Posted: 18th Apr, 2007 By: MarkJ
UK ISP 'Be' (BeThere), which offers a 24Mbps ADSL2+ service, has kicked off one of its customers, Sid Karunaratne, after he revealed a little too much about one of the provider's security vulnerabilities:
BeThere took the retaliatory action four weeks after subscriber Sid Karunaratne demonstrated how the ISP's broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors. The hack makes it trivial to telnet into a modem and sniff users' VPN credentials, modify DNS settings and carry out other nefarious acts.
Alas, Karunaratne's February 22 posting originally included the specific password needed to carry out the attack - a tack from the "full disclosure" school of vulnerability reporting that is considered a no-no in many security circles. Less than 48 hours later, he removed the password information, but that didn't stop the ISP from exacting its retribution.
"We have carried out a full and diligent investigation into the alleged breach and your posting relating to it," a BeThere email informed Karunaratne. "Based on that investigation, we do not believe that there was (prior to your post) any such security breach. Therefore, the passwords could only have been obtained through illegal means (i.e. by hacking)."
The ISP also threatened Karunaratne with legal action if he attempted any further access to its network or revealed more details to the public. Sadly, the vulnerability itself still exists, and 'Be' is busy working on a way to plug it without disrupting subscriber services.
The Register's coverage of the incident makes for an interesting read, and while the ISP's response may have been harsh, Karunaratne should never have revealed the password itself.