7 (iirc, this was the failed upgrade from before..).
Ideally, each unit should have had a unique salt built into the hardware. Would have cost about £0.10p. Be could then have loaded their config in plaintext; any following dumps would have passwords encrypted with the hardware salt.
I do think getting cut off was a bit harsh, although the guy clearly didn't help himself by not clearly outlining to Be that
a) there was a problem with their device
b) it should be fixed in a timely manner
and c) in <some time> I will disclose this information to bugtraq@securityfocus
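As an added illustration of the per-unit secret idea in the comment above (this is example code, not from the commenter, Thomson or Be): each router stores only a keyed hash of the ISP-supplied credentials under a secret assumed to be burned in at manufacture, so a config dump from one unit reveals neither the plaintext password nor a value that authenticates on another unit. Account names and passwords below are constructed.

```python
import hashlib
import hmac
import secrets


def make_device_secret() -> bytes:
    """Stand-in for a per-unit secret fixed at manufacture (hypothetical)."""
    return secrets.token_bytes(32)


def protect_password(device_secret: bytes, account: str, password: str) -> str:
    """Value the router writes into its config instead of the plaintext.

    A keyed hash (HMAC-SHA256 under the unit's own secret) is used here as
    the concrete form of the "hardware salt" suggestion; the ISP can still
    push plaintext credentials once and the device keeps only this digest.
    """
    msg = account.encode() + b"\0" + password.encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


def verify_password(device_secret: bytes, account: str, password: str, stored: str) -> bool:
    """Login check: recompute the digest and compare in constant time."""
    expected = protect_password(device_secret, account, password)
    return hmac.compare_digest(expected, stored)


def build_config(device_secret: bytes, plaintext_accounts: dict) -> dict:
    """Turn the ISP's {account: password} map into what a config dump would show."""
    return {acct: protect_password(device_secret, acct, pw)
            for acct, pw in plaintext_accounts.items()}


def demo() -> dict:
    # Constructed ISP credential set shared by every unit, as in the article.
    isp_accounts = {"Administrator": "example-admin-pw", "tech": "example-shared-pw"}
    unit_a, unit_b = make_device_secret(), make_device_secret()
    cfg_a, cfg_b = build_config(unit_a, isp_accounts), build_config(unit_b, isp_accounts)
    return {
        # the unit that stored the digest still authenticates the real password
        "a_verifies": verify_password(unit_a, "tech", "example-shared-pw", cfg_a["tech"]),
        # same password, different unit: the dumped values differ
        "dump_differs": cfg_a["tech"] != cfg_b["tech"],
        # a digest lifted from unit A's dump is not accepted as a credential on unit B
        "a_dump_on_b": verify_password(unit_b, "tech", cfg_a["tech"], cfg_b["tech"]),
        "wrong_pw": verify_password(unit_a, "tech", "wrong", cfg_a["tech"]),
    }
```

The shared password itself remains the weak point (one guess works everywhere), and the scheme only helps if the per-unit secret lives somewhere a config dump over telnet cannot read.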
Disabling Telnet access doesn't work
I'm a Be customer, and rather shocked to say the least about this, especially since according to the forums at Be, it's been a known flaw for some time (months, if not years). Basically anyone with the Be-provided modem has been susceptible to DNS poisoning etc. for some time. I'm glad this guy revealed the flaw, as it pushed me to fix mine - publishing the passwords was foolish.
Disabling Telnet access from the web interface doesn't work, or rather only works to disable the "Administrator" account - the hidden ones still work. Someone has pointed out earlier how to apply the fix through the CLI. Another post on the Be forums has a fix that seems to be easier than entering the CLI - use the web interface to port forward the impacted ports to a dead local IP address.
There are bound to be other users out there who don't read El Reg, or the Be forums and are now sitting vulnerable. No idea or indication what will happen to address that one!
In reply to several comments
"If you go round the back there is a window on the ground floor that is loose. Just give it a kick and you're in. Don't worry, there are no houses overlooking and they don't have an alarm. They are out between X and Y. I'm just doing this so that they get it fixed"?
It's the same thing.
No, it's not the same thing, and if you want to use analogies, here's a better one:
If you go to this considerably sized city, which a single property developer built, you'll find that the property developer left a set of keys under every doormat - some people have removed them, but 14 thousand people still don't know they're there.
As bappy said; Sid did not have any malicious intent, that much is certain.
And whoever is trying to say this came out of a concentrated effort to compromise BeThere, you are completely mistaken - this came from someone else informing him they'd scanned his box and he had telnet running - and him simply investigating his config file and finding the details.
For anyone who wants to see the post where he disclosed it, it is here: http://blogs.securiteam.com/index.php/archives/826